Table of Contents
Macie2.Client¶A low-level client representing Amazon Macie 2
Amazon Macie
import boto3
client = boto3.client('macie2')
These are the available methods:
accept_invitation()batch_get_custom_data_identifiers()can_paginate()close()create_allow_list()create_classification_job()create_custom_data_identifier()create_findings_filter()create_invitations()create_member()create_sample_findings()decline_invitations()delete_allow_list()delete_custom_data_identifier()delete_findings_filter()delete_invitations()delete_member()describe_buckets()describe_classification_job()describe_organization_configuration()disable_macie()disable_organization_admin_account()disassociate_from_administrator_account()disassociate_from_master_account()disassociate_member()enable_macie()enable_organization_admin_account()get_administrator_account()get_allow_list()get_automated_discovery_configuration()get_bucket_statistics()get_classification_export_configuration()get_classification_scope()get_custom_data_identifier()get_finding_statistics()get_findings()get_findings_filter()get_findings_publication_configuration()get_invitations_count()get_macie_session()get_master_account()get_member()get_paginator()get_resource_profile()get_reveal_configuration()get_sensitive_data_occurrences()get_sensitive_data_occurrences_availability()get_sensitivity_inspection_template()get_usage_statistics()get_usage_totals()get_waiter()list_allow_lists()list_classification_jobs()list_classification_scopes()list_custom_data_identifiers()list_findings()list_findings_filters()list_invitations()list_managed_data_identifiers()list_members()list_organization_admin_accounts()list_resource_profile_artifacts()list_resource_profile_detections()list_sensitivity_inspection_templates()list_tags_for_resource()put_classification_export_configuration()put_findings_publication_configuration()search_resources()tag_resource()test_custom_data_identifier()untag_resource()update_allow_list()update_automated_discovery_configuration()update_classification_job()update_classification_scope()update_findings_filter()update_macie_session()update_member_session()update_organization_configuration()update_resource_profile()update_resource_profile_detections()update_reveal_configuration()update_sensitivity_inspection_template()accept_invitation(**kwargs)¶Accepts an Amazon Macie membership invitation that was received from a specific account.
See also: AWS API Documentation
Request Syntax
response = client.accept_invitation(
administratorAccountId='string',
invitationId='string',
masterAccount='string'
)
[REQUIRED]
The unique identifier for the invitation to accept.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionbatch_get_custom_data_identifiers(**kwargs)¶Retrieves information about one or more custom data identifiers.
See also: AWS API Documentation
Request Syntax
response = client.batch_get_custom_data_identifiers(
ids=[
'string',
]
)
An array of custom data identifier IDs, one for each custom data identifier to retrieve information about.
{
'customDataIdentifiers': [
{
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'deleted': True|False,
'description': 'string',
'id': 'string',
'name': 'string'
},
],
'notFoundIdentifierIds': [
'string',
]
}
Response Structure
The request succeeded.
An array of objects, one for each custom data identifier that matches the criteria specified in the request.
Provides information about a custom data identifier.
The Amazon Resource Name (ARN) of the custom data identifier.
The date and time, in UTC and extended ISO 8601 format, when the custom data identifier was created.
Specifies whether the custom data identifier was deleted. If you delete a custom data identifier, Amazon Macie doesn't delete it permanently. Instead, it soft deletes the identifier.
The custom description of the custom data identifier.
The unique identifier for the custom data identifier.
The custom name of the custom data identifier.
An array of custom data identifier IDs, one for each custom data identifier that was specified in the request but doesn't correlate to an existing custom data identifier.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptioncan_paginate(operation_name)¶Check if an operation can be paginated.
create_foo, and you'd normally invoke the
operation as client.create_foo(**kwargs), if the
create_foo operation can be paginated, you can use the
call client.get_paginator("create_foo").True if the operation can be paginated,
False otherwise.close()¶Closes underlying endpoint connections.
create_allow_list(**kwargs)¶Creates and defines the settings for an allow list.
See also: AWS API Documentation
Request Syntax
response = client.create_allow_list(
clientToken='string',
criteria={
'regex': 'string',
's3WordsList': {
'bucketName': 'string',
'objectKey': 'string'
}
},
description='string',
name='string',
tags={
'string': 'string'
}
)
[REQUIRED]
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
[REQUIRED]
The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an S3 object that lists specific text to ignore (s3WordsList), or a regular expression (regex) that defines a text pattern to ignore.
The regular expression (regex ) that defines the text pattern to ignore. The expression can contain as many as 512 characters.
The location and name of the S3 object that lists specific text to ignore.
The full name of the S3 bucket that contains the object.
The full name (key) of the object.
[REQUIRED]
A custom name for the allow list. The name can contain as many as 128 characters.
A map of key-value pairs that specifies the tags to associate with the allow list.
An allow list can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
dict
Response Syntax
{
'arn': 'string',
'id': 'string'
}
Response Structure
(dict) --
The request succeeded. The specified allow list was created.
arn (string) --
The Amazon Resource Name (ARN) of the allow list.
id (string) --
The unique identifier for the allow list.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptioncreate_classification_job(**kwargs)¶Creates and defines the settings for a classification job.
See also: AWS API Documentation
Request Syntax
response = client.create_classification_job(
allowListIds=[
'string',
],
clientToken='string',
customDataIdentifierIds=[
'string',
],
description='string',
initialRun=True|False,
jobType='ONE_TIME'|'SCHEDULED',
managedDataIdentifierIds=[
'string',
],
managedDataIdentifierSelector='ALL'|'EXCLUDE'|'INCLUDE'|'NONE',
name='string',
s3JobDefinition={
'bucketCriteria': {
'excludes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
},
'includes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
}
},
'bucketDefinitions': [
{
'accountId': 'string',
'buckets': [
'string',
]
},
],
'scoping': {
'excludes': {
'and': [
{
'simpleScopeTerm': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'OBJECT_EXTENSION'|'OBJECT_LAST_MODIFIED_DATE'|'OBJECT_SIZE'|'OBJECT_KEY',
'values': [
'string',
]
},
'tagScopeTerm': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'string',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
],
'target': 'S3_OBJECT'
}
},
]
},
'includes': {
'and': [
{
'simpleScopeTerm': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'OBJECT_EXTENSION'|'OBJECT_LAST_MODIFIED_DATE'|'OBJECT_SIZE'|'OBJECT_KEY',
'values': [
'string',
]
},
'tagScopeTerm': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'string',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
],
'target': 'S3_OBJECT'
}
},
]
}
}
},
samplingPercentage=123,
scheduleFrequency={
'dailySchedule': {}
,
'monthlySchedule': {
'dayOfMonth': 123
},
'weeklySchedule': {
'dayOfWeek': 'SUNDAY'|'MONDAY'|'TUESDAY'|'WEDNESDAY'|'THURSDAY'|'FRIDAY'|'SATURDAY'
}
},
tags={
'string': 'string'
}
)
An array of unique identifiers, one for each allow list for the job to use when it analyzes data.
[REQUIRED]
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
An array of unique identifiers, one for each custom data identifier for the job to use when it analyzes data. To use only managed data identifiers, don't specify a value for this property and specify a value other than NONE for the managedDataIdentifierSelector property.
For a recurring job, specifies whether to analyze all existing, eligible objects immediately after the job is created (true). To analyze only those objects that are created or changed after you create the job and before the job's first scheduled run, set this value to false.
If you configure the job to run only once, don't specify a value for this property.
[REQUIRED]
The schedule for running the job. Valid values are:
An array of unique identifiers, one for each managed data identifier for the job to include (use) or exclude (not use) when it analyzes data. Inclusion or exclusion depends on the managed data identifier selection type that you specify for the job (managedDataIdentifierSelector).
To retrieve a list of valid values for this property, use the ListManagedDataIdentifiers operation.
The selection type to apply when determining which managed data identifiers the job uses to analyze data. Valid values are:
If you don't specify a value for this property, the job uses all managed data identifiers. If you don't specify a value for this property or you specify ALL or EXCLUDE for a recurring job, the job also uses new managed data identifiers as they are released.
[REQUIRED]
A custom name for the job. The name can contain as many as 500 characters.
[REQUIRED]
The S3 buckets that contain the objects to analyze, and the scope of that analysis.
The property- and tag-based conditions that determine which S3 buckets to include or exclude from the analysis. Each time the job runs, the job uses these criteria to determine which buckets contain objects to analyze. A job's definition can contain a bucketCriteria object or a bucketDefinitions array, not both.
The property- and tag-based conditions that determine which buckets to exclude from the job.
An array of conditions, one for each condition that determines which buckets to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 buckets from a classification job.
A property-based condition that defines a property, operator, and one or more values for including or excluding buckets from the job.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The property to use in the condition.
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in these values.
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding buckets from the job.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The tag keys, tag values, or tag key and value pairs to use in the condition.
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
The value for the tag key to use in the condition.
The tag value to use in the condition.
The property- and tag-based conditions that determine which buckets to include in the job.
An array of conditions, one for each condition that determines which buckets to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 buckets from a classification job.
A property-based condition that defines a property, operator, and one or more values for including or excluding buckets from the job.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The property to use in the condition.
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in these values.
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding buckets from the job.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The tag keys, tag values, or tag key and value pairs to use in the condition.
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
The value for the tag key to use in the condition.
The tag value to use in the condition.
An array of objects, one for each Amazon Web Services account that owns specific S3 buckets to analyze. Each object specifies the account ID for an account and one or more buckets to analyze for that account. A job's definition can contain a bucketDefinitions array or a bucketCriteria object, not both.
Specifies an Amazon Web Services account that owns S3 buckets for a classification job to analyze, and one or more specific buckets to analyze for that account.
The unique identifier for the Amazon Web Services account that owns the buckets.
An array that lists the names of the buckets.
The property- and tag-based conditions that determine which S3 objects to include or exclude from the analysis. Each time the job runs, the job uses these criteria to determine which objects to analyze.
The property- and tag-based conditions that determine which objects to exclude from the analysis.
An array of conditions, one for each property- or tag-based condition that determines which objects to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 objects from a classification job. A JobScopeTerm object can contain only one simpleScopeTerm object or one tagScopeTerm object.
A property-based condition that defines a property, operator, and one or more values for including or excluding objects from the job.
The operator to use in the condition. Valid values for each supported property (key) are:
The object property to use in the condition.
An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses OR logic to join the values. Otherwise, this array can specify only one value.
Valid values for each supported property (key) are:
Macie doesn't support use of wildcard characters in these values. Also, string values are case sensitive.
A tag-based condition that defines the operator and tag keys or tag key and value pairs for including or excluding objects from the job.
The operator to use in the condition. Valid values are EQ (equals) or NE (not equals).
The object property to use in the condition. The only valid value is TAG.
The tag keys or tag key and value pairs to use in the condition. To specify only tag keys in a condition, specify the keys in this array and set the value for each associated tag value to an empty string.
Specifies a tag key or tag key and value pair to use in a tag-based condition that determines whether an S3 object is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
The value for the tag key to use in the condition.
The tag value, associated with the specified tag key (key), to use in the condition. To specify only a tag key for a condition, specify the tag key for the key property and set this value to an empty string.
The type of object to apply the condition to.
The property- and tag-based conditions that determine which objects to include in the analysis.
An array of conditions, one for each property- or tag-based condition that determines which objects to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 objects from a classification job. A JobScopeTerm object can contain only one simpleScopeTerm object or one tagScopeTerm object.
A property-based condition that defines a property, operator, and one or more values for including or excluding objects from the job.
The operator to use in the condition. Valid values for each supported property (key) are:
The object property to use in the condition.
An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses OR logic to join the values. Otherwise, this array can specify only one value.
Valid values for each supported property (key) are:
Macie doesn't support use of wildcard characters in these values. Also, string values are case sensitive.
A tag-based condition that defines the operator and tag keys or tag key and value pairs for including or excluding objects from the job.
The operator to use in the condition. Valid values are EQ (equals) or NE (not equals).
The object property to use in the condition. The only valid value is TAG.
The tag keys or tag key and value pairs to use in the condition. To specify only tag keys in a condition, specify the keys in this array and set the value for each associated tag value to an empty string.
Specifies a tag key or tag key and value pair to use in a tag-based condition that determines whether an S3 object is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
The value for the tag key to use in the condition.
The tag value, associated with the specified tag key (key), to use in the condition. To specify only a tag key for a condition, specify the tag key for the key property and set this value to an empty string.
The type of object to apply the condition to.
The recurrence pattern for running the job. To run the job only once, don't specify a value for this property and set the value for the jobType property to ONE_TIME.
Specifies a daily recurrence pattern for running the job.
Specifies a monthly recurrence pattern for running the job.
The numeric day of the month when Amazon Macie runs the job. This value can be an integer from 1 through 31.
If this value exceeds the number of days in a certain month, Macie doesn't run the job that month. Macie runs the job only during months that have the specified day. For example, if this value is 31 and a month has only 30 days, Macie doesn't run the job that month. To run the job every month, specify a value that's less than 29.
Specifies a weekly recurrence pattern for running the job.
The day of the week when Amazon Macie runs the job.
A map of key-value pairs that specifies the tags to associate with the job.
A job can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
dict
Response Syntax
{
'jobArn': 'string',
'jobId': 'string'
}
Response Structure
(dict) --
The request succeeded. The specified job was created.
jobArn (string) --
The Amazon Resource Name (ARN) of the job.
jobId (string) --
The unique identifier for the job.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptioncreate_custom_data_identifier(**kwargs)¶Creates and defines the criteria and other settings for a custom data identifier.
See also: AWS API Documentation
Request Syntax
response = client.create_custom_data_identifier(
clientToken='string',
description='string',
ignoreWords=[
'string',
],
keywords=[
'string',
],
maximumMatchDistance=123,
name='string',
regex='string',
severityLevels=[
{
'occurrencesThreshold': 123,
'severity': 'LOW'|'MEDIUM'|'HIGH'
},
],
tags={
'string': 'string'
}
)
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
A custom description of the custom data identifier. The description can contain as many as 512 characters.
We strongly recommend that you avoid including any sensitive data in the description of a custom data identifier. Other users of your account might be able to see this description, depending on the actions that they're allowed to perform in Amazon Macie.
An array that lists specific character sequences (ignore words ) to exclude from the results. If the text matched by the regular expression contains any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4-90 UTF-8 characters. Ignore words are case sensitive.
An array that lists specific character sequences (keywords ), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.
[REQUIRED]
A custom name for the custom data identifier. The name can contain as many as 128 characters.
We strongly recommend that you avoid including any sensitive data in the name of a custom data identifier. Other users of your account might be able to see this name, depending on the actions that they're allowed to perform in Amazon Macie.
[REQUIRED]
The regular expression (regex ) that defines the pattern to match. The expression can contain as many as 512 characters.
The severity to assign to findings that the custom data identifier produces, based on the number of occurrences of text that matches the custom data identifier's detection criteria. You can specify as many as three SeverityLevel objects in this array, one for each severity: LOW, MEDIUM, or HIGH. If you specify more than one, the occurrences thresholds must be in ascending order by severity, moving from LOW to HIGH. For example, 1 for LOW, 50 for MEDIUM, and 100 for HIGH. If an S3 object contains fewer occurrences than the lowest specified threshold, Amazon Macie doesn't create a finding.
If you don't specify any values for this array, Macie creates findings for S3 objects that contain at least one occurrence of text that matches the detection criteria, and Macie assigns the MEDIUM severity to those findings.
Specifies a severity level for findings that a custom data identifier produces. A severity level determines which severity is assigned to the findings, based on the number of occurrences of text that matches the custom data identifier's detection criteria.
The minimum number of occurrences of text that must match the custom data identifier's detection criteria in order to produce a finding with the specified severity (severity).
The severity to assign to a finding: if the number of occurrences is greater than or equal to the specified threshold (occurrencesThreshold); and, if applicable, the number of occurrences is less than the threshold for the next consecutive severity level for the custom data identifier, moving from LOW to HIGH.
A map of key-value pairs that specifies the tags to associate with the custom data identifier.
A custom data identifier can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
dict
Response Syntax
{
'customDataIdentifierId': 'string'
}
Response Structure
(dict) --
The request succeeded. The specified custom data identifier was created.
customDataIdentifierId (string) --
The unique identifier for the custom data identifier that was created.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptioncreate_findings_filter(**kwargs)¶Creates and defines the criteria and other settings for a findings filter.
See also: AWS API Documentation
Request Syntax
response = client.create_findings_filter(
action='ARCHIVE'|'NOOP',
clientToken='string',
description='string',
findingCriteria={
'criterion': {
'string': {
'eq': [
'string',
],
'eqExactMatch': [
'string',
],
'gt': 123,
'gte': 123,
'lt': 123,
'lte': 123,
'neq': [
'string',
]
}
}
},
name='string',
position=123,
tags={
'string': 'string'
}
)
[REQUIRED]
The action to perform on findings that match the filter criteria (findingCriteria). Valid values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
A custom description of the filter. The description can contain as many as 512 characters.
We strongly recommend that you avoid including any sensitive data in the description of a filter. Other users of your account might be able to see this description, depending on the actions that they're allowed to perform in Amazon Macie.
[REQUIRED]
The criteria to use to filter findings.
A condition that specifies the property, operator, and one or more values to use to filter the results.
Specifies the operator to use in a property-based condition that filters the results of a query for findings. For detailed information and examples of each operator, see Fundamentals of filtering findings in the Amazon Macie User Guide .
The value for the property matches (equals) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
The value for the property exclusively matches (equals an exact match for) all the specified values. If you specify multiple values, Amazon Macie uses AND logic to join the values.
You can use this operator with the following properties: customDataIdentifiers.detections.arn, customDataIdentifiers.detections.name, resourcesAffected.s3Bucket.tags.key, resourcesAffected.s3Bucket.tags.value, resourcesAffected.s3Object.tags.key, resourcesAffected.s3Object.tags.value, sensitiveData.category, and sensitiveData.detections.type.
The value for the property is greater than the specified value.
The value for the property is greater than or equal to the specified value.
The value for the property is less than the specified value.
The value for the property is less than or equal to the specified value.
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
[REQUIRED]
A custom name for the filter. The name must contain at least 3 characters and can contain as many as 64 characters.
We strongly recommend that you avoid including any sensitive data in the name of a filter. Other users of your account might be able to see this name, depending on the actions that they're allowed to perform in Amazon Macie.
A map of key-value pairs that specifies the tags to associate with the filter.
A findings filter can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
dict
Response Syntax
{
'arn': 'string',
'id': 'string'
}
Response Structure
(dict) --
arn (string) --
The Amazon Resource Name (ARN) of the filter that was created.
id (string) --
The unique identifier for the filter that was created.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptioncreate_invitations(**kwargs)¶Sends an Amazon Macie membership invitation to one or more accounts.
See also: AWS API Documentation
Request Syntax
response = client.create_invitations(
accountIds=[
'string',
],
disableEmailNotification=True|False,
message='string'
)
[REQUIRED]
An array that lists Amazon Web Services account IDs, one for each account to send the invitation to.
dict
Response Syntax
{
'unprocessedAccounts': [
{
'accountId': 'string',
'errorCode': 'ClientError'|'InternalError',
'errorMessage': 'string'
},
]
}
Response Structure
(dict) --
The request succeeded. Processing might not be complete.
unprocessedAccounts (list) --
An array of objects, one for each account whose invitation hasn't been processed. Each object identifies the account and explains why the invitation hasn't been processed for the account.
(dict) --
Provides information about an account-related request that hasn't been processed.
accountId (string) --
The Amazon Web Services account ID for the account that the request applies to.
errorCode (string) --
The source of the issue or delay in processing the request.
errorMessage (string) --
The reason why the request hasn't been processed.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptioncreate_member(**kwargs)¶Associates an account with an Amazon Macie administrator account.
See also: AWS API Documentation
Request Syntax
response = client.create_member(
account={
'accountId': 'string',
'email': 'string'
},
tags={
'string': 'string'
}
)
[REQUIRED]
The details of the account to associate with the administrator account.
The Amazon Web Services account ID for the account.
The email address for the account.
A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie.
An account can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
dict
Response Syntax
{
'arn': 'string'
}
Response Structure
(dict) --
The request succeeded.
arn (string) --
The Amazon Resource Name (ARN) of the account that was associated with the administrator account.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptioncreate_sample_findings(**kwargs)¶Creates sample findings.
See also: AWS API Documentation
Request Syntax
response = client.create_sample_findings(
findingTypes=[
'SensitiveData:S3Object/Multiple'|'SensitiveData:S3Object/Financial'|'SensitiveData:S3Object/Personal'|'SensitiveData:S3Object/Credentials'|'SensitiveData:S3Object/CustomIdentifier'|'Policy:IAMUser/S3BucketPublic'|'Policy:IAMUser/S3BucketSharedExternally'|'Policy:IAMUser/S3BucketReplicatedExternally'|'Policy:IAMUser/S3BucketEncryptionDisabled'|'Policy:IAMUser/S3BlockPublicAccessDisabled'|'Policy:IAMUser/S3BucketSharedWithCloudFront',
]
)
An array of finding types, one for each type of sample finding to create. To create a sample of every type of finding that Amazon Macie supports, don't include this array in your request.
The type of finding. For details about each type, see Types of Amazon Macie findings in the Amazon Macie User Guide . Possible values are:
{}
Response Structure
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondecline_invitations(**kwargs)¶Declines Amazon Macie membership invitations that were received from specific accounts.
See also: AWS API Documentation
Request Syntax
response = client.decline_invitations(
accountIds=[
'string',
]
)
[REQUIRED]
An array that lists Amazon Web Services account IDs, one for each account that sent an invitation to decline.
{
'unprocessedAccounts': [
{
'accountId': 'string',
'errorCode': 'ClientError'|'InternalError',
'errorMessage': 'string'
},
]
}
Response Structure
The request succeeded. Processing might not be complete.
An array of objects, one for each account whose invitation hasn't been declined. Each object identifies the account and explains why the request hasn't been processed for that account.
Provides information about an account-related request that hasn't been processed.
The Amazon Web Services account ID for the account that the request applies to.
The source of the issue or delay in processing the request.
The reason why the request hasn't been processed.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondelete_allow_list(**kwargs)¶Deletes an allow list.
See also: AWS API Documentation
Request Syntax
response = client.delete_allow_list(
id='string',
ignoreJobChecks='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
Specifies whether to force deletion of the allow list, even if active classification jobs are configured to use the list.
When you try to delete an allow list, Amazon Macie checks for classification jobs that use the list and have a status other than COMPLETE or CANCELLED. By default, Macie rejects your request if any jobs meet these criteria. To skip these checks and delete the list, set this value to true. To delete the list only if no active jobs are configured to use it, set this value to false.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded. The allow list was deleted and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptiondelete_custom_data_identifier(**kwargs)¶Soft deletes a custom data identifier.
See also: AWS API Documentation
Request Syntax
response = client.delete_custom_data_identifier(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{}
Response Structure
The request succeeded. The specified custom data identifier was deleted and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondelete_findings_filter(**kwargs)¶Deletes a findings filter.
See also: AWS API Documentation
Request Syntax
response = client.delete_findings_filter(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{}
Response Structure
The request succeeded. The specified findings filter was deleted and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondelete_invitations(**kwargs)¶Deletes Amazon Macie membership invitations that were received from specific accounts.
See also: AWS API Documentation
Request Syntax
response = client.delete_invitations(
accountIds=[
'string',
]
)
[REQUIRED]
An array that lists Amazon Web Services account IDs, one for each account that sent an invitation to delete.
{
'unprocessedAccounts': [
{
'accountId': 'string',
'errorCode': 'ClientError'|'InternalError',
'errorMessage': 'string'
},
]
}
Response Structure
The request succeeded. Processing might not be complete.
An array of objects, one for each account whose invitation hasn't been deleted. Each object identifies the account and explains why the request hasn't been processed for that account.
Provides information about an account-related request that hasn't been processed.
The Amazon Web Services account ID for the account that the request applies to.
The source of the issue or delay in processing the request.
The reason why the request hasn't been processed.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondelete_member(**kwargs)¶Deletes the association between an Amazon Macie administrator account and an account.
See also: AWS API Documentation
Request Syntax
response = client.delete_member(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{}
Response Structure
The request succeeded. The association was deleted and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondescribe_buckets(**kwargs)¶Retrieves (queries) statistical data and other information about one or more S3 buckets that Amazon Macie monitors and analyzes for an account.
See also: AWS API Documentation
Request Syntax
response = client.describe_buckets(
criteria={
'string': {
'eq': [
'string',
],
'gt': 123,
'gte': 123,
'lt': 123,
'lte': 123,
'neq': [
'string',
],
'prefix': 'string'
}
},
maxResults=123,
nextToken='string',
sortCriteria={
'attributeName': 'string',
'orderBy': 'ASC'|'DESC'
}
)
The criteria to use to filter the query results.
Specifies the operator to use in a property-based condition that filters the results of a query for information about S3 buckets.
The value for the property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
The value for the property is greater than the specified value.
The value for the property is greater than or equal to the specified value.
The value for the property is less than the specified value.
The value for the property is less than or equal to the specified value.
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
The name of the bucket begins with the specified value.
The criteria to use to sort the query results.
The name of the bucket property to sort the results by. This value can be one of the following properties that Amazon Macie defines as bucket metadata: accountId, bucketName, classifiableObjectCount, classifiableSizeInBytes, objectCount, sensitivityScore, or sizeInBytes.
The sort order to apply to the results, based on the value specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
dict
Response Syntax
{
'buckets': [
{
'accountId': 'string',
'allowsUnencryptedObjectUploads': 'TRUE'|'FALSE'|'UNKNOWN',
'bucketArn': 'string',
'bucketCreatedAt': datetime(2015, 1, 1),
'bucketName': 'string',
'classifiableObjectCount': 123,
'classifiableSizeInBytes': 123,
'errorCode': 'ACCESS_DENIED',
'errorMessage': 'string',
'jobDetails': {
'isDefinedInJob': 'TRUE'|'FALSE'|'UNKNOWN',
'isMonitoredByJob': 'TRUE'|'FALSE'|'UNKNOWN',
'lastJobId': 'string',
'lastJobRunTime': datetime(2015, 1, 1)
},
'lastAutomatedDiscoveryTime': datetime(2015, 1, 1),
'lastUpdated': datetime(2015, 1, 1),
'objectCount': 123,
'objectCountByEncryptionType': {
'customerManaged': 123,
'kmsManaged': 123,
's3Managed': 123,
'unencrypted': 123,
'unknown': 123
},
'publicAccess': {
'effectivePermission': 'PUBLIC'|'NOT_PUBLIC'|'UNKNOWN',
'permissionConfiguration': {
'accountLevelPermissions': {
'blockPublicAccess': {
'blockPublicAcls': True|False,
'blockPublicPolicy': True|False,
'ignorePublicAcls': True|False,
'restrictPublicBuckets': True|False
}
},
'bucketLevelPermissions': {
'accessControlList': {
'allowsPublicReadAccess': True|False,
'allowsPublicWriteAccess': True|False
},
'blockPublicAccess': {
'blockPublicAcls': True|False,
'blockPublicPolicy': True|False,
'ignorePublicAcls': True|False,
'restrictPublicBuckets': True|False
},
'bucketPolicy': {
'allowsPublicReadAccess': True|False,
'allowsPublicWriteAccess': True|False
}
}
}
},
'region': 'string',
'replicationDetails': {
'replicated': True|False,
'replicatedExternally': True|False,
'replicationAccounts': [
'string',
]
},
'sensitivityScore': 123,
'serverSideEncryption': {
'kmsMasterKeyId': 'string',
'type': 'NONE'|'AES256'|'aws:kms'
},
'sharedAccess': 'EXTERNAL'|'INTERNAL'|'NOT_SHARED'|'UNKNOWN',
'sizeInBytes': 123,
'sizeInBytesCompressed': 123,
'tags': [
{
'key': 'string',
'value': 'string'
},
],
'unclassifiableObjectCount': {
'fileType': 123,
'storageClass': 123,
'total': 123
},
'unclassifiableObjectSizeInBytes': {
'fileType': 123,
'storageClass': 123,
'total': 123
},
'versioning': True|False
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
buckets (list) --
An array of objects, one for each bucket that matches the filter criteria specified in the request.
(dict) --
Provides statistical data and other information about an S3 bucket that Amazon Macie monitors and analyzes for your account. By default, object count and storage size values include data for object parts that are the result of incomplete multipart uploads. For more information, see How Macie monitors Amazon S3 data security in the Amazon Macie User Guide .
If an error occurs when Macie attempts to retrieve and process metadata from Amazon S3 for the bucket or the bucket's objects, the value for the versioning property is false and the value for most other properties is null. Key exceptions are accountId, bucketArn, bucketCreatedAt, bucketName, lastUpdated, and region. To identify the cause of the error, refer to the errorCode and errorMessage values.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the bucket.
allowsUnencryptedObjectUploads (string) --
Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are uploaded to the bucket. Possible values are:
Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.
bucketArn (string) --
The Amazon Resource Name (ARN) of the bucket.
bucketCreatedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the bucket was created. This value can also indicate when changes such as edits to the bucket's policy were most recently made to the bucket.
bucketName (string) --
The name of the bucket.
classifiableObjectCount (integer) --
The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
classifiableSizeInBytes (integer) --
The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
errorCode (string) --
The error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. If this value is ACCESS_DENIED, Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.
errorMessage (string) --
A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.
jobDetails (dict) --
Specifies whether any one-time or recurring classification jobs are configured to analyze data in the bucket, and, if so, the details of the job that ran most recently.
isDefinedInJob (string) --
Specifies whether any one-time or recurring jobs are configured to analyze data in the bucket. Possible values are:
isMonitoredByJob (string) --
Specifies whether any recurring jobs are configured to analyze data in the bucket. Possible values are:
lastJobId (string) --
The unique identifier for the job that ran most recently and is configured to analyze data in the bucket, either the latest run of a recurring job or the only run of a one-time job.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastJobRunTime (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastAutomatedDiscoveryTime (datetime) --
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed data in the bucket while performing automated sensitive data discovery for your account. This value is null if automated sensitive data discovery is currently disabled for your account.
lastUpdated (datetime) --
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved bucket or object metadata from Amazon S3 for the bucket.
objectCount (integer) --
The total number of objects in the bucket.
objectCountByEncryptionType (dict) --
The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.
customerManaged (integer) --
The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).
kmsManaged (integer) --
The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).
s3Managed (integer) --
The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).
unencrypted (integer) --
The total number of objects that aren't encrypted or use client-side encryption.
unknown (integer) --
The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.
publicAccess (dict) --
Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket, and provides information about those settings.
effectivePermission (string) --
Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket. Possible values are:
permissionConfiguration (dict) --
The account-level and bucket-level permissions settings for the bucket.
accountLevelPermissions (dict) --
The account-level permissions settings that apply to the bucket.
blockPublicAccess (dict) --
The block public access settings for the Amazon Web Services account that owns the bucket.
blockPublicAcls (boolean) --
Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.
blockPublicPolicy (boolean) --
Specifies whether Amazon S3 blocks public bucket policies for the bucket.
ignorePublicAcls (boolean) --
Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.
restrictPublicBuckets (boolean) --
Specifies whether Amazon S3 restricts public bucket policies for the bucket.
bucketLevelPermissions (dict) --
The bucket-level permissions settings for the bucket.
accessControlList (dict) --
The permissions settings of the access control list (ACL) for the bucket. This value is null if an ACL hasn't been defined for the bucket.
allowsPublicReadAccess (boolean) --
Specifies whether the ACL grants the general public with read access permissions for the bucket.
allowsPublicWriteAccess (boolean) --
Specifies whether the ACL grants the general public with write access permissions for the bucket.
blockPublicAccess (dict) --
The block public access settings for the bucket.
blockPublicAcls (boolean) --
Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.
blockPublicPolicy (boolean) --
Specifies whether Amazon S3 blocks public bucket policies for the bucket.
ignorePublicAcls (boolean) --
Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.
restrictPublicBuckets (boolean) --
Specifies whether Amazon S3 restricts public bucket policies for the bucket.
bucketPolicy (dict) --
The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn't been defined for the bucket.
allowsPublicReadAccess (boolean) --
Specifies whether the bucket policy allows the general public to have read access to the bucket.
allowsPublicWriteAccess (boolean) --
Specifies whether the bucket policy allows the general public to have write access to the bucket.
region (string) --
The Amazon Web Services Region that hosts the bucket.
replicationDetails (dict) --
Specifies whether the bucket is configured to replicate one or more objects to buckets for other Amazon Web Services accounts and, if so, which accounts.
replicated (boolean) --
Specifies whether the bucket is configured to replicate one or more objects to any destination.
replicatedExternally (boolean) --
Specifies whether the bucket is configured to replicate one or more objects to a bucket for an Amazon Web Services account that isn't part of your Amazon Macie organization. An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.
replicationAccounts (list) --
An array of Amazon Web Services account IDs, one for each Amazon Web Services account that owns a bucket that the bucket is configured to replicate one or more objects to.
sensitivityScore (integer) --
The sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). This value is null if automated sensitive data discovery is currently disabled for your account.
serverSideEncryption (dict) --
Specifies whether the bucket encrypts new objects by default and, if so, the type of server-side encryption that's used.
kmsMasterKeyId (string) --
The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that's used by default to encrypt objects that are added to the bucket. This value is null if the bucket uses an Amazon S3 managed key to encrypt new objects or the bucket doesn't encrypt new objects by default.
type (string) --
The type of server-side encryption that's used by default when storing new objects in the bucket. Possible values are:
sharedAccess (string) --
Specifies whether the bucket is shared with another Amazon Web Services account, an Amazon CloudFront origin access identity (OAI), or a CloudFront origin access control (OAC). Possible values are:
An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.
sizeInBytes (integer) --
The total storage size, in bytes, of the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.
sizeInBytesCompressed (integer) --
The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
tags (list) --
An array that specifies the tags (keys and values) that are associated with the bucket.
(dict) --
Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.
key (string) --
One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values.
value (string) --
One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string.
unclassifiableObjectCount (dict) --
The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
fileType (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
storageClass (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
total (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
unclassifiableObjectSizeInBytes (dict) --
The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
fileType (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
storageClass (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
total (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
versioning (boolean) --
Specifies whether versioning is enabled for the bucket.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondescribe_classification_job(**kwargs)¶Retrieves the status and settings for a classification job.
See also: AWS API Documentation
Request Syntax
response = client.describe_classification_job(
jobId='string'
)
[REQUIRED]
The unique identifier for the classification job.
{
'allowListIds': [
'string',
],
'clientToken': 'string',
'createdAt': datetime(2015, 1, 1),
'customDataIdentifierIds': [
'string',
],
'description': 'string',
'initialRun': True|False,
'jobArn': 'string',
'jobId': 'string',
'jobStatus': 'RUNNING'|'PAUSED'|'CANCELLED'|'COMPLETE'|'IDLE'|'USER_PAUSED',
'jobType': 'ONE_TIME'|'SCHEDULED',
'lastRunErrorStatus': {
'code': 'NONE'|'ERROR'
},
'lastRunTime': datetime(2015, 1, 1),
'managedDataIdentifierIds': [
'string',
],
'managedDataIdentifierSelector': 'ALL'|'EXCLUDE'|'INCLUDE'|'NONE',
'name': 'string',
's3JobDefinition': {
'bucketCriteria': {
'excludes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
},
'includes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
}
},
'bucketDefinitions': [
{
'accountId': 'string',
'buckets': [
'string',
]
},
],
'scoping': {
'excludes': {
'and': [
{
'simpleScopeTerm': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'OBJECT_EXTENSION'|'OBJECT_LAST_MODIFIED_DATE'|'OBJECT_SIZE'|'OBJECT_KEY',
'values': [
'string',
]
},
'tagScopeTerm': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'string',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
],
'target': 'S3_OBJECT'
}
},
]
},
'includes': {
'and': [
{
'simpleScopeTerm': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'OBJECT_EXTENSION'|'OBJECT_LAST_MODIFIED_DATE'|'OBJECT_SIZE'|'OBJECT_KEY',
'values': [
'string',
]
},
'tagScopeTerm': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'string',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
],
'target': 'S3_OBJECT'
}
},
]
}
}
},
'samplingPercentage': 123,
'scheduleFrequency': {
'dailySchedule': {},
'monthlySchedule': {
'dayOfMonth': 123
},
'weeklySchedule': {
'dayOfWeek': 'SUNDAY'|'MONDAY'|'TUESDAY'|'WEDNESDAY'|'THURSDAY'|'FRIDAY'|'SATURDAY'
}
},
'statistics': {
'approximateNumberOfObjectsToProcess': 123.0,
'numberOfRuns': 123.0
},
'tags': {
'string': 'string'
},
'userPausedDetails': {
'jobExpiresAt': datetime(2015, 1, 1),
'jobImminentExpirationHealthEventArn': 'string',
'jobPausedAt': datetime(2015, 1, 1)
}
}
Response Structure
The request succeeded.
An array of unique identifiers, one for each allow list that the job uses when it analyzes data.
The token that was provided to ensure the idempotency of the request to create the job.
The date and time, in UTC and extended ISO 8601 format, when the job was created.
An array of unique identifiers, one for each custom data identifier that the job uses when it analyzes data. This value is null if the job uses only managed data identifiers to analyze data.
The custom description of the job.
For a recurring job, specifies whether you configured the job to analyze all existing, eligible objects immediately after the job was created (true). If you configured the job to analyze only those objects that were created or changed after the job was created and before the job's first scheduled run, this value is false. This value is also false for a one-time job.
The Amazon Resource Name (ARN) of the job.
The unique identifier for the job.
The current status of the job. Possible values are:
The schedule for running the job. Possible values are:
Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run.
Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run. Possible values are:
The date and time, in UTC and extended ISO 8601 format, when the job started. If the job is a recurring job, this value indicates when the most recent run started or, if the job hasn't run yet, when the job was created.
An array of unique identifiers, one for each managed data identifier that the job is explicitly configured to include (use) or exclude (not use) when it analyzes data. Inclusion or exclusion depends on the managed data identifier selection type specified for the job (managedDataIdentifierSelector). This value is null if the job's managed data identifier selection type is ALL or the job uses only custom data identifiers (customDataIdentifierIds) to analyze data.
The selection type that determines which managed data identifiers the job uses to analyze data. Possible values are:
If this value is null, the job uses all managed data identifiers. If this value is null, ALL, or EXCLUDE for a recurring job, the job also uses new managed data identifiers as they are released.
The custom name of the job.
The S3 buckets that contain the objects to analyze, and the scope of that analysis.
The property- and tag-based conditions that determine which S3 buckets to include or exclude from the analysis. Each time the job runs, the job uses these criteria to determine which buckets contain objects to analyze. A job's definition can contain a bucketCriteria object or a bucketDefinitions array, not both.
The property- and tag-based conditions that determine which buckets to exclude from the job.
An array of conditions, one for each condition that determines which buckets to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 buckets from a classification job.
A property-based condition that defines a property, operator, and one or more values for including or excluding buckets from the job.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The property to use in the condition.
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in these values.
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding buckets from the job.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The tag keys, tag values, or tag key and value pairs to use in the condition.
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
The value for the tag key to use in the condition.
The tag value to use in the condition.
The property- and tag-based conditions that determine which buckets to include in the job.
An array of conditions, one for each condition that determines which buckets to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 buckets from a classification job.
A property-based condition that defines a property, operator, and one or more values for including or excluding buckets from the job.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The property to use in the condition.
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in these values.
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding buckets from the job.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The tag keys, tag values, or tag key and value pairs to use in the condition.
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
The value for the tag key to use in the condition.
The tag value to use in the condition.
An array of objects, one for each Amazon Web Services account that owns specific S3 buckets to analyze. Each object specifies the account ID for an account and one or more buckets to analyze for that account. A job's definition can contain a bucketDefinitions array or a bucketCriteria object, not both.
Specifies an Amazon Web Services account that owns S3 buckets for a classification job to analyze, and one or more specific buckets to analyze for that account.
The unique identifier for the Amazon Web Services account that owns the buckets.
An array that lists the names of the buckets.
The property- and tag-based conditions that determine which S3 objects to include or exclude from the analysis. Each time the job runs, the job uses these criteria to determine which objects to analyze.
The property- and tag-based conditions that determine which objects to exclude from the analysis.
An array of conditions, one for each property- or tag-based condition that determines which objects to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 objects from a classification job. A JobScopeTerm object can contain only one simpleScopeTerm object or one tagScopeTerm object.
A property-based condition that defines a property, operator, and one or more values for including or excluding objects from the job.
The operator to use in the condition. Valid values for each supported property (key) are:
The object property to use in the condition.
An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses OR logic to join the values. Otherwise, this array can specify only one value.
Valid values for each supported property (key) are:
Macie doesn't support use of wildcard characters in these values. Also, string values are case sensitive.
A tag-based condition that defines the operator and tag keys or tag key and value pairs for including or excluding objects from the job.
The operator to use in the condition. Valid values are EQ (equals) or NE (not equals).
The object property to use in the condition. The only valid value is TAG.
The tag keys or tag key and value pairs to use in the condition. To specify only tag keys in a condition, specify the keys in this array and set the value for each associated tag value to an empty string.
Specifies a tag key or tag key and value pair to use in a tag-based condition that determines whether an S3 object is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
The value for the tag key to use in the condition.
The tag value, associated with the specified tag key (key), to use in the condition. To specify only a tag key for a condition, specify the tag key for the key property and set this value to an empty string.
The type of object to apply the condition to.
The property- and tag-based conditions that determine which objects to include in the analysis.
An array of conditions, one for each property- or tag-based condition that determines which objects to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 objects from a classification job. A JobScopeTerm object can contain only one simpleScopeTerm object or one tagScopeTerm object.
A property-based condition that defines a property, operator, and one or more values for including or excluding objects from the job.
The operator to use in the condition. Valid values for each supported property (key) are:
The object property to use in the condition.
An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses OR logic to join the values. Otherwise, this array can specify only one value.
Valid values for each supported property (key) are:
Macie doesn't support use of wildcard characters in these values. Also, string values are case sensitive.
A tag-based condition that defines the operator and tag keys or tag key and value pairs for including or excluding objects from the job.
The operator to use in the condition. Valid values are EQ (equals) or NE (not equals).
The object property to use in the condition. The only valid value is TAG.
The tag keys or tag key and value pairs to use in the condition. To specify only tag keys in a condition, specify the keys in this array and set the value for each associated tag value to an empty string.
Specifies a tag key or tag key and value pair to use in a tag-based condition that determines whether an S3 object is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
The value for the tag key to use in the condition.
The tag value, associated with the specified tag key (key), to use in the condition. To specify only a tag key for a condition, specify the tag key for the key property and set this value to an empty string.
The type of object to apply the condition to.
The sampling depth, as a percentage, that determines the percentage of eligible objects that the job analyzes.
The recurrence pattern for running the job. This value is null if the job is configured to run only once.
Specifies a daily recurrence pattern for running the job.
Specifies a monthly recurrence pattern for running the job.
The numeric day of the month when Amazon Macie runs the job. This value can be an integer from 1 through 31.
If this value exceeds the number of days in a certain month, Macie doesn't run the job that month. Macie runs the job only during months that have the specified day. For example, if this value is 31 and a month has only 30 days, Macie doesn't run the job that month. To run the job every month, specify a value that's less than 29.
Specifies a weekly recurrence pattern for running the job.
The day of the week when Amazon Macie runs the job.
The number of times that the job has run and processing statistics for the job's current run.
The approximate number of objects that the job has yet to process during its current run.
The number of times that the job has run.
A map of key-value pairs that specifies which tags (keys and values) are associated with the classification job.
If the current status of the job is USER_PAUSED, specifies when the job was paused and when the job or job run will expire and be cancelled if it isn't resumed. This value is present only if the value for jobStatus is USER_PAUSED.
The date and time, in UTC and extended ISO 8601 format, when the job or job run will expire and be cancelled if you don't resume it first.
The Amazon Resource Name (ARN) of the Health event that Amazon Macie sent to notify you of the job or job run's pending expiration and cancellation. This value is null if a job has been paused for less than 23 days.
The date and time, in UTC and extended ISO 8601 format, when you paused the job.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondescribe_organization_configuration()¶Retrieves the Amazon Macie configuration settings for an organization in Organizations.
See also: AWS API Documentation
Request Syntax
response = client.describe_organization_configuration()
{
'autoEnable': True|False,
'maxAccountLimitReached': True|False
}
Response Structure
The request succeeded.
Specifies whether Amazon Macie is enabled automatically for accounts that are added to the organization.
Specifies whether the maximum number of Amazon Macie member accounts are part of the organization.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondisable_macie()¶Disables Amazon Macie and deletes all settings and resources for a Macie account.
See also: AWS API Documentation
Request Syntax
response = client.disable_macie()
{}
Response Structure
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondisable_organization_admin_account(**kwargs)¶Disables an account as the delegated Amazon Macie administrator account for an organization in Organizations.
See also: AWS API Documentation
Request Syntax
response = client.disable_organization_admin_account(
adminAccountId='string'
)
[REQUIRED]
The Amazon Web Services account ID of the delegated Amazon Macie administrator account.
{}
Response Structure
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondisassociate_from_administrator_account()¶Disassociates a member account from its Amazon Macie administrator account.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_from_administrator_account()
{}
Response Structure
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondisassociate_from_master_account()¶(Deprecated) Disassociates a member account from its Amazon Macie administrator account. This operation has been replaced by the DisassociateFromAdministratorAccountoperation.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_from_master_account()
{}
Response Structure
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiondisassociate_member(**kwargs)¶Disassociates an Amazon Macie administrator account from a member account.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_member(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{}
Response Structure
The request succeeded.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionenable_macie(**kwargs)¶Enables Amazon Macie and specifies the configuration settings for a Macie account.
See also: AWS API Documentation
Request Syntax
response = client.enable_macie(
clientToken='string',
findingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
status='PAUSED'|'ENABLED'
)
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionenable_organization_admin_account(**kwargs)¶Designates an account as the delegated Amazon Macie administrator account for an organization in Organizations.
See also: AWS API Documentation
Request Syntax
response = client.enable_organization_admin_account(
adminAccountId='string',
clientToken='string'
)
[REQUIRED]
The Amazon Web Services account ID for the account to designate as the delegated Amazon Macie administrator account for the organization.
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_administrator_account()¶Retrieves information about the Amazon Macie administrator account for an account.
See also: AWS API Documentation
Request Syntax
response = client.get_administrator_account()
{
'administrator': {
'accountId': 'string',
'invitationId': 'string',
'invitedAt': datetime(2015, 1, 1),
'relationshipStatus': 'Enabled'|'Paused'|'Invited'|'Created'|'Removed'|'Resigned'|'EmailVerificationInProgress'|'EmailVerificationFailed'|'RegionDisabled'|'AccountSuspended'
}
}
Response Structure
The Amazon Web Services account ID for the administrator account. If the accounts are associated by an Amazon Macie membership invitation, this object also provides details about the invitation that was sent to establish the relationship between the accounts.
The Amazon Web Services account ID for the account that sent the invitation.
The unique identifier for the invitation.
The date and time, in UTC and extended ISO 8601 format, when the invitation was sent.
The status of the relationship between the account that sent the invitation and the account that received the invitation.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_allow_list(**kwargs)¶Retrieves the settings and status of an allow list.
See also: AWS API Documentation
Request Syntax
response = client.get_allow_list(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'criteria': {
'regex': 'string',
's3WordsList': {
'bucketName': 'string',
'objectKey': 'string'
}
},
'description': 'string',
'id': 'string',
'name': 'string',
'status': {
'code': 'OK'|'S3_OBJECT_NOT_FOUND'|'S3_USER_ACCESS_DENIED'|'S3_OBJECT_ACCESS_DENIED'|'S3_THROTTLED'|'S3_OBJECT_OVERSIZE'|'S3_OBJECT_EMPTY'|'UNKNOWN_ERROR',
'description': 'string'
},
'tags': {
'string': 'string'
},
'updatedAt': datetime(2015, 1, 1)
}
Response Structure
The request succeeded.
The Amazon Resource Name (ARN) of the allow list.
The date and time, in UTC and extended ISO 8601 format, when the allow list was created in Amazon Macie.
The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an S3 object that lists specific text to ignore (s3WordsList), or a regular expression (regex) that defines a text pattern to ignore.
The regular expression (regex ) that defines the text pattern to ignore. The expression can contain as many as 512 characters.
The location and name of the S3 object that lists specific text to ignore.
The full name of the S3 bucket that contains the object.
The full name (key) of the object.
The custom description of the allow list.
The unique identifier for the allow list.
The custom name of the allow list.
The current status of the allow list, which indicates whether Amazon Macie can access and use the list's criteria.
The current status of the allow list. If the list's criteria specify a regular expression (regex), this value is typically OK. Amazon Macie can compile the expression.
If the list's criteria specify an S3 object, possible values are:
A brief description of the status of the allow list. Amazon Macie uses this value to provide additional information about an error that occurred when Macie tried to access and use the list's criteria.
A map of key-value pairs that specifies which tags (keys and values) are associated with the allow list.
The date and time, in UTC and extended ISO 8601 format, when the allow list's settings were most recently changed in Amazon Macie.
Exceptions
Macie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionget_automated_discovery_configuration()¶Retrieves the configuration settings and status of automated sensitive data discovery for an account.
See also: AWS API Documentation
Request Syntax
response = client.get_automated_discovery_configuration()
{
'classificationScopeId': 'string',
'disabledAt': datetime(2015, 1, 1),
'firstEnabledAt': datetime(2015, 1, 1),
'lastUpdatedAt': datetime(2015, 1, 1),
'sensitivityInspectionTemplateId': 'string',
'status': 'ENABLED'|'DISABLED'
}
Response Structure
The request succeeded.
The unique identifier for the classification scope that's used when performing automated sensitive data discovery for the account. The classification scope specifies S3 buckets to exclude from automated sensitive data discovery.
The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was most recently disabled for the account. This value is null if automated sensitive data discovery wasn't enabled and subsequently disabled for the account.
The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was initially enabled for the account. This value is null if automated sensitive data discovery has never been enabled for the account.
The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was most recently enabled or disabled for the account.
The unique identifier for the sensitivity inspection template that's used when performing automated sensitive data discovery for the account. The template specifies which allow lists, custom data identifiers, and managed data identifiers to use when analyzing data.
The current status of the automated sensitive data discovery configuration for the account. Possible values are: ENABLED, use the specified settings to perform automated sensitive data discovery activities for the account; and, DISABLED, don't perform automated sensitive data discovery activities for the account.
Exceptions
Macie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionget_bucket_statistics(**kwargs)¶Retrieves (queries) aggregated statistical data about all the S3 buckets that Amazon Macie monitors and analyzes for an account.
See also: AWS API Documentation
Request Syntax
response = client.get_bucket_statistics(
accountId='string'
)
{
'bucketCount': 123,
'bucketCountByEffectivePermission': {
'publiclyAccessible': 123,
'publiclyReadable': 123,
'publiclyWritable': 123,
'unknown': 123
},
'bucketCountByEncryptionType': {
'kmsManaged': 123,
's3Managed': 123,
'unencrypted': 123,
'unknown': 123
},
'bucketCountByObjectEncryptionRequirement': {
'allowsUnencryptedObjectUploads': 123,
'deniesUnencryptedObjectUploads': 123,
'unknown': 123
},
'bucketCountBySharedAccessType': {
'external': 123,
'internal': 123,
'notShared': 123,
'unknown': 123
},
'bucketStatisticsBySensitivity': {
'classificationError': {
'classifiableSizeInBytes': 123,
'publiclyAccessibleCount': 123,
'totalCount': 123,
'totalSizeInBytes': 123
},
'notClassified': {
'classifiableSizeInBytes': 123,
'publiclyAccessibleCount': 123,
'totalCount': 123,
'totalSizeInBytes': 123
},
'notSensitive': {
'classifiableSizeInBytes': 123,
'publiclyAccessibleCount': 123,
'totalCount': 123,
'totalSizeInBytes': 123
},
'sensitive': {
'classifiableSizeInBytes': 123,
'publiclyAccessibleCount': 123,
'totalCount': 123,
'totalSizeInBytes': 123
}
},
'classifiableObjectCount': 123,
'classifiableSizeInBytes': 123,
'lastUpdated': datetime(2015, 1, 1),
'objectCount': 123,
'sizeInBytes': 123,
'sizeInBytesCompressed': 123,
'unclassifiableObjectCount': {
'fileType': 123,
'storageClass': 123,
'total': 123
},
'unclassifiableObjectSizeInBytes': {
'fileType': 123,
'storageClass': 123,
'total': 123
}
}
Response Structure
The request succeeded.
The total number of buckets.
The total number of buckets that are publicly accessible due to a combination of permissions settings for each bucket.
The total number of buckets that allow the general public to have read or write access to the bucket.
The total number of buckets that allow the general public to have read access to the bucket.
The total number of buckets that allow the general public to have write access to the bucket.
The total number of buckets that Amazon Macie wasn't able to evaluate permissions settings for. Macie can't determine whether these buckets are publicly accessible.
The total number of buckets that use certain types of server-side encryption to encrypt new objects by default. This object also reports the total number of buckets that don't encrypt new objects by default.
The total number of buckets that use an KMS key to encrypt new objects by default, either an Amazon Web Services managed key or a customer managed key. These buckets use KMS encryption (SSE-KMS) by default.
The total number of buckets that use an Amazon S3 managed key to encrypt new objects by default. These buckets use Amazon S3 managed encryption (SSE-S3) by default.
The total number of buckets that don't encrypt new objects by default. Default encryption is disabled for these buckets.
The total number of buckets that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the default encryption settings for these buckets.
The total number of buckets whose bucket policies do or don't require server-side encryption of objects when objects are uploaded to the buckets.
The total number of buckets that don't have a bucket policy or have a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, the policy doesn't require PutObject requests to include a valid server-side encryption header: the x-amz-server-side-encryption header with a value of AES256 or aws:kms, or the x-amz-server-side-encryption-customer-algorithm header with a value of AES256.
The total number of buckets whose bucket policies require server-side encryption of new objects. PutObject requests for these buckets must include a valid server-side encryption header: the x-amz-server-side-encryption header with a value of AES256 or aws:kms, or the x-amz-server-side-encryption-customer-algorithm header with a value of AES256.
The total number of buckets that Amazon Macie wasn't able to evaluate server-side encryption requirements for. Macie can't determine whether the bucket policies for these buckets require server-side encryption of new objects.
The total number of buckets that are or aren't shared with other Amazon Web Services accounts, Amazon CloudFront origin access identities (OAIs), or CloudFront origin access controls (OACs).
The total number of buckets that are shared with one or more of the following or any combination of the following: an Amazon Web Services account that isn't in the same Amazon Macie organization, an Amazon CloudFront OAI, or a CloudFront OAC.
The total number of buckets that are shared with one or more Amazon Web Services accounts in the same Amazon Macie organization. These buckets aren't shared with Amazon CloudFront OAIs or OACs.
The total number of buckets that aren't shared with other Amazon Web Services accounts, Amazon CloudFront OAIs, or CloudFront OACs.
The total number of buckets that Amazon Macie wasn't able to evaluate shared access settings for. Macie can't determine whether these buckets are shared with other Amazon Web Services accounts, Amazon CloudFront OAIs, or CloudFront OACs.
The aggregated sensitive data discovery statistics for the buckets. If automated sensitive data discovery is currently disabled for your account, the value for each statistic is 0.
The aggregated statistical data for all buckets that have a sensitivity score of -1.
The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.
The total number of buckets that are publicly accessible due to a combination of permissions settings for each bucket.
The total number of buckets.
The total storage size, in bytes, of the buckets.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each object in the buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.
The aggregated statistical data for all buckets that have a sensitivity score of 50.
The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.
The total number of buckets that are publicly accessible due to a combination of permissions settings for each bucket.
The total number of buckets.
The total storage size, in bytes, of the buckets.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each object in the buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.
The aggregated statistical data for all buckets that have a sensitivity score of 1-49.
The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.
The total number of buckets that are publicly accessible due to a combination of permissions settings for each bucket.
The total number of buckets.
The total storage size, in bytes, of the buckets.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each object in the buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.
The aggregated statistical data for all buckets that have a sensitivity score of 51-100.
The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.
The total number of buckets that are publicly accessible due to a combination of permissions settings for each bucket.
The total number of buckets.
The total storage size, in bytes, of the buckets.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each object in the buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.
The total number of objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved bucket or object metadata from Amazon S3 for the buckets.
The total number of objects in the buckets.
The total storage size, in bytes, of the buckets.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each object in the buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.
The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the buckets.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of the applicable objects in the buckets.
The total number of objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_classification_export_configuration()¶Retrieves the configuration settings for storing data classification results.
See also: AWS API Documentation
Request Syntax
response = client.get_classification_export_configuration()
{
'configuration': {
's3Destination': {
'bucketName': 'string',
'keyPrefix': 'string',
'kmsKeyArn': 'string'
}
}
}
Response Structure
The request succeeded.
The location where data classification results are stored, and the encryption settings that are used when storing results in that location.
The S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket.
The name of the bucket.
The path prefix to use in the path to the location in the bucket. This prefix specifies where to store classification results in the bucket.
The Amazon Resource Name (ARN) of the customer managed KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption KMS key that's in the same Amazon Web Services Region as the bucket.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_classification_scope(**kwargs)¶Retrieves the classification scope settings for an account.
See also: AWS API Documentation
Request Syntax
response = client.get_classification_scope(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{
'id': 'string',
'name': 'string',
's3': {
'excludes': {
'bucketNames': [
'string',
]
}
}
}
Response Structure
The request succeeded.
The unique identifier for the classification scope.
The name of the classification scope: automated-sensitive-data-discovery.
The S3 buckets that are excluded from automated sensitive data discovery.
The S3 buckets that are excluded.
An array of strings, one for each S3 bucket that is excluded. Each string is the full name of an excluded bucket.
The name of an S3 bucket.
Exceptions
Macie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionget_custom_data_identifier(**kwargs)¶Retrieves the criteria and other settings for a custom data identifier.
See also: AWS API Documentation
Request Syntax
response = client.get_custom_data_identifier(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'deleted': True|False,
'description': 'string',
'id': 'string',
'ignoreWords': [
'string',
],
'keywords': [
'string',
],
'maximumMatchDistance': 123,
'name': 'string',
'regex': 'string',
'severityLevels': [
{
'occurrencesThreshold': 123,
'severity': 'LOW'|'MEDIUM'|'HIGH'
},
],
'tags': {
'string': 'string'
}
}
Response Structure
The request succeeded.
The Amazon Resource Name (ARN) of the custom data identifier.
The date and time, in UTC and extended ISO 8601 format, when the custom data identifier was created.
Specifies whether the custom data identifier was deleted. If you delete a custom data identifier, Amazon Macie doesn't delete it permanently. Instead, it soft deletes the identifier.
The custom description of the custom data identifier.
The unique identifier for the custom data identifier.
An array that lists specific character sequences (ignore words ) to exclude from the results. If the text matched by the regular expression contains any string in this array, Amazon Macie ignores it. Ignore words are case sensitive.
An array that lists specific character sequences (keywords ), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. Keywords aren't case sensitive.
The maximum number of characters that can exist between the end of at least one complete character sequence specified by the keywords array and the end of the text that matches the regex pattern. If a complete keyword precedes all the text that matches the pattern and the keyword is within the specified distance, Amazon Macie includes the result. Otherwise, Macie excludes the result.
The custom name of the custom data identifier.
The regular expression (regex ) that defines the pattern to match.
Specifies the severity that's assigned to findings that the custom data identifier produces, based on the number of occurrences of text that matches the custom data identifier's detection criteria. By default, Amazon Macie creates findings for S3 objects that contain at least one occurrence of text that matches the detection criteria, and Macie assigns the MEDIUM severity to those findings.
Specifies a severity level for findings that a custom data identifier produces. A severity level determines which severity is assigned to the findings, based on the number of occurrences of text that matches the custom data identifier's detection criteria.
The minimum number of occurrences of text that must match the custom data identifier's detection criteria in order to produce a finding with the specified severity (severity).
The severity to assign to a finding: if the number of occurrences is greater than or equal to the specified threshold (occurrencesThreshold); and, if applicable, the number of occurrences is less than the threshold for the next consecutive severity level for the custom data identifier, moving from LOW to HIGH.
A map of key-value pairs that identifies the tags (keys and values) that are associated with the custom data identifier.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_finding_statistics(**kwargs)¶Retrieves (queries) aggregated statistical data about findings.
See also: AWS API Documentation
Request Syntax
response = client.get_finding_statistics(
findingCriteria={
'criterion': {
'string': {
'eq': [
'string',
],
'eqExactMatch': [
'string',
],
'gt': 123,
'gte': 123,
'lt': 123,
'lte': 123,
'neq': [
'string',
]
}
}
},
groupBy='resourcesAffected.s3Bucket.name'|'type'|'classificationDetails.jobId'|'severity.description',
size=123,
sortCriteria={
'attributeName': 'groupKey'|'count',
'orderBy': 'ASC'|'DESC'
}
)
The criteria to use to filter the query results.
A condition that specifies the property, operator, and one or more values to use to filter the results.
Specifies the operator to use in a property-based condition that filters the results of a query for findings. For detailed information and examples of each operator, see Fundamentals of filtering findings in the Amazon Macie User Guide .
The value for the property matches (equals) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
The value for the property exclusively matches (equals an exact match for) all the specified values. If you specify multiple values, Amazon Macie uses AND logic to join the values.
You can use this operator with the following properties: customDataIdentifiers.detections.arn, customDataIdentifiers.detections.name, resourcesAffected.s3Bucket.tags.key, resourcesAffected.s3Bucket.tags.value, resourcesAffected.s3Object.tags.key, resourcesAffected.s3Object.tags.value, sensitiveData.category, and sensitiveData.detections.type.
The value for the property is greater than the specified value.
The value for the property is greater than or equal to the specified value.
The value for the property is less than the specified value.
The value for the property is less than or equal to the specified value.
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
[REQUIRED]
The finding property to use to group the query results. Valid values are:
The criteria to use to sort the query results.
The grouping to sort the results by. Valid values are: count, sort the results by the number of findings in each group of results; and, groupKey, sort the results by the name of each group of results.
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
dict
Response Syntax
{
'countsByGroup': [
{
'count': 123,
'groupKey': 'string'
},
]
}
Response Structure
(dict) --
The request succeeded.
countsByGroup (list) --
An array of objects, one for each group of findings that matches the filter criteria specified in the request.
(dict) --
Provides a group of results for a query that retrieved aggregated statistical data about findings.
count (integer) --
The total number of findings in the group of query results.
groupKey (string) --
The name of the property that defines the group in the query results, as specified by the groupBy property in the query request.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_findings(**kwargs)¶Retrieves the details of one or more findings.
See also: AWS API Documentation
Request Syntax
response = client.get_findings(
findingIds=[
'string',
],
sortCriteria={
'attributeName': 'string',
'orderBy': 'ASC'|'DESC'
}
)
[REQUIRED]
An array of strings that lists the unique identifiers for the findings to retrieve. You can specify as many as 50 unique identifiers in this array.
The criteria for sorting the results of the request.
The name of the property to sort the results by. This value can be the name of any property that Amazon Macie defines for a finding.
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
dict
Response Syntax
{
'findings': [
{
'accountId': 'string',
'archived': True|False,
'category': 'CLASSIFICATION'|'POLICY',
'classificationDetails': {
'detailedResultsLocation': 'string',
'jobArn': 'string',
'jobId': 'string',
'originType': 'SENSITIVE_DATA_DISCOVERY_JOB'|'AUTOMATED_SENSITIVE_DATA_DISCOVERY',
'result': {
'additionalOccurrences': True|False,
'customDataIdentifiers': {
'detections': [
{
'arn': 'string',
'count': 123,
'name': 'string',
'occurrences': {
'cells': [
{
'cellReference': 'string',
'column': 123,
'columnName': 'string',
'row': 123
},
],
'lineRanges': [
{
'end': 123,
'start': 123,
'startColumn': 123
},
],
'offsetRanges': [
{
'end': 123,
'start': 123,
'startColumn': 123
},
],
'pages': [
{
'lineRange': {
'end': 123,
'start': 123,
'startColumn': 123
},
'offsetRange': {
'end': 123,
'start': 123,
'startColumn': 123
},
'pageNumber': 123
},
],
'records': [
{
'jsonPath': 'string',
'recordIndex': 123
},
]
}
},
],
'totalCount': 123
},
'mimeType': 'string',
'sensitiveData': [
{
'category': 'FINANCIAL_INFORMATION'|'PERSONAL_INFORMATION'|'CREDENTIALS'|'CUSTOM_IDENTIFIER',
'detections': [
{
'count': 123,
'occurrences': {
'cells': [
{
'cellReference': 'string',
'column': 123,
'columnName': 'string',
'row': 123
},
],
'lineRanges': [
{
'end': 123,
'start': 123,
'startColumn': 123
},
],
'offsetRanges': [
{
'end': 123,
'start': 123,
'startColumn': 123
},
],
'pages': [
{
'lineRange': {
'end': 123,
'start': 123,
'startColumn': 123
},
'offsetRange': {
'end': 123,
'start': 123,
'startColumn': 123
},
'pageNumber': 123
},
],
'records': [
{
'jsonPath': 'string',
'recordIndex': 123
},
]
},
'type': 'string'
},
],
'totalCount': 123
},
],
'sizeClassified': 123,
'status': {
'code': 'string',
'reason': 'string'
}
}
},
'count': 123,
'createdAt': datetime(2015, 1, 1),
'description': 'string',
'id': 'string',
'partition': 'string',
'policyDetails': {
'action': {
'actionType': 'AWS_API_CALL',
'apiCallDetails': {
'api': 'string',
'apiServiceName': 'string',
'firstSeen': datetime(2015, 1, 1),
'lastSeen': datetime(2015, 1, 1)
}
},
'actor': {
'domainDetails': {
'domainName': 'string'
},
'ipAddressDetails': {
'ipAddressV4': 'string',
'ipCity': {
'name': 'string'
},
'ipCountry': {
'code': 'string',
'name': 'string'
},
'ipGeoLocation': {
'lat': 123.0,
'lon': 123.0
},
'ipOwner': {
'asn': 'string',
'asnOrg': 'string',
'isp': 'string',
'org': 'string'
}
},
'userIdentity': {
'assumedRole': {
'accessKeyId': 'string',
'accountId': 'string',
'arn': 'string',
'principalId': 'string',
'sessionContext': {
'attributes': {
'creationDate': datetime(2015, 1, 1),
'mfaAuthenticated': True|False
},
'sessionIssuer': {
'accountId': 'string',
'arn': 'string',
'principalId': 'string',
'type': 'string',
'userName': 'string'
}
}
},
'awsAccount': {
'accountId': 'string',
'principalId': 'string'
},
'awsService': {
'invokedBy': 'string'
},
'federatedUser': {
'accessKeyId': 'string',
'accountId': 'string',
'arn': 'string',
'principalId': 'string',
'sessionContext': {
'attributes': {
'creationDate': datetime(2015, 1, 1),
'mfaAuthenticated': True|False
},
'sessionIssuer': {
'accountId': 'string',
'arn': 'string',
'principalId': 'string',
'type': 'string',
'userName': 'string'
}
}
},
'iamUser': {
'accountId': 'string',
'arn': 'string',
'principalId': 'string',
'userName': 'string'
},
'root': {
'accountId': 'string',
'arn': 'string',
'principalId': 'string'
},
'type': 'AssumedRole'|'IAMUser'|'FederatedUser'|'Root'|'AWSAccount'|'AWSService'
}
}
},
'region': 'string',
'resourcesAffected': {
's3Bucket': {
'allowsUnencryptedObjectUploads': 'TRUE'|'FALSE'|'UNKNOWN',
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'defaultServerSideEncryption': {
'encryptionType': 'NONE'|'AES256'|'aws:kms'|'UNKNOWN',
'kmsMasterKeyId': 'string'
},
'name': 'string',
'owner': {
'displayName': 'string',
'id': 'string'
},
'publicAccess': {
'effectivePermission': 'PUBLIC'|'NOT_PUBLIC'|'UNKNOWN',
'permissionConfiguration': {
'accountLevelPermissions': {
'blockPublicAccess': {
'blockPublicAcls': True|False,
'blockPublicPolicy': True|False,
'ignorePublicAcls': True|False,
'restrictPublicBuckets': True|False
}
},
'bucketLevelPermissions': {
'accessControlList': {
'allowsPublicReadAccess': True|False,
'allowsPublicWriteAccess': True|False
},
'blockPublicAccess': {
'blockPublicAcls': True|False,
'blockPublicPolicy': True|False,
'ignorePublicAcls': True|False,
'restrictPublicBuckets': True|False
},
'bucketPolicy': {
'allowsPublicReadAccess': True|False,
'allowsPublicWriteAccess': True|False
}
}
}
},
'tags': [
{
'key': 'string',
'value': 'string'
},
]
},
's3Object': {
'bucketArn': 'string',
'eTag': 'string',
'extension': 'string',
'key': 'string',
'lastModified': datetime(2015, 1, 1),
'path': 'string',
'publicAccess': True|False,
'serverSideEncryption': {
'encryptionType': 'NONE'|'AES256'|'aws:kms'|'UNKNOWN',
'kmsMasterKeyId': 'string'
},
'size': 123,
'storageClass': 'STANDARD'|'REDUCED_REDUNDANCY'|'STANDARD_IA'|'INTELLIGENT_TIERING'|'DEEP_ARCHIVE'|'ONEZONE_IA'|'GLACIER'|'GLACIER_IR'|'OUTPOSTS',
'tags': [
{
'key': 'string',
'value': 'string'
},
],
'versionId': 'string'
}
},
'sample': True|False,
'schemaVersion': 'string',
'severity': {
'description': 'Low'|'Medium'|'High',
'score': 123
},
'title': 'string',
'type': 'SensitiveData:S3Object/Multiple'|'SensitiveData:S3Object/Financial'|'SensitiveData:S3Object/Personal'|'SensitiveData:S3Object/Credentials'|'SensitiveData:S3Object/CustomIdentifier'|'Policy:IAMUser/S3BucketPublic'|'Policy:IAMUser/S3BucketSharedExternally'|'Policy:IAMUser/S3BucketReplicatedExternally'|'Policy:IAMUser/S3BucketEncryptionDisabled'|'Policy:IAMUser/S3BlockPublicAccessDisabled'|'Policy:IAMUser/S3BucketSharedWithCloudFront',
'updatedAt': datetime(2015, 1, 1)
},
]
}
Response Structure
(dict) --
The request succeeded.
findings (list) --
An array of objects, one for each finding that matches the criteria specified in the request.
(dict) --
Provides the details of a finding.
accountId (string) --
The unique identifier for the Amazon Web Services account that the finding applies to. This is typically the account that owns the affected resource.
archived (boolean) --
Specifies whether the finding is archived (suppressed).
category (string) --
The category of the finding. Possible values are: CLASSIFICATION, for a sensitive data finding; and, POLICY, for a policy finding.
classificationDetails (dict) --
The details of a sensitive data finding. This value is null for a policy finding.
detailedResultsLocation (string) --
The path to the folder or file in Amazon S3 that contains the corresponding sensitive data discovery result for the finding. If a finding applies to a large archive or compressed file, this value is the path to a folder. Otherwise, this value is the path to a file.
jobArn (string) --
The Amazon Resource Name (ARN) of the classification job that produced the finding. This value is null if the origin of the finding (originType) is AUTOMATED_SENSITIVE_DATA_DISCOVERY.
jobId (string) --
The unique identifier for the classification job that produced the finding. This value is null if the origin of the finding (originType) is AUTOMATED_SENSITIVE_DATA_DISCOVERY.
originType (string) --
Specifies how Amazon Macie found the sensitive data that produced the finding. Possible values are: SENSITIVE_DATA_DISCOVERY_JOB, for a classification job; and, AUTOMATED_SENSITIVE_DATA_DISCOVERY, for automated sensitive data discovery.
result (dict) --
The status and other details of the finding.
additionalOccurrences (boolean) --
Specifies whether Amazon Macie detected additional occurrences of sensitive data in the S3 object. A finding includes location data for a maximum of 15 occurrences of sensitive data.
This value can help you determine whether to investigate additional occurrences of sensitive data in an object. You can do this by referring to the corresponding sensitive data discovery result for the finding (ClassificationDetails.detailedResultsLocation).
customDataIdentifiers (dict) --
The custom data identifiers that detected the sensitive data and the number of occurrences of the data that they detected.
detections (list) --
The custom data identifiers that detected the data, and the number of occurrences of the data that each identifier detected.
(dict) --
Provides information about a custom data identifier that produced a sensitive data finding, and the sensitive data that it detected for the finding.
arn (string) --
The unique identifier for the custom data identifier.
count (integer) --
The total number of occurrences of the sensitive data that the custom data identifier detected.
name (string) --
The name of the custom data identifier.
occurrences (dict) --
The location of 1-15 occurrences of the sensitive data that the custom data identifier detected. A finding includes location data for a maximum of 15 occurrences of sensitive data.
cells (list) --
An array of objects, one for each occurrence of sensitive data in a Microsoft Excel workbook, CSV file, or TSV file. This value is null for all other types of files.
Each Cell object specifies a cell or field that contains the sensitive data.
(dict) --
Specifies the location of an occurrence of sensitive data in a Microsoft Excel workbook, CSV file, or TSV file.
cellReference (string) --
The location of the cell, as an absolute cell reference, that contains the sensitive data, for example Sheet2!C5 for cell C5 on Sheet2 in a Microsoft Excel workbook. This value is null for CSV and TSV files.
column (integer) --
The column number of the column that contains the sensitive data. For a Microsoft Excel workbook, this value correlates to the alphabetical character(s) for a column identifier, for example: 1 for column A, 2 for column B, and so on.
columnName (string) --
The name of the column that contains the sensitive data, if available.
row (integer) --
The row number of the row that contains the sensitive data.
lineRanges (list) --
An array of objects, one for each occurrence of sensitive data in an email message or a non-binary text file such as an HTML, TXT, or XML file. Each Range object specifies a line or inclusive range of lines that contains the sensitive data, and the position of the data on the specified line or lines.
This value is often null for file types that are supported by Cell, Page, or Record objects. Exceptions are the location of sensitive data in: unstructured sections of an otherwise structured file, such as a comment in a file; a malformed file that Amazon Macie analyzes as plain text; and, a CSV or TSV file that has any column names that contain sensitive data.
(dict) --
Specifies the location of an occurrence of sensitive data in an email message or a non-binary text file such as an HTML, TXT, or XML file.
end (integer) --
The number of lines from the beginning of the file to the end of the sensitive data.
start (integer) --
The number of lines from the beginning of the file to the beginning of the sensitive data.
startColumn (integer) --
The number of characters, with spaces and starting from 1, from the beginning of the first line that contains the sensitive data (start) to the beginning of the sensitive data.
offsetRanges (list) --
Reserved for future use.
(dict) --
Specifies the location of an occurrence of sensitive data in an email message or a non-binary text file such as an HTML, TXT, or XML file.
end (integer) --
The number of lines from the beginning of the file to the end of the sensitive data.
start (integer) --
The number of lines from the beginning of the file to the beginning of the sensitive data.
startColumn (integer) --
The number of characters, with spaces and starting from 1, from the beginning of the first line that contains the sensitive data (start) to the beginning of the sensitive data.
pages (list) --
An array of objects, one for each occurrence of sensitive data in an Adobe Portable Document Format file. This value is null for all other types of files.
Each Page object specifies a page that contains the sensitive data.
(dict) --
Specifies the location of an occurrence of sensitive data in an Adobe Portable Document Format file.
lineRange (dict) --
Reserved for future use.
end (integer) --
The number of lines from the beginning of the file to the end of the sensitive data.
start (integer) --
The number of lines from the beginning of the file to the beginning of the sensitive data.
startColumn (integer) --
The number of characters, with spaces and starting from 1, from the beginning of the first line that contains the sensitive data (start) to the beginning of the sensitive data.
offsetRange (dict) --
Reserved for future use.
end (integer) --
The number of lines from the beginning of the file to the end of the sensitive data.
start (integer) --
The number of lines from the beginning of the file to the beginning of the sensitive data.
startColumn (integer) --
The number of characters, with spaces and starting from 1, from the beginning of the first line that contains the sensitive data (start) to the beginning of the sensitive data.
pageNumber (integer) --
The page number of the page that contains the sensitive data.
records (list) --
An array of objects, one for each occurrence of sensitive data in an Apache Avro object container, Apache Parquet file, JSON file, or JSON Lines file. This value is null for all other types of files.
For an Avro object container or Parquet file, each Record object specifies a record index and the path to a field in a record that contains the sensitive data. For a JSON or JSON Lines file, each Record object specifies the path to a field or array that contains the sensitive data. For a JSON Lines file, it also specifies the index of the line that contains the data.
(dict) --
Specifies the location of an occurrence of sensitive data in an Apache Avro object container, Apache Parquet file, JSON file, or JSON Lines file.
jsonPath (string) --
The path, as a JSONPath expression, to the sensitive data. For an Avro object container or Parquet file, this is the path to the field in the record (recordIndex) that contains the data. For a JSON or JSON Lines file, this is the path to the field or array that contains the data. If the data is a value in an array, the path also indicates which value contains the data.
If Amazon Macie detects sensitive data in the name of any element in the path, Macie omits this field. If the name of an element exceeds 20 characters, Macie truncates the name by removing characters from the beginning of the name. If the resulting full path exceeds 250 characters, Macie also truncates the path, starting with the first element in the path, until the path contains 250 or fewer characters.
recordIndex (integer) --
For an Avro object container or Parquet file, the record index, starting from 0, for the record that contains the sensitive data. For a JSON Lines file, the line index, starting from 0, for the line that contains the sensitive data. This value is always 0 for JSON files.
totalCount (integer) --
The total number of occurrences of the data that was detected by the custom data identifiers and produced the finding.
mimeType (string) --
The type of content, as a MIME type, that the finding applies to. For example, application/gzip, for a GNU Gzip compressed archive file, or application/pdf, for an Adobe Portable Document Format file.
sensitiveData (list) --
The category, types, and number of occurrences of the sensitive data that produced the finding.
(dict) --
Provides information about the category, types, and occurrences of sensitive data that produced a sensitive data finding.
category (string) --
The category of sensitive data that was detected. For example: CREDENTIALS, for credentials data such as private keys or Amazon Web Services secret access keys; FINANCIAL_INFORMATION, for financial data such as credit card numbers; or, PERSONAL_INFORMATION, for personal health information, such as health insurance identification numbers, or personally identifiable information, such as passport numbers.
detections (list) --
An array of objects, one for each type of sensitive data that was detected. Each object reports the number of occurrences of a specific type of sensitive data that was detected, and the location of up to 15 of those occurrences.
(dict) --
Provides information about a type of sensitive data that was detected by a managed data identifier and produced a sensitive data finding.
count (integer) --
The total number of occurrences of the type of sensitive data that was detected.
occurrences (dict) --
The location of 1-15 occurrences of the sensitive data that was detected. A finding includes location data for a maximum of 15 occurrences of sensitive data.
cells (list) --
An array of objects, one for each occurrence of sensitive data in a Microsoft Excel workbook, CSV file, or TSV file. This value is null for all other types of files.
Each Cell object specifies a cell or field that contains the sensitive data.
(dict) --
Specifies the location of an occurrence of sensitive data in a Microsoft Excel workbook, CSV file, or TSV file.
cellReference (string) --
The location of the cell, as an absolute cell reference, that contains the sensitive data, for example Sheet2!C5 for cell C5 on Sheet2 in a Microsoft Excel workbook. This value is null for CSV and TSV files.
column (integer) --
The column number of the column that contains the sensitive data. For a Microsoft Excel workbook, this value correlates to the alphabetical character(s) for a column identifier, for example: 1 for column A, 2 for column B, and so on.
columnName (string) --
The name of the column that contains the sensitive data, if available.
row (integer) --
The row number of the row that contains the sensitive data.
lineRanges (list) --
An array of objects, one for each occurrence of sensitive data in an email message or a non-binary text file such as an HTML, TXT, or XML file. Each Range object specifies a line or inclusive range of lines that contains the sensitive data, and the position of the data on the specified line or lines.
This value is often null for file types that are supported by Cell, Page, or Record objects. Exceptions are the location of sensitive data in: unstructured sections of an otherwise structured file, such as a comment in a file; a malformed file that Amazon Macie analyzes as plain text; and, a CSV or TSV file that has any column names that contain sensitive data.
(dict) --
Specifies the location of an occurrence of sensitive data in an email message or a non-binary text file such as an HTML, TXT, or XML file.
end (integer) --
The number of lines from the beginning of the file to the end of the sensitive data.
start (integer) --
The number of lines from the beginning of the file to the beginning of the sensitive data.
startColumn (integer) --
The number of characters, with spaces and starting from 1, from the beginning of the first line that contains the sensitive data (start) to the beginning of the sensitive data.
offsetRanges (list) --
Reserved for future use.
(dict) --
Specifies the location of an occurrence of sensitive data in an email message or a non-binary text file such as an HTML, TXT, or XML file.
end (integer) --
The number of lines from the beginning of the file to the end of the sensitive data.
start (integer) --
The number of lines from the beginning of the file to the beginning of the sensitive data.
startColumn (integer) --
The number of characters, with spaces and starting from 1, from the beginning of the first line that contains the sensitive data (start) to the beginning of the sensitive data.
pages (list) --
An array of objects, one for each occurrence of sensitive data in an Adobe Portable Document Format file. This value is null for all other types of files.
Each Page object specifies a page that contains the sensitive data.
(dict) --
Specifies the location of an occurrence of sensitive data in an Adobe Portable Document Format file.
lineRange (dict) --
Reserved for future use.
end (integer) --
The number of lines from the beginning of the file to the end of the sensitive data.
start (integer) --
The number of lines from the beginning of the file to the beginning of the sensitive data.
startColumn (integer) --
The number of characters, with spaces and starting from 1, from the beginning of the first line that contains the sensitive data (start) to the beginning of the sensitive data.
offsetRange (dict) --
Reserved for future use.
end (integer) --
The number of lines from the beginning of the file to the end of the sensitive data.
start (integer) --
The number of lines from the beginning of the file to the beginning of the sensitive data.
startColumn (integer) --
The number of characters, with spaces and starting from 1, from the beginning of the first line that contains the sensitive data (start) to the beginning of the sensitive data.
pageNumber (integer) --
The page number of the page that contains the sensitive data.
records (list) --
An array of objects, one for each occurrence of sensitive data in an Apache Avro object container, Apache Parquet file, JSON file, or JSON Lines file. This value is null for all other types of files.
For an Avro object container or Parquet file, each Record object specifies a record index and the path to a field in a record that contains the sensitive data. For a JSON or JSON Lines file, each Record object specifies the path to a field or array that contains the sensitive data. For a JSON Lines file, it also specifies the index of the line that contains the data.
(dict) --
Specifies the location of an occurrence of sensitive data in an Apache Avro object container, Apache Parquet file, JSON file, or JSON Lines file.
jsonPath (string) --
The path, as a JSONPath expression, to the sensitive data. For an Avro object container or Parquet file, this is the path to the field in the record (recordIndex) that contains the data. For a JSON or JSON Lines file, this is the path to the field or array that contains the data. If the data is a value in an array, the path also indicates which value contains the data.
If Amazon Macie detects sensitive data in the name of any element in the path, Macie omits this field. If the name of an element exceeds 20 characters, Macie truncates the name by removing characters from the beginning of the name. If the resulting full path exceeds 250 characters, Macie also truncates the path, starting with the first element in the path, until the path contains 250 or fewer characters.
recordIndex (integer) --
For an Avro object container or Parquet file, the record index, starting from 0, for the record that contains the sensitive data. For a JSON Lines file, the line index, starting from 0, for the line that contains the sensitive data. This value is always 0 for JSON files.
type (string) --
The type of sensitive data that was detected. For example, AWS_CREDENTIALS, PHONE_NUMBER, or ADDRESS.
totalCount (integer) --
The total number of occurrences of the sensitive data that was detected.
sizeClassified (integer) --
The total size, in bytes, of the data that the finding applies to.
status (dict) --
The status of the finding.
code (string) --
The status of the finding. Possible values are:
reason (string) --
A brief description of the status of the finding. This value is null if the status (code) of the finding is COMPLETE.
Amazon Macie uses this value to notify you of any errors, warnings, or considerations that might impact your analysis of the finding and the affected S3 object. Possible values are:
For information about quotas, supported storage classes, and supported file and storage formats, see Quotas and Supported storage classes and formats in the Amazon Macie User Guide .
count (integer) --
The total number of occurrences of the finding. For sensitive data findings, this value is always 1. All sensitive data findings are considered unique.
createdAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie created the finding.
description (string) --
The description of the finding.
id (string) --
The unique identifier for the finding. This is a random string that Amazon Macie generates and assigns to a finding when it creates the finding.
partition (string) --
The Amazon Web Services partition that Amazon Macie created the finding in.
policyDetails (dict) --
The details of a policy finding. This value is null for a sensitive data finding.
action (dict) --
The action that produced the finding.
actionType (string) --
The type of action that occurred for the affected resource. This value is typically AWS_API_CALL, which indicates that an entity invoked an API operation for the resource.
apiCallDetails (dict) --
The invocation details of the API operation that an entity invoked for the affected resource, if the value for the actionType property is AWS_API_CALL.
api (string) --
The name of the operation that was invoked most recently and produced the finding.
apiServiceName (string) --
The URL of the Amazon Web Service that provides the operation, for example: s3.amazonaws.com.
firstSeen (datetime) --
The first date and time, in UTC and extended ISO 8601 format, when any operation was invoked and produced the finding.
lastSeen (datetime) --
The most recent date and time, in UTC and extended ISO 8601 format, when the specified operation (api) was invoked and produced the finding.
actor (dict) --
The entity that performed the action that produced the finding.
domainDetails (dict) --
The domain name of the device that the entity used to perform the action on the affected resource.
domainName (string) --
The name of the domain.
ipAddressDetails (dict) --
The IP address of the device that the entity used to perform the action on the affected resource. This object also provides information such as the owner and geographic location for the IP address.
ipAddressV4 (string) --
The Internet Protocol version 4 (IPv4) address of the device.
ipCity (dict) --
The city that the IP address originated from.
name (string) --
The name of the city.
ipCountry (dict) --
The country that the IP address originated from.
code (string) --
The two-character code, in ISO 3166-1 alpha-2 format, for the country that the IP address originated from. For example, US for the United States.
name (string) --
The name of the country that the IP address originated from.
ipGeoLocation (dict) --
The geographic coordinates of the location that the IP address originated from.
lat (float) --
The latitude coordinate of the location, rounded to four decimal places.
lon (float) --
The longitude coordinate of the location, rounded to four decimal places.
ipOwner (dict) --
The registered owner of the IP address.
asn (string) --
The autonomous system number (ASN) for the autonomous system that included the IP address.
asnOrg (string) --
The organization identifier that's associated with the autonomous system number (ASN) for the autonomous system that included the IP address.
isp (string) --
The name of the internet service provider (ISP) that owned the IP address.
org (string) --
The name of the organization that owned the IP address.
userIdentity (dict) --
The type and other characteristics of the entity that performed the action on the affected resource.
assumedRole (dict) --
If the action was performed with temporary security credentials that were obtained using the AssumeRole operation of the Security Token Service (STS) API, the identifiers, session context, and other details about the identity.
accessKeyId (string) --
The Amazon Web Services access key ID that identifies the credentials.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the entity that was used to get the credentials.
arn (string) --
The Amazon Resource Name (ARN) of the entity that was used to get the credentials.
principalId (string) --
The unique identifier for the entity that was used to get the credentials.
sessionContext (dict) --
The details of the session that was created for the credentials, including the entity that issued the session.
attributes (dict) --
The date and time when the credentials were issued, and whether the credentials were authenticated with a multi-factor authentication (MFA) device.
creationDate (datetime) --
The date and time, in UTC and ISO 8601 format, when the credentials were issued.
mfaAuthenticated (boolean) --
Specifies whether the credentials were authenticated with a multi-factor authentication (MFA) device.
sessionIssuer (dict) --
The source and type of credentials that were issued to the entity.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the entity that was used to get the credentials.
arn (string) --
The Amazon Resource Name (ARN) of the source account, Identity and Access Management (IAM) user, or role that was used to get the credentials.
principalId (string) --
The unique identifier for the entity that was used to get the credentials.
type (string) --
The source of the temporary security credentials, such as Root, IAMUser, or Role.
userName (string) --
The name or alias of the user or role that issued the session. This value is null if the credentials were obtained from a root account that doesn't have an alias.
awsAccount (dict) --
If the action was performed using the credentials for another Amazon Web Services account, the details of that account.
accountId (string) --
The unique identifier for the Amazon Web Services account.
principalId (string) --
The unique identifier for the entity that performed the action.
awsService (dict) --
If the action was performed by an Amazon Web Services account that belongs to an Amazon Web Service, the name of the service.
invokedBy (string) --
The name of the Amazon Web Service that performed the action.
federatedUser (dict) --
If the action was performed with temporary security credentials that were obtained using the GetFederationToken operation of the Security Token Service (STS) API, the identifiers, session context, and other details about the identity.
accessKeyId (string) --
The Amazon Web Services access key ID that identifies the credentials.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the entity that was used to get the credentials.
arn (string) --
The Amazon Resource Name (ARN) of the entity that was used to get the credentials.
principalId (string) --
The unique identifier for the entity that was used to get the credentials.
sessionContext (dict) --
The details of the session that was created for the credentials, including the entity that issued the session.
attributes (dict) --
The date and time when the credentials were issued, and whether the credentials were authenticated with a multi-factor authentication (MFA) device.
creationDate (datetime) --
The date and time, in UTC and ISO 8601 format, when the credentials were issued.
mfaAuthenticated (boolean) --
Specifies whether the credentials were authenticated with a multi-factor authentication (MFA) device.
sessionIssuer (dict) --
The source and type of credentials that were issued to the entity.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the entity that was used to get the credentials.
arn (string) --
The Amazon Resource Name (ARN) of the source account, Identity and Access Management (IAM) user, or role that was used to get the credentials.
principalId (string) --
The unique identifier for the entity that was used to get the credentials.
type (string) --
The source of the temporary security credentials, such as Root, IAMUser, or Role.
userName (string) --
The name or alias of the user or role that issued the session. This value is null if the credentials were obtained from a root account that doesn't have an alias.
iamUser (dict) --
If the action was performed using the credentials for an Identity and Access Management (IAM) user, the name and other details about the user.
accountId (string) --
The unique identifier for the Amazon Web Services account that's associated with the IAM user who performed the action.
arn (string) --
The Amazon Resource Name (ARN) of the principal that performed the action. The last section of the ARN contains the name of the user who performed the action.
principalId (string) --
The unique identifier for the IAM user who performed the action.
userName (string) --
The user name of the IAM user who performed the action.
root (dict) --
If the action was performed using the credentials for your Amazon Web Services account, the details of your account.
accountId (string) --
The unique identifier for the Amazon Web Services account.
arn (string) --
The Amazon Resource Name (ARN) of the principal that performed the action. The last section of the ARN contains the name of the user or role that performed the action.
principalId (string) --
The unique identifier for the entity that performed the action.
type (string) --
The type of entity that performed the action.
region (string) --
The Amazon Web Services Region that Amazon Macie created the finding in.
resourcesAffected (dict) --
The resources that the finding applies to.
s3Bucket (dict) --
The details of the S3 bucket that the finding applies to.
allowsUnencryptedObjectUploads (string) --
Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are uploaded to the bucket. Possible values are:
Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.
arn (string) --
The Amazon Resource Name (ARN) of the bucket.
createdAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the bucket was created. This value can also indicate when changes such as edits to the bucket's policy were most recently made to the bucket, relative to when the finding was created or last updated.
defaultServerSideEncryption (dict) --
The type of server-side encryption that's used by default to encrypt objects in the bucket.
encryptionType (string) --
The server-side encryption algorithm that's used when storing data in the bucket or object. If default encryption is disabled for the bucket or the object isn't encrypted using server-side encryption, this value is NONE.
kmsMasterKeyId (string) --
The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that's used to encrypt data in the bucket or the object. This value is null if an KMS key isn't used to encrypt the data.
name (string) --
The name of the bucket.
owner (dict) --
The display name and canonical user ID for the Amazon Web Services account that owns the bucket.
displayName (string) --
The display name of the account that owns the bucket.
id (string) --
The canonical user ID for the account that owns the bucket.
publicAccess (dict) --
The permissions settings that determine whether the bucket is publicly accessible.
effectivePermission (string) --
Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket. Possible values are:
permissionConfiguration (dict) --
The account-level and bucket-level permissions settings for the bucket.
accountLevelPermissions (dict) --
The account-level permissions settings that apply to the bucket.
blockPublicAccess (dict) --
The block public access settings for the Amazon Web Services account that owns the bucket.
blockPublicAcls (boolean) --
Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.
blockPublicPolicy (boolean) --
Specifies whether Amazon S3 blocks public bucket policies for the bucket.
ignorePublicAcls (boolean) --
Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.
restrictPublicBuckets (boolean) --
Specifies whether Amazon S3 restricts public bucket policies for the bucket.
bucketLevelPermissions (dict) --
The bucket-level permissions settings for the bucket.
accessControlList (dict) --
The permissions settings of the access control list (ACL) for the bucket. This value is null if an ACL hasn't been defined for the bucket.
allowsPublicReadAccess (boolean) --
Specifies whether the ACL grants the general public with read access permissions for the bucket.
allowsPublicWriteAccess (boolean) --
Specifies whether the ACL grants the general public with write access permissions for the bucket.
blockPublicAccess (dict) --
The block public access settings for the bucket.
blockPublicAcls (boolean) --
Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.
blockPublicPolicy (boolean) --
Specifies whether Amazon S3 blocks public bucket policies for the bucket.
ignorePublicAcls (boolean) --
Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.
restrictPublicBuckets (boolean) --
Specifies whether Amazon S3 restricts public bucket policies for the bucket.
bucketPolicy (dict) --
The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn't been defined for the bucket.
allowsPublicReadAccess (boolean) --
Specifies whether the bucket policy allows the general public to have read access to the bucket.
allowsPublicWriteAccess (boolean) --
Specifies whether the bucket policy allows the general public to have write access to the bucket.
tags (list) --
The tags that are associated with the bucket.
(dict) --
Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.
key (string) --
One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values.
value (string) --
One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string.
s3Object (dict) --
The details of the S3 object that the finding applies to.
bucketArn (string) --
The Amazon Resource Name (ARN) of the bucket that contains the object.
eTag (string) --
The entity tag (ETag) that identifies the affected version of the object. If the object was overwritten or changed after Amazon Macie produced the finding, this value might be different from the current ETag for the object.
extension (string) --
The file name extension of the object. If the object doesn't have a file name extension, this value is "".
key (string) --
The full key (name) that's assigned to the object.
lastModified (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the object was last modified.
path (string) --
The path to the object, including the full key (name).
publicAccess (boolean) --
Specifies whether the object is publicly accessible due to the combination of permissions settings that apply to the object.
serverSideEncryption (dict) --
The type of server-side encryption that's used to encrypt the object.
encryptionType (string) --
The server-side encryption algorithm that's used when storing data in the bucket or object. If default encryption is disabled for the bucket or the object isn't encrypted using server-side encryption, this value is NONE.
kmsMasterKeyId (string) --
The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that's used to encrypt data in the bucket or the object. This value is null if an KMS key isn't used to encrypt the data.
size (integer) --
The total storage size, in bytes, of the object.
storageClass (string) --
The storage class of the object.
tags (list) --
The tags that are associated with the object.
(dict) --
Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.
key (string) --
One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values.
value (string) --
One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string.
versionId (string) --
The identifier for the affected version of the object.
sample (boolean) --
Specifies whether the finding is a sample finding. A sample finding is a finding that uses example data to demonstrate what a finding might contain.
schemaVersion (string) --
The version of the schema that was used to define the data structures in the finding.
severity (dict) --
The severity level and score for the finding.
description (string) --
The qualitative representation of the finding's severity, ranging from Low (least severe) to High (most severe).
score (integer) --
The numerical representation of the finding's severity, ranging from 1 (least severe) to 3 (most severe).
title (string) --
The brief description of the finding.
type (string) --
The type of the finding.
updatedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie last updated the finding. For sensitive data findings, this value is the same as the value for the createdAt property. All sensitive data findings are considered new.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_findings_filter(**kwargs)¶Retrieves the criteria and other settings for a findings filter.
See also: AWS API Documentation
Request Syntax
response = client.get_findings_filter(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{
'action': 'ARCHIVE'|'NOOP',
'arn': 'string',
'description': 'string',
'findingCriteria': {
'criterion': {
'string': {
'eq': [
'string',
],
'eqExactMatch': [
'string',
],
'gt': 123,
'gte': 123,
'lt': 123,
'lte': 123,
'neq': [
'string',
]
}
}
},
'id': 'string',
'name': 'string',
'position': 123,
'tags': {
'string': 'string'
}
}
Response Structure
The request succeeded.
The action that's performed on findings that match the filter criteria (findingCriteria). Possible values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
The Amazon Resource Name (ARN) of the filter.
The custom description of the filter.
The criteria that's used to filter findings.
A condition that specifies the property, operator, and one or more values to use to filter the results.
Specifies the operator to use in a property-based condition that filters the results of a query for findings. For detailed information and examples of each operator, see Fundamentals of filtering findings in the Amazon Macie User Guide .
The value for the property matches (equals) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
The value for the property exclusively matches (equals an exact match for) all the specified values. If you specify multiple values, Amazon Macie uses AND logic to join the values.
You can use this operator with the following properties: customDataIdentifiers.detections.arn, customDataIdentifiers.detections.name, resourcesAffected.s3Bucket.tags.key, resourcesAffected.s3Bucket.tags.value, resourcesAffected.s3Object.tags.key, resourcesAffected.s3Object.tags.value, sensitiveData.category, and sensitiveData.detections.type.
The value for the property is greater than the specified value.
The value for the property is greater than or equal to the specified value.
The value for the property is less than the specified value.
The value for the property is less than or equal to the specified value.
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
The unique identifier for the filter.
The custom name of the filter.
The position of the filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to the findings.
A map of key-value pairs that specifies which tags (keys and values) are associated with the filter.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_findings_publication_configuration()¶Retrieves the configuration settings for publishing findings to Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.get_findings_publication_configuration()
{
'securityHubConfiguration': {
'publishClassificationFindings': True|False,
'publishPolicyFindings': True|False
}
}
Response Structure
The request succeeded.
The configuration settings that determine which findings are published to Security Hub.
Specifies whether to publish sensitive data findings to Security Hub. If you set this value to true, Amazon Macie automatically publishes all sensitive data findings that weren't suppressed by a findings filter. The default value is false.
Specifies whether to publish policy findings to Security Hub. If you set this value to true, Amazon Macie automatically publishes all new and updated policy findings that weren't suppressed by a findings filter. The default value is true.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_invitations_count()¶Retrieves the count of Amazon Macie membership invitations that were received by an account.
See also: AWS API Documentation
Request Syntax
response = client.get_invitations_count()
{
'invitationsCount': 123
}
Response Structure
The request succeeded.
The total number of invitations that were received by the account, not including the currently accepted invitation.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_macie_session()¶Retrieves the status and configuration settings for an Amazon Macie account.
See also: AWS API Documentation
Request Syntax
response = client.get_macie_session()
{
'createdAt': datetime(2015, 1, 1),
'findingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
'serviceRole': 'string',
'status': 'PAUSED'|'ENABLED',
'updatedAt': datetime(2015, 1, 1)
}
Response Structure
The request succeeded.
The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie account was created.
The frequency with which Amazon Macie publishes updates to policy findings for the account. This includes publishing updates to Security Hub and Amazon EventBridge (formerly Amazon CloudWatch Events).
The Amazon Resource Name (ARN) of the service-linked role that allows Amazon Macie to monitor and analyze data in Amazon Web Services resources for the account.
The current status of the Amazon Macie account. Possible values are: PAUSED, the account is enabled but all Macie activities are suspended (paused) for the account; and, ENABLED, the account is enabled and all Macie activities are enabled for the account.
The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the Amazon Macie account.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_master_account()¶(Deprecated) Retrieves information about the Amazon Macie administrator account for an account. This operation has been replaced by the GetAdministratorAccountoperation.
See also: AWS API Documentation
Request Syntax
response = client.get_master_account()
{
'master': {
'accountId': 'string',
'invitationId': 'string',
'invitedAt': datetime(2015, 1, 1),
'relationshipStatus': 'Enabled'|'Paused'|'Invited'|'Created'|'Removed'|'Resigned'|'EmailVerificationInProgress'|'EmailVerificationFailed'|'RegionDisabled'|'AccountSuspended'
}
}
Response Structure
The request succeeded.
(Deprecated) The Amazon Web Services account ID for the administrator account. If the accounts are associated by a Macie membership invitation, this object also provides details about the invitation that was sent to establish the relationship between the accounts.
The Amazon Web Services account ID for the account that sent the invitation.
The unique identifier for the invitation.
The date and time, in UTC and extended ISO 8601 format, when the invitation was sent.
The status of the relationship between the account that sent the invitation and the account that received the invitation.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_member(**kwargs)¶Retrieves information about an account that's associated with an Amazon Macie administrator account.
See also: AWS API Documentation
Request Syntax
response = client.get_member(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{
'accountId': 'string',
'administratorAccountId': 'string',
'arn': 'string',
'email': 'string',
'invitedAt': datetime(2015, 1, 1),
'masterAccountId': 'string',
'relationshipStatus': 'Enabled'|'Paused'|'Invited'|'Created'|'Removed'|'Resigned'|'EmailVerificationInProgress'|'EmailVerificationFailed'|'RegionDisabled'|'AccountSuspended',
'tags': {
'string': 'string'
},
'updatedAt': datetime(2015, 1, 1)
}
Response Structure
The request succeeded.
The Amazon Web Services account ID for the account.
The Amazon Web Services account ID for the administrator account.
The Amazon Resource Name (ARN) of the account.
The email address for the account. This value is null if the account is associated with the administrator account through Organizations.
The date and time, in UTC and extended ISO 8601 format, when an Amazon Macie membership invitation was last sent to the account. This value is null if a Macie membership invitation hasn't been sent to the account.
(Deprecated) The Amazon Web Services account ID for the administrator account. This property has been replaced by the administratorAccountId property and is retained only for backward compatibility.
The current status of the relationship between the account and the administrator account.
A map of key-value pairs that specifies which tags (keys and values) are associated with the account in Amazon Macie.
The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the relationship between the account and the administrator account.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_paginator(operation_name)¶Create a paginator for an operation.
create_foo, and you'd normally invoke the
operation as client.create_foo(**kwargs), if the
create_foo operation can be paginated, you can use the
call client.get_paginator("create_foo").client.can_paginate method to
check if an operation is pageable.get_resource_profile(**kwargs)¶Retrieves (queries) sensitive data discovery statistics and the sensitivity score for an S3 bucket.
See also: AWS API Documentation
Request Syntax
response = client.get_resource_profile(
resourceArn='string'
)
[REQUIRED]
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
{
'profileUpdatedAt': datetime(2015, 1, 1),
'sensitivityScore': 123,
'sensitivityScoreOverridden': True|False,
'statistics': {
'totalBytesClassified': 123,
'totalDetections': 123,
'totalDetectionsSuppressed': 123,
'totalItemsClassified': 123,
'totalItemsSensitive': 123,
'totalItemsSkipped': 123,
'totalItemsSkippedInvalidEncryption': 123,
'totalItemsSkippedInvalidKms': 123,
'totalItemsSkippedPermissionDenied': 123
}
}
Response Structure
The request succeeded.
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently recalculated sensitive data discovery statistics and details for the bucket. If the bucket's sensitivity score is calculated automatically, this includes the score.
The current sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). By default, this score is calculated automatically based on the amount of data that Amazon Macie has analyzed in the bucket and the amount of sensitive data that Macie has found in the bucket.
Specifies whether the bucket's current sensitivity score was set manually. If this value is true, the score was manually changed to 100. If this value is false, the score was calculated automatically by Amazon Macie.
The sensitive data discovery statistics for the bucket. The statistics capture the results of automated sensitive data discovery activities that Amazon Macie has performed for the bucket.
The total amount of data, in bytes, that Amazon Macie has analyzed in the bucket.
The total number of occurrences of sensitive data that Amazon Macie has found in the bucket's objects. This includes occurrences that are currently suppressed by the sensitivity scoring settings for the bucket (totalDetectionsSuppressed).
The total number of occurrences of sensitive data that are currently suppressed by the sensitivity scoring settings for the bucket. These represent occurrences of sensitive data that Amazon Macie found in the bucket's objects, but the occurrences were manually suppressed. By default, suppressed occurrences are excluded from the bucket's sensitivity score.
The total number of objects that Amazon Macie has analyzed in the bucket.
The total number of the bucket's objects that Amazon Macie has found sensitive data in.
The total number of objects that Amazon Macie hasn't analyzed in the bucket due to an error or issue. For example, the object is a malformed file. This value includes objects that Macie hasn't analyzed for reasons reported by other statistics in the ResourceStatistics object.
The total number of objects that Amazon Macie hasn't analyzed in the bucket because the objects are encrypted with a key that Macie isn't allowed to use.
The total number of objects that Amazon Macie hasn't analyzed in the bucket because the objects are encrypted with an KMS key that was disabled or deleted.
The total number of objects that Amazon Macie hasn't analyzed in the bucket because Macie isn't allowed to access the objects.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionget_reveal_configuration()¶Retrieves the status and configuration settings for retrieving occurrences of sensitive data reported by findings.
See also: AWS API Documentation
Request Syntax
response = client.get_reveal_configuration()
{
'configuration': {
'kmsKeyId': 'string',
'status': 'ENABLED'|'DISABLED'
}
}
Response Structure
The request succeeded.
The current configuration settings and the status of the configuration for the account.
The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that's retrieved. The key must be an existing, customer managed, symmetric encryption key that's in the same Amazon Web Services Region as the Amazon Macie account.
If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that's owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key's alias.
The status of the configuration for the Amazon Macie account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account.
Exceptions
Macie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionget_sensitive_data_occurrences(**kwargs)¶Retrieves occurrences of sensitive data reported by a finding.
See also: AWS API Documentation
Request Syntax
response = client.get_sensitive_data_occurrences(
findingId='string'
)
[REQUIRED]
The unique identifier for the finding.
{
'error': 'string',
'sensitiveDataOccurrences': {
'string': [
{
'value': 'string'
},
]
},
'status': 'SUCCESS'|'PROCESSING'|'ERROR'
}
Response Structure
The request succeeded.
If an error occurred when Amazon Macie attempted to retrieve occurrences of sensitive data reported by the finding, a description of the error that occurred. This value is null if the status (status) of the request is PROCESSING or SUCCESS.
A map that specifies 1-100 types of sensitive data reported by the finding and, for each type, 1-10 occurrences of sensitive data.
Specifies 1-10 occurrences of a specific type of sensitive data reported by a finding.
An occurrence of the specified type of sensitive data. Each occurrence can contain 1-128 characters.
The status of the request to retrieve occurrences of sensitive data reported by the finding. Possible values are:
Exceptions
Macie2.Client.exceptions.UnprocessableEntityExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionget_sensitive_data_occurrences_availability(**kwargs)¶Checks whether occurrences of sensitive data can be retrieved for a finding.
See also: AWS API Documentation
Request Syntax
response = client.get_sensitive_data_occurrences_availability(
findingId='string'
)
[REQUIRED]
The unique identifier for the finding.
{
'code': 'AVAILABLE'|'UNAVAILABLE',
'reasons': [
'OBJECT_EXCEEDS_SIZE_QUOTA'|'UNSUPPORTED_OBJECT_TYPE'|'UNSUPPORTED_FINDING_TYPE'|'INVALID_CLASSIFICATION_RESULT'|'OBJECT_UNAVAILABLE',
]
}
Response Structure
The request succeeded.
Specifies whether occurrences of sensitive data can be retrieved for the finding. Possible values are: AVAILABLE, the sensitive data can be retrieved; and, UNAVAILABLE, the sensitive data can't be retrieved. If this value is UNAVAILABLE, the reasons array indicates why the data can't be retrieved.
Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:
This value is null if sensitive data can be retrieved for the finding.
Specifies why occurrences of sensitive data can't be retrieved for a finding. Possible values are:
Exceptions
Macie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionget_sensitivity_inspection_template(**kwargs)¶Retrieves the settings for the sensitivity inspection template for an account.
See also: AWS API Documentation
Request Syntax
response = client.get_sensitivity_inspection_template(
id='string'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
{
'description': 'string',
'excludes': {
'managedDataIdentifierIds': [
'string',
]
},
'includes': {
'allowListIds': [
'string',
],
'customDataIdentifierIds': [
'string',
],
'managedDataIdentifierIds': [
'string',
]
},
'name': 'string',
'sensitivityInspectionTemplateId': 'string'
}
Response Structure
The request succeeded.
The custom description of the template.
The managed data identifiers that are explicitly excluded (not used) when analyzing data.
An array of unique identifiers, one for each managed data identifier to exclude. To retrieve a list of valid values, use the ListManagedDataIdentifiers operation.
The allow lists, custom data identifiers, and managed data identifiers that are included (used) when analyzing data.
An array of unique identifiers, one for each allow list to include.
An array of unique identifiers, one for each custom data identifier to include.
An array of unique identifiers, one for each managed data identifier to include.
Amazon Macie uses these managed data identifiers in addition to managed data identifiers that are subsequently released and recommended for automated sensitive data discovery. To retrieve a list of valid values for the managed data identifiers that are currently available, use the ListManagedDataIdentifiers operation.
The name of the template: automated-sensitive-data-discovery.
The unique identifier for the template.
Exceptions
Macie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionget_usage_statistics(**kwargs)¶Retrieves (queries) quotas and aggregated usage data for one or more accounts.
See also: AWS API Documentation
Request Syntax
response = client.get_usage_statistics(
filterBy=[
{
'comparator': 'GT'|'GTE'|'LT'|'LTE'|'EQ'|'NE'|'CONTAINS',
'key': 'accountId'|'serviceLimit'|'freeTrialStartDate'|'total',
'values': [
'string',
]
},
],
maxResults=123,
nextToken='string',
sortBy={
'key': 'accountId'|'total'|'serviceLimitValue'|'freeTrialStartDate',
'orderBy': 'ASC'|'DESC'
},
timeRange='MONTH_TO_DATE'|'PAST_30_DAYS'
)
An array of objects, one for each condition to use to filter the query results. If you specify more than one condition, Amazon Macie uses an AND operator to join the conditions.
Specifies a condition for filtering the results of a query for quota and usage data for one or more Amazon Macie accounts.
The operator to use in the condition. If the value for the key property is accountId, this value must be CONTAINS. If the value for the key property is any other supported field, this value can be EQ, GT, GTE, LT, LTE, or NE.
The field to use in the condition.
An array that lists values to use in the condition, based on the value for the field specified by the key property. If the value for the key property is accountId, this array can specify multiple values. Otherwise, this array can specify only one value.
Valid values for each supported field are:
The criteria to use to sort the query results.
The field to sort the results by.
The sort order to apply to the results, based on the value for the field specified by the key property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
dict
Response Syntax
{
'nextToken': 'string',
'records': [
{
'accountId': 'string',
'automatedDiscoveryFreeTrialStartDate': datetime(2015, 1, 1),
'freeTrialStartDate': datetime(2015, 1, 1),
'usage': [
{
'currency': 'USD',
'estimatedCost': 'string',
'serviceLimit': {
'isServiceLimited': True|False,
'unit': 'TERABYTES',
'value': 123
},
'type': 'DATA_INVENTORY_EVALUATION'|'SENSITIVE_DATA_DISCOVERY'|'AUTOMATED_SENSITIVE_DATA_DISCOVERY'|'AUTOMATED_OBJECT_MONITORING'
},
]
},
],
'timeRange': 'MONTH_TO_DATE'|'PAST_30_DAYS'
}
Response Structure
(dict) --
The request succeeded.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
records (list) --
An array of objects that contains the results of the query. Each object contains the data for an account that matches the filter criteria specified in the request.
(dict) --
Provides quota and aggregated usage data for an Amazon Macie account.
accountId (string) --
The unique identifier for the Amazon Web Services account that the data applies to.
automatedDiscoveryFreeTrialStartDate (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the free trial of automated sensitive data discovery started for the account. If the account is a member account in an organization, this value is the same as the value for the organization's Amazon Macie administrator account.
freeTrialStartDate (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie free trial started for the account.
usage (list) --
An array of objects that contains usage data and quotas for the account. Each object contains the data for a specific usage metric and the corresponding quota.
(dict) --
Provides data for a specific usage metric and the corresponding quota for an Amazon Macie account.
currency (string) --
The type of currency that the value for the metric (estimatedCost) is reported in.
estimatedCost (string) --
The estimated value for the metric.
serviceLimit (dict) --
The current value for the quota that corresponds to the metric specified by the type field.
isServiceLimited (boolean) --
Specifies whether the account has met the quota that corresponds to the metric specified by the UsageByAccount.type field in the response.
unit (string) --
The unit of measurement for the value specified by the value field.
value (integer) --
The value for the metric specified by the UsageByAccount.type field in the response.
type (string) --
The name of the metric. Possible values are: AUTOMATED_OBJECT_MONITORING, to monitor S3 objects for automated sensitive data discovery; AUTOMATED_SENSITIVE_DATA_DISCOVERY, to analyze S3 objects for automated sensitive data discovery; DATA_INVENTORY_EVALUATION, to monitor S3 buckets; and, SENSITIVE_DATA_DISCOVERY, to run classification jobs.
timeRange (string) --
The inclusive time period that the usage data applies to. Possible values are: MONTH_TO_DATE, for the current calendar month to date; and, PAST_30_DAYS, for the preceding 30 days.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_usage_totals(**kwargs)¶Retrieves (queries) aggregated usage data for an account.
See also: AWS API Documentation
Request Syntax
response = client.get_usage_totals(
timeRange='string'
)
{
'timeRange': 'MONTH_TO_DATE'|'PAST_30_DAYS',
'usageTotals': [
{
'currency': 'USD',
'estimatedCost': 'string',
'type': 'DATA_INVENTORY_EVALUATION'|'SENSITIVE_DATA_DISCOVERY'|'AUTOMATED_SENSITIVE_DATA_DISCOVERY'|'AUTOMATED_OBJECT_MONITORING'
},
]
}
Response Structure
The request succeeded.
The inclusive time period that the usage data applies to. Possible values are: MONTH_TO_DATE, for the current calendar month to date; and, PAST_30_DAYS, for the preceding 30 days.
An array of objects that contains the results of the query. Each object contains the data for a specific usage metric.
Provides aggregated data for an Amazon Macie usage metric. The value for the metric reports estimated usage data for an account for the preceding 30 days or the current calendar month to date, depending on the time period (timeRange) specified in the request.
The type of currency that the value for the metric (estimatedCost) is reported in.
The estimated value for the metric.
The name of the metric. Possible values are: AUTOMATED_OBJECT_MONITORING, to monitor S3 objects for automated sensitive data discovery; AUTOMATED_SENSITIVE_DATA_DISCOVERY, to analyze S3 objects for automated sensitive data discovery; DATA_INVENTORY_EVALUATION, to monitor S3 buckets; and, SENSITIVE_DATA_DISCOVERY, to run classification jobs.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionget_waiter(waiter_name)¶Returns an object that can wait for some condition.
list_allow_lists(**kwargs)¶Retrieves a subset of information about all the allow lists for an account.
See also: AWS API Documentation
Request Syntax
response = client.list_allow_lists(
maxResults=123,
nextToken='string'
)
dict
Response Syntax
{
'allowLists': [
{
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'description': 'string',
'id': 'string',
'name': 'string',
'updatedAt': datetime(2015, 1, 1)
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
allowLists (list) --
An array of objects, one for each allow list.
(dict) --
Provides a subset of information about an allow list.
arn (string) --
The Amazon Resource Name (ARN) of the allow list.
createdAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the allow list was created in Amazon Macie.
description (string) --
The custom description of the allow list.
id (string) --
The unique identifier for the allow list.
name (string) --
The custom name of the allow list.
updatedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the allow list's settings were most recently changed in Amazon Macie.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionlist_classification_jobs(**kwargs)¶Retrieves a subset of information about one or more classification jobs.
See also: AWS API Documentation
Request Syntax
response = client.list_classification_jobs(
filterCriteria={
'excludes': [
{
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'jobType'|'jobStatus'|'createdAt'|'name',
'values': [
'string',
]
},
],
'includes': [
{
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'jobType'|'jobStatus'|'createdAt'|'name',
'values': [
'string',
]
},
]
},
maxResults=123,
nextToken='string',
sortCriteria={
'attributeName': 'createdAt'|'jobStatus'|'name'|'jobType',
'orderBy': 'ASC'|'DESC'
}
)
The criteria to use to filter the results.
An array of objects, one for each condition that determines which jobs to exclude from the results.
Specifies a condition that filters the results of a request for information about classification jobs. Each condition consists of a property, an operator, and one or more values.
The operator to use to filter the results.
The property to use to filter the results.
An array that lists one or more values to use to filter the results.
An array of objects, one for each condition that determines which jobs to include in the results.
Specifies a condition that filters the results of a request for information about classification jobs. Each condition consists of a property, an operator, and one or more values.
The operator to use to filter the results.
The property to use to filter the results.
An array that lists one or more values to use to filter the results.
The criteria to use to sort the results.
The property to sort the results by.
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
dict
Response Syntax
{
'items': [
{
'bucketCriteria': {
'excludes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
},
'includes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
}
},
'bucketDefinitions': [
{
'accountId': 'string',
'buckets': [
'string',
]
},
],
'createdAt': datetime(2015, 1, 1),
'jobId': 'string',
'jobStatus': 'RUNNING'|'PAUSED'|'CANCELLED'|'COMPLETE'|'IDLE'|'USER_PAUSED',
'jobType': 'ONE_TIME'|'SCHEDULED',
'lastRunErrorStatus': {
'code': 'NONE'|'ERROR'
},
'name': 'string',
'userPausedDetails': {
'jobExpiresAt': datetime(2015, 1, 1),
'jobImminentExpirationHealthEventArn': 'string',
'jobPausedAt': datetime(2015, 1, 1)
}
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
items (list) --
An array of objects, one for each job that matches the filter criteria specified in the request.
(dict) --
Provides information about a classification job, including the current status of the job.
bucketCriteria (dict) --
The property- and tag-based conditions that determine which S3 buckets are included or excluded from the job's analysis. Each time the job runs, the job uses these criteria to determine which buckets to analyze. A job's definition can contain a bucketCriteria object or a bucketDefinitions array, not both.
excludes (dict) --
The property- and tag-based conditions that determine which buckets to exclude from the job.
and (list) --
An array of conditions, one for each condition that determines which buckets to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
(dict) --
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 buckets from a classification job.
simpleCriterion (dict) --
A property-based condition that defines a property, operator, and one or more values for including or excluding buckets from the job.
comparator (string) --
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
key (string) --
The property to use in the condition.
values (list) --
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in these values.
tagCriterion (dict) --
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding buckets from the job.
comparator (string) --
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
tagValues (list) --
The tag keys, tag values, or tag key and value pairs to use in the condition.
(dict) --
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
key (string) --
The value for the tag key to use in the condition.
value (string) --
The tag value to use in the condition.
includes (dict) --
The property- and tag-based conditions that determine which buckets to include in the job.
and (list) --
An array of conditions, one for each condition that determines which buckets to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
(dict) --
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 buckets from a classification job.
simpleCriterion (dict) --
A property-based condition that defines a property, operator, and one or more values for including or excluding buckets from the job.
comparator (string) --
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
key (string) --
The property to use in the condition.
values (list) --
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in these values.
tagCriterion (dict) --
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding buckets from the job.
comparator (string) --
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
tagValues (list) --
The tag keys, tag values, or tag key and value pairs to use in the condition.
(dict) --
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
key (string) --
The value for the tag key to use in the condition.
value (string) --
The tag value to use in the condition.
bucketDefinitions (list) --
An array of objects, one for each Amazon Web Services account that owns specific S3 buckets for the job to analyze. Each object specifies the account ID for an account and one or more buckets to analyze for that account. A job's definition can contain a bucketDefinitions array or a bucketCriteria object, not both.
(dict) --
Specifies an Amazon Web Services account that owns S3 buckets for a classification job to analyze, and one or more specific buckets to analyze for that account.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the buckets.
buckets (list) --
An array that lists the names of the buckets.
createdAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the job was created.
jobId (string) --
The unique identifier for the job.
jobStatus (string) --
The current status of the job. Possible values are:
jobType (string) --
The schedule for running the job. Possible values are:
lastRunErrorStatus (dict) --
Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run.
code (string) --
Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run. Possible values are:
name (string) --
The custom name of the job.
userPausedDetails (dict) --
If the current status of the job is USER_PAUSED, specifies when the job was paused and when the job or job run will expire and be cancelled if it isn't resumed. This value is present only if the value for jobStatus is USER_PAUSED.
jobExpiresAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the job or job run will expire and be cancelled if you don't resume it first.
jobImminentExpirationHealthEventArn (string) --
The Amazon Resource Name (ARN) of the Health event that Amazon Macie sent to notify you of the job or job run's pending expiration and cancellation. This value is null if a job has been paused for less than 23 days.
jobPausedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when you paused the job.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionlist_classification_scopes(**kwargs)¶Retrieves a subset of information about the classification scope for an account.
See also: AWS API Documentation
Request Syntax
response = client.list_classification_scopes(
name='string',
nextToken='string'
)
dict
Response Syntax
{
'classificationScopes': [
{
'id': 'string',
'name': 'string'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
classificationScopes (list) --
An array that specifies the unique identifier and name of the classification scope for the account.
(dict) --
Provides information about the classification scope for an Amazon Macie account. Macie uses the scope's settings when it performs automated sensitive data discovery for the account.
id (string) --
The unique identifier for the classification scope.
name (string) --
The name of the classification scope: automated-sensitive-data-discovery.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionlist_custom_data_identifiers(**kwargs)¶Retrieves a subset of information about all the custom data identifiers for an account.
See also: AWS API Documentation
Request Syntax
response = client.list_custom_data_identifiers(
maxResults=123,
nextToken='string'
)
dict
Response Syntax
{
'items': [
{
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'description': 'string',
'id': 'string',
'name': 'string'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
items (list) --
An array of objects, one for each custom data identifier.
(dict) --
Provides information about a custom data identifier.
arn (string) --
The Amazon Resource Name (ARN) of the custom data identifier.
createdAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the custom data identifier was created.
description (string) --
The custom description of the custom data identifier.
id (string) --
The unique identifier for the custom data identifier.
name (string) --
The custom name of the custom data identifier.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionlist_findings(**kwargs)¶Retrieves a subset of information about one or more findings.
See also: AWS API Documentation
Request Syntax
response = client.list_findings(
findingCriteria={
'criterion': {
'string': {
'eq': [
'string',
],
'eqExactMatch': [
'string',
],
'gt': 123,
'gte': 123,
'lt': 123,
'lte': 123,
'neq': [
'string',
]
}
}
},
maxResults=123,
nextToken='string',
sortCriteria={
'attributeName': 'string',
'orderBy': 'ASC'|'DESC'
}
)
The criteria to use to filter the results.
A condition that specifies the property, operator, and one or more values to use to filter the results.
Specifies the operator to use in a property-based condition that filters the results of a query for findings. For detailed information and examples of each operator, see Fundamentals of filtering findings in the Amazon Macie User Guide .
The value for the property matches (equals) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
The value for the property exclusively matches (equals an exact match for) all the specified values. If you specify multiple values, Amazon Macie uses AND logic to join the values.
You can use this operator with the following properties: customDataIdentifiers.detections.arn, customDataIdentifiers.detections.name, resourcesAffected.s3Bucket.tags.key, resourcesAffected.s3Bucket.tags.value, resourcesAffected.s3Object.tags.key, resourcesAffected.s3Object.tags.value, sensitiveData.category, and sensitiveData.detections.type.
The value for the property is greater than the specified value.
The value for the property is greater than or equal to the specified value.
The value for the property is less than the specified value.
The value for the property is less than or equal to the specified value.
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
The criteria to use to sort the results.
The name of the property to sort the results by. This value can be the name of any property that Amazon Macie defines for a finding.
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
dict
Response Syntax
{
'findingIds': [
'string',
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
findingIds (list) --
An array of strings, where each string is the unique identifier for a finding that matches the filter criteria specified in the request.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionlist_findings_filters(**kwargs)¶Retrieves a subset of information about all the findings filters for an account.
See also: AWS API Documentation
Request Syntax
response = client.list_findings_filters(
maxResults=123,
nextToken='string'
)
dict
Response Syntax
{
'findingsFilterListItems': [
{
'action': 'ARCHIVE'|'NOOP',
'arn': 'string',
'id': 'string',
'name': 'string',
'tags': {
'string': 'string'
}
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
findingsFilterListItems (list) --
An array of objects, one for each filter that's associated with the account.
(dict) --
Provides information about a findings filter.
action (string) --
The action that's performed on findings that match the filter criteria. Possible values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
arn (string) --
The Amazon Resource Name (ARN) of the filter.
id (string) --
The unique identifier for the filter.
name (string) --
The custom name of the filter.
tags (dict) --
A map of key-value pairs that specifies which tags (keys and values) are associated with the filter.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionlist_invitations(**kwargs)¶Retrieves information about the Amazon Macie membership invitations that were received by an account.
See also: AWS API Documentation
Request Syntax
response = client.list_invitations(
maxResults=123,
nextToken='string'
)
dict
Response Syntax
{
'invitations': [
{
'accountId': 'string',
'invitationId': 'string',
'invitedAt': datetime(2015, 1, 1),
'relationshipStatus': 'Enabled'|'Paused'|'Invited'|'Created'|'Removed'|'Resigned'|'EmailVerificationInProgress'|'EmailVerificationFailed'|'RegionDisabled'|'AccountSuspended'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
invitations (list) --
An array of objects, one for each invitation that was received by the account.
(dict) --
Provides information about an Amazon Macie membership invitation.
accountId (string) --
The Amazon Web Services account ID for the account that sent the invitation.
invitationId (string) --
The unique identifier for the invitation.
invitedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the invitation was sent.
relationshipStatus (string) --
The status of the relationship between the account that sent the invitation and the account that received the invitation.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionlist_managed_data_identifiers(**kwargs)¶Retrieves information about all the managed data identifiers that Amazon Macie currently provides.
See also: AWS API Documentation
Request Syntax
response = client.list_managed_data_identifiers(
nextToken='string'
)
{
'items': [
{
'category': 'FINANCIAL_INFORMATION'|'PERSONAL_INFORMATION'|'CREDENTIALS'|'CUSTOM_IDENTIFIER',
'id': 'string'
},
],
'nextToken': 'string'
}
Response Structure
The request succeeded.
An array of objects, one for each managed data identifier.
Provides information about a managed data identifier. For additional information, see Using managed data identifiers in the Amazon Macie User Guide .
The category of sensitive data that the managed data identifier detects: CREDENTIALS, for credentials data such as private keys or Amazon Web Services secret access keys; FINANCIAL_INFORMATION, for financial data such as credit card numbers; or, PERSONAL_INFORMATION, for personal health information, such as health insurance identification numbers, or personally identifiable information, such as passport numbers.
The unique identifier for the managed data identifier. This is a string that describes the type of sensitive data that the managed data identifier detects. For example: OPENSSH_PRIVATE_KEY for OpenSSH private keys, CREDIT_CARD_NUMBER for credit card numbers, or USA_PASSPORT_NUMBER for US passport numbers.
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
list_members(**kwargs)¶Retrieves information about the accounts that are associated with an Amazon Macie administrator account.
See also: AWS API Documentation
Request Syntax
response = client.list_members(
maxResults=123,
nextToken='string',
onlyAssociated='string'
)
dict
Response Syntax
{
'members': [
{
'accountId': 'string',
'administratorAccountId': 'string',
'arn': 'string',
'email': 'string',
'invitedAt': datetime(2015, 1, 1),
'masterAccountId': 'string',
'relationshipStatus': 'Enabled'|'Paused'|'Invited'|'Created'|'Removed'|'Resigned'|'EmailVerificationInProgress'|'EmailVerificationFailed'|'RegionDisabled'|'AccountSuspended',
'tags': {
'string': 'string'
},
'updatedAt': datetime(2015, 1, 1)
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
members (list) --
An array of objects, one for each account that's associated with the administrator account and matches the criteria specified in the request.
(dict) --
Provides information about an account that's associated with an Amazon Macie administrator account.
accountId (string) --
The Amazon Web Services account ID for the account.
administratorAccountId (string) --
The Amazon Web Services account ID for the administrator account.
arn (string) --
The Amazon Resource Name (ARN) of the account.
email (string) --
The email address for the account. This value is null if the account is associated with the administrator account through Organizations.
invitedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when an Amazon Macie membership invitation was last sent to the account. This value is null if a Macie membership invitation hasn't been sent to the account.
masterAccountId (string) --
(Deprecated) The Amazon Web Services account ID for the administrator account. This property has been replaced by the administratorAccountId property and is retained only for backward compatibility.
relationshipStatus (string) --
The current status of the relationship between the account and the administrator account.
tags (dict) --
A map of key-value pairs that specifies which tags (keys and values) are associated with the account in Amazon Macie.
updatedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the relationship between the account and the administrator account.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionlist_organization_admin_accounts(**kwargs)¶Retrieves information about the delegated Amazon Macie administrator account for an organization in Organizations.
See also: AWS API Documentation
Request Syntax
response = client.list_organization_admin_accounts(
maxResults=123,
nextToken='string'
)
dict
Response Syntax
{
'adminAccounts': [
{
'accountId': 'string',
'status': 'ENABLED'|'DISABLING_IN_PROGRESS'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
adminAccounts (list) --
An array of objects, one for each delegated Amazon Macie administrator account for the organization. Only one of these accounts can have a status of ENABLED.
(dict) --
Provides information about the delegated Amazon Macie administrator account for an organization in Organizations.
accountId (string) --
The Amazon Web Services account ID for the account.
status (string) --
The current status of the account as the delegated Amazon Macie administrator account for the organization.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionlist_resource_profile_artifacts(**kwargs)¶Retrieves information about objects that were selected from an S3 bucket for automated sensitive data discovery.
See also: AWS API Documentation
Request Syntax
response = client.list_resource_profile_artifacts(
nextToken='string',
resourceArn='string'
)
[REQUIRED]
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
dict
Response Syntax
{
'artifacts': [
{
'arn': 'string',
'classificationResultStatus': 'string',
'sensitive': True|False
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
artifacts (list) --
An array of objects, one for each of 1-100 S3 objects that Amazon Macie selected for analysis.
If Macie has analyzed more than 100 objects in the bucket, Macie populates the array based on the value for the ResourceProfileArtifact.sensitive field for an object: true (sensitive), followed by false (not sensitive). Macie then populates any remaining items in the array with information about objects where the value for the ResourceProfileArtifact.classificationResultStatus field is SKIPPED.
(dict) --
Provides information about an S3 object that Amazon Macie selected for analysis while performing automated sensitive data discovery for an S3 bucket, and the status and results of the analysis. This information is available only if automated sensitive data discovery is currently enabled for your account.
arn (string) --
The Amazon Resource Name (ARN) of the object.
classificationResultStatus (string) --
The status of the analysis. Possible values are:
sensitive (boolean) --
Specifies whether Amazon Macie found sensitive data in the object.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionlist_resource_profile_detections(**kwargs)¶Retrieves information about the types and amount of sensitive data that Amazon Macie found in an S3 bucket.
See also: AWS API Documentation
Request Syntax
response = client.list_resource_profile_detections(
maxResults=123,
nextToken='string',
resourceArn='string'
)
[REQUIRED]
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
dict
Response Syntax
{
'detections': [
{
'arn': 'string',
'count': 123,
'id': 'string',
'name': 'string',
'suppressed': True|False,
'type': 'CUSTOM'|'MANAGED'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
detections (list) --
An array of objects, one for each type of sensitive data that Amazon Macie found in the bucket. Each object reports the number of occurrences of the specified type and provides information about the custom data identifier or managed data identifier that detected the data.
(dict) --
Provides information about a type of sensitive data that Amazon Macie found in an S3 bucket while performing automated sensitive data discovery for the bucket. The information also specifies the custom data identifier or managed data identifier that detected the data. This information is available only if automated sensitive data discovery is currently enabled for your account.
arn (string) --
If the sensitive data was detected by a custom data identifier, the Amazon Resource Name (ARN) of the custom data identifier that detected the data. Otherwise, this value is null.
count (integer) --
The total number of occurrences of the sensitive data.
id (string) --
The unique identifier for the custom data identifier or managed data identifier that detected the sensitive data. For additional details about a specified managed data identifier, see Using managed data identifiers in the Amazon Macie User Guide .
name (string) --
The name of the custom data identifier or managed data identifier that detected the sensitive data. For a managed data identifier, this value is the same as the unique identifier (id).
suppressed (boolean) --
Specifies whether occurrences of this type of sensitive data are excluded (true) or included (false) in the bucket's sensitivity score.
type (string) --
The type of data identifier that detected the sensitive data. Possible values are: CUSTOM, for a custom data identifier; and, MANAGED, for a managed data identifier.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionlist_sensitivity_inspection_templates(**kwargs)¶Retrieves a subset of information about the sensitivity inspection template for an account.
See also: AWS API Documentation
Request Syntax
response = client.list_sensitivity_inspection_templates(
maxResults=123,
nextToken='string'
)
dict
Response Syntax
{
'nextToken': 'string',
'sensitivityInspectionTemplates': [
{
'id': 'string',
'name': 'string'
},
]
}
Response Structure
(dict) --
The request succeeded.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
sensitivityInspectionTemplates (list) --
An array that specifies the unique identifier and name of the sensitivity inspection template for the account.
(dict) --
Provides information about the sensitivity inspection template for an Amazon Macie account. Macie uses the template's settings when it performs automated sensitive data discovery for the account.
id (string) --
The unique identifier for the sensitivity inspection template for the account.
name (string) --
The name of the sensitivity inspection template for the account: automated-sensitive-data-discovery.
Exceptions
Macie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionRetrieves the tags (keys and values) that are associated with an Amazon Macie resource.
See also: AWS API Documentation
Request Syntax
response = client.list_tags_for_resource(
resourceArn='string'
)
[REQUIRED]
The Amazon Resource Name (ARN) of the resource.
{
'tags': {
'string': 'string'
}
}
Response Structure
The request succeeded.
A map of key-value pairs that specifies which tags (keys and values) are associated with the resource.
put_classification_export_configuration(**kwargs)¶Creates or updates the configuration settings for storing data classification results.
See also: AWS API Documentation
Request Syntax
response = client.put_classification_export_configuration(
configuration={
's3Destination': {
'bucketName': 'string',
'keyPrefix': 'string',
'kmsKeyArn': 'string'
}
}
)
[REQUIRED]
The location to store data classification results in, and the encryption settings to use when storing results in that location.
The S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket.
The name of the bucket.
The path prefix to use in the path to the location in the bucket. This prefix specifies where to store classification results in the bucket.
The Amazon Resource Name (ARN) of the customer managed KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption KMS key that's in the same Amazon Web Services Region as the bucket.
{
'configuration': {
's3Destination': {
'bucketName': 'string',
'keyPrefix': 'string',
'kmsKeyArn': 'string'
}
}
}
Response Structure
The request succeeded.
The location where the data classification results are stored, and the encryption settings that are used when storing results in that location.
The S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket.
The name of the bucket.
The path prefix to use in the path to the location in the bucket. This prefix specifies where to store classification results in the bucket.
The Amazon Resource Name (ARN) of the customer managed KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption KMS key that's in the same Amazon Web Services Region as the bucket.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionput_findings_publication_configuration(**kwargs)¶Updates the configuration settings for publishing findings to Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.put_findings_publication_configuration(
clientToken='string',
securityHubConfiguration={
'publishClassificationFindings': True|False,
'publishPolicyFindings': True|False
}
)
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
The configuration settings that determine which findings to publish to Security Hub.
Specifies whether to publish sensitive data findings to Security Hub. If you set this value to true, Amazon Macie automatically publishes all sensitive data findings that weren't suppressed by a findings filter. The default value is false.
Specifies whether to publish policy findings to Security Hub. If you set this value to true, Amazon Macie automatically publishes all new and updated policy findings that weren't suppressed by a findings filter. The default value is true.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionsearch_resources(**kwargs)¶Retrieves (queries) statistical data and other information about Amazon Web Services resources that Amazon Macie monitors and analyzes.
See also: AWS API Documentation
Request Syntax
response = client.search_resources(
bucketCriteria={
'excludes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'NE',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'NE',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
},
'includes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'NE',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'NE',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
}
},
maxResults=123,
nextToken='string',
sortCriteria={
'attributeName': 'ACCOUNT_ID'|'RESOURCE_NAME'|'S3_CLASSIFIABLE_OBJECT_COUNT'|'S3_CLASSIFIABLE_SIZE_IN_BYTES',
'orderBy': 'ASC'|'DESC'
}
)
The filter conditions that determine which S3 buckets to include or exclude from the query results.
The property- and tag-based conditions that determine which buckets to exclude from the results.
An array of objects, one for each property- or tag-based condition that includes or excludes resources from the query results. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based filter condition for including or excluding Amazon Web Services resources from the query results.
A property-based condition that defines a property, operator, and one or more values for including or excluding resources from the results.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The property to use in the condition.
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in values.
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding resources from the results.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The tag keys, tag values, or tag key and value pairs to use in the condition.
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based filter condition for a query. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based filter conditions.
The value for the tag key to use in the condition.
The tag value to use in the condition.
The property- and tag-based conditions that determine which buckets to include in the results.
An array of objects, one for each property- or tag-based condition that includes or excludes resources from the query results. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based filter condition for including or excluding Amazon Web Services resources from the query results.
A property-based condition that defines a property, operator, and one or more values for including or excluding resources from the results.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The property to use in the condition.
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in values.
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding resources from the results.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The tag keys, tag values, or tag key and value pairs to use in the condition.
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based filter condition for a query. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based filter conditions.
The value for the tag key to use in the condition.
The tag value to use in the condition.
The criteria to use to sort the results.
The property to sort the results by.
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
dict
Response Syntax
{
'matchingResources': [
{
'matchingBucket': {
'accountId': 'string',
'bucketName': 'string',
'classifiableObjectCount': 123,
'classifiableSizeInBytes': 123,
'errorCode': 'ACCESS_DENIED',
'errorMessage': 'string',
'jobDetails': {
'isDefinedInJob': 'TRUE'|'FALSE'|'UNKNOWN',
'isMonitoredByJob': 'TRUE'|'FALSE'|'UNKNOWN',
'lastJobId': 'string',
'lastJobRunTime': datetime(2015, 1, 1)
},
'lastAutomatedDiscoveryTime': datetime(2015, 1, 1),
'objectCount': 123,
'objectCountByEncryptionType': {
'customerManaged': 123,
'kmsManaged': 123,
's3Managed': 123,
'unencrypted': 123,
'unknown': 123
},
'sensitivityScore': 123,
'sizeInBytes': 123,
'sizeInBytesCompressed': 123,
'unclassifiableObjectCount': {
'fileType': 123,
'storageClass': 123,
'total': 123
},
'unclassifiableObjectSizeInBytes': {
'fileType': 123,
'storageClass': 123,
'total': 123
}
}
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
matchingResources (list) --
An array of objects, one for each resource that matches the filter criteria specified in the request.
(dict) --
Provides statistical data and other information about an Amazon Web Services resource that Amazon Macie monitors and analyzes for your account.
matchingBucket (dict) --
The details of an S3 bucket that Amazon Macie monitors and analyzes.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the bucket.
bucketName (string) --
The name of the bucket.
classifiableObjectCount (integer) --
The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
classifiableSizeInBytes (integer) --
The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
errorCode (string) --
The error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. If this value is ACCESS_DENIED, Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.
errorMessage (string) --
A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.
jobDetails (dict) --
Specifies whether any one-time or recurring classification jobs are configured to analyze objects in the bucket, and, if so, the details of the job that ran most recently.
isDefinedInJob (string) --
Specifies whether any one-time or recurring jobs are configured to analyze data in the bucket. Possible values are:
isMonitoredByJob (string) --
Specifies whether any recurring jobs are configured to analyze data in the bucket. Possible values are:
lastJobId (string) --
The unique identifier for the job that ran most recently and is configured to analyze data in the bucket, either the latest run of a recurring job or the only run of a one-time job.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastJobRunTime (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastAutomatedDiscoveryTime (datetime) --
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed data in the bucket while performing automated sensitive data discovery for your account. This value is null if automated sensitive data discovery is currently disabled for your account.
objectCount (integer) --
The total number of objects in the bucket.
objectCountByEncryptionType (dict) --
The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.
customerManaged (integer) --
The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).
kmsManaged (integer) --
The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).
s3Managed (integer) --
The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).
unencrypted (integer) --
The total number of objects that aren't encrypted or use client-side encryption.
unknown (integer) --
The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.
sensitivityScore (integer) --
The current sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). This value is null if automated sensitive data discovery is currently disabled for your account.
sizeInBytes (integer) --
The total storage size, in bytes, of the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.
sizeInBytesCompressed (integer) --
The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
unclassifiableObjectCount (dict) --
The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
fileType (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
storageClass (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
total (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
unclassifiableObjectSizeInBytes (dict) --
The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
fileType (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
storageClass (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
total (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
nextToken (string) --
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptiontag_resource(**kwargs)¶Adds or updates one or more tags (keys and values) that are associated with an Amazon Macie resource.
See also: AWS API Documentation
Request Syntax
response = client.tag_resource(
resourceArn='string',
tags={
'string': 'string'
}
)
[REQUIRED]
The Amazon Resource Name (ARN) of the resource.
[REQUIRED]
A map of key-value pairs that specifies the tags to associate with the resource.
A resource can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded and there isn't any content to include in the body of the response (No Content).
test_custom_data_identifier(**kwargs)¶Tests a custom data identifier.
See also: AWS API Documentation
Request Syntax
response = client.test_custom_data_identifier(
ignoreWords=[
'string',
],
keywords=[
'string',
],
maximumMatchDistance=123,
regex='string',
sampleText='string'
)
An array that lists specific character sequences (ignore words ) to exclude from the results. If the text matched by the regular expression contains any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4-90 UTF-8 characters. Ignore words are case sensitive.
An array that lists specific character sequences (keywords ), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.
[REQUIRED]
The regular expression (regex ) that defines the pattern to match. The expression can contain as many as 512 characters.
[REQUIRED]
The sample text to inspect by using the custom data identifier. The text can contain as many as 1,000 characters.
dict
Response Syntax
{
'matchCount': 123
}
Response Structure
(dict) --
The request succeeded.
matchCount (integer) --
The number of occurrences of sample text that matched the criteria specified by the custom data identifier.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionuntag_resource(**kwargs)¶Removes one or more tags (keys and values) from an Amazon Macie resource.
See also: AWS API Documentation
Request Syntax
response = client.untag_resource(
resourceArn='string',
tagKeys=[
'string',
]
)
[REQUIRED]
The Amazon Resource Name (ARN) of the resource.
[REQUIRED]
One or more tags (keys) to remove from the resource. In an HTTP request to remove multiple tags, append the tagKeys parameter and argument for each tag to remove, separated by an ampersand (&).
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded and there isn't any content to include in the body of the response (No Content).
update_allow_list(**kwargs)¶Updates the settings for an allow list.
See also: AWS API Documentation
Request Syntax
response = client.update_allow_list(
criteria={
'regex': 'string',
's3WordsList': {
'bucketName': 'string',
'objectKey': 'string'
}
},
description='string',
id='string',
name='string'
)
[REQUIRED]
The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an S3 object that lists specific text to ignore (s3WordsList), or a regular expression that defines a text pattern to ignore (regex).
You can change a list's underlying criteria, such as the name of the S3 object or the regular expression to use. However, you can't change the type from s3WordsList to regex or the other way around.
The regular expression (regex ) that defines the text pattern to ignore. The expression can contain as many as 512 characters.
The location and name of the S3 object that lists specific text to ignore.
The full name of the S3 bucket that contains the object.
The full name (key) of the object.
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
[REQUIRED]
A custom name for the allow list. The name can contain as many as 128 characters.
dict
Response Syntax
{
'arn': 'string',
'id': 'string'
}
Response Structure
(dict) --
The request succeeded. The settings for the allow list were updated.
arn (string) --
The Amazon Resource Name (ARN) of the allow list.
id (string) --
The unique identifier for the allow list.
Exceptions
Macie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionupdate_automated_discovery_configuration(**kwargs)¶Enables or disables automated sensitive data discovery for an account.
See also: AWS API Documentation
Request Syntax
response = client.update_automated_discovery_configuration(
status='ENABLED'|'DISABLED'
)
[REQUIRED]
The new status of automated sensitive data discovery for the account. Valid values are: ENABLED, start or resume automated sensitive data discovery activities for the account; and, DISABLED, stop performing automated sensitive data discovery activities for the account.
When you enable automated sensitive data discovery for the first time, Amazon Macie uses default configuration settings to determine which data sources to analyze and which managed data identifiers to use. To change these settings, use the UpdateClassificationScope and UpdateSensitivityInspectionTemplate operations, respectively. If you change the settings and subsequently disable the configuration, Amazon Macie retains your changes.
{}
Response Structure
The request succeeded. The status of the automated sensitive data discovery configuration for the account was updated and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionupdate_classification_job(**kwargs)¶Changes the status of a classification job.
See also: AWS API Documentation
Request Syntax
response = client.update_classification_job(
jobId='string',
jobStatus='RUNNING'|'PAUSED'|'CANCELLED'|'COMPLETE'|'IDLE'|'USER_PAUSED'
)
[REQUIRED]
The unique identifier for the classification job.
[REQUIRED]
The new status for the job. Valid values are:
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded. The job's status was changed and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionupdate_classification_scope(**kwargs)¶Updates the classification scope settings for an account.
See also: AWS API Documentation
Request Syntax
response = client.update_classification_scope(
id='string',
s3={
'excludes': {
'bucketNames': [
'string',
],
'operation': 'ADD'|'REPLACE'|'REMOVE'
}
}
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
The S3 buckets to add or remove from the exclusion list defined by the classification scope.
The names of the S3 buckets to add or remove from the list.
Depending on the value specified for the update operation (ClassificationScopeUpdateOperation), an array of strings that: lists the names of buckets to add or remove from the list, or specifies a new set of bucket names that overwrites all existing names in the list. Each string must be the full name of an S3 bucket. Values are case sensitive.
The name of an S3 bucket.
Specifies how to apply the changes to the exclusion list. Valid values are:
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded. The specified settings were updated and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionupdate_findings_filter(**kwargs)¶Updates the criteria and other settings for a findings filter.
See also: AWS API Documentation
Request Syntax
response = client.update_findings_filter(
action='ARCHIVE'|'NOOP',
clientToken='string',
description='string',
findingCriteria={
'criterion': {
'string': {
'eq': [
'string',
],
'eqExactMatch': [
'string',
],
'gt': 123,
'gte': 123,
'lt': 123,
'lte': 123,
'neq': [
'string',
]
}
}
},
id='string',
name='string',
position=123
)
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
This field is autopopulated if not provided.
A custom description of the filter. The description can contain as many as 512 characters.
We strongly recommend that you avoid including any sensitive data in the description of a filter. Other users of your account might be able to see this description, depending on the actions that they're allowed to perform in Amazon Macie.
The criteria to use to filter findings.
A condition that specifies the property, operator, and one or more values to use to filter the results.
Specifies the operator to use in a property-based condition that filters the results of a query for findings. For detailed information and examples of each operator, see Fundamentals of filtering findings in the Amazon Macie User Guide .
The value for the property matches (equals) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
The value for the property exclusively matches (equals an exact match for) all the specified values. If you specify multiple values, Amazon Macie uses AND logic to join the values.
You can use this operator with the following properties: customDataIdentifiers.detections.arn, customDataIdentifiers.detections.name, resourcesAffected.s3Bucket.tags.key, resourcesAffected.s3Bucket.tags.value, resourcesAffected.s3Object.tags.key, resourcesAffected.s3Object.tags.value, sensitiveData.category, and sensitiveData.detections.type.
The value for the property is greater than the specified value.
The value for the property is greater than or equal to the specified value.
The value for the property is less than the specified value.
The value for the property is less than or equal to the specified value.
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
A custom name for the filter. The name must contain at least 3 characters and can contain as many as 64 characters.
We strongly recommend that you avoid including any sensitive data in the name of a filter. Other users of your account might be able to see this name, depending on the actions that they're allowed to perform in Amazon Macie.
dict
Response Syntax
{
'arn': 'string',
'id': 'string'
}
Response Structure
(dict) --
The request succeeded. The specified findings filter was updated.
arn (string) --
The Amazon Resource Name (ARN) of the filter that was updated.
id (string) --
The unique identifier for the filter that was updated.
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionupdate_macie_session(**kwargs)¶Suspends or re-enables Amazon Macie, or updates the configuration settings for a Macie account.
See also: AWS API Documentation
Request Syntax
response = client.update_macie_session(
findingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
status='PAUSED'|'ENABLED'
)
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionupdate_member_session(**kwargs)¶Enables an Amazon Macie administrator to suspend or re-enable Macie for a member account.
See also: AWS API Documentation
Request Syntax
response = client.update_member_session(
id='string',
status='PAUSED'|'ENABLED'
)
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
[REQUIRED]
Specifies the new status for the account. Valid values are: ENABLED, resume all Amazon Macie activities for the account; and, PAUSED, suspend all Macie activities for the account.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionupdate_organization_configuration(**kwargs)¶Updates the Amazon Macie configuration settings for an organization in Organizations.
See also: AWS API Documentation
Request Syntax
response = client.update_organization_configuration(
autoEnable=True|False
)
[REQUIRED]
Specifies whether to enable Amazon Macie automatically for an account when the account is added to the organization in Organizations.
{}
Response Structure
The request succeeded and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ConflictExceptionupdate_resource_profile(**kwargs)¶Updates the sensitivity score for an S3 bucket.
See also: AWS API Documentation
Request Syntax
response = client.update_resource_profile(
resourceArn='string',
sensitivityScoreOverride=123
)
[REQUIRED]
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded. The S3 bucket's sensitivity score was updated and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionupdate_resource_profile_detections(**kwargs)¶Updates the sensitivity scoring settings for an S3 bucket.
See also: AWS API Documentation
Request Syntax
response = client.update_resource_profile_detections(
resourceArn='string',
suppressDataIdentifiers=[
{
'id': 'string',
'type': 'CUSTOM'|'MANAGED'
},
]
)
[REQUIRED]
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
An array of objects, one for each custom data identifier or managed data identifier that detected the type of sensitive data to start excluding or including in the bucket's score. To start including all sensitive data types in the score, don't specify any values for this array.
Specifies a custom data identifier or managed data identifier that detected a type of sensitive data to start excluding or including in an S3 bucket's sensitivity score.
The unique identifier for the custom data identifier or managed data identifier that detected the type of sensitive data to exclude or include in the score.
The type of data identifier that detected the sensitive data. Possible values are: CUSTOM, for a custom data identifier; and, MANAGED, for a managed data identifier.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded. The settings were updated and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.ServiceQuotaExceededExceptionMacie2.Client.exceptions.AccessDeniedExceptionMacie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionupdate_reveal_configuration(**kwargs)¶Updates the status and configuration settings for retrieving occurrences of sensitive data reported by findings.
See also: AWS API Documentation
Request Syntax
response = client.update_reveal_configuration(
configuration={
'kmsKeyId': 'string',
'status': 'ENABLED'|'DISABLED'
}
)
[REQUIRED]
The new configuration settings and the status of the configuration for the account.
The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that's retrieved. The key must be an existing, customer managed, symmetric encryption key that's in the same Amazon Web Services Region as the Amazon Macie account.
If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that's owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key's alias.
The status of the configuration for the Amazon Macie account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account.
{
'configuration': {
'kmsKeyId': 'string',
'status': 'ENABLED'|'DISABLED'
}
}
Response Structure
The request succeeded.
The new configuration settings and the status of the configuration for the account.
The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that's retrieved. The key must be an existing, customer managed, symmetric encryption key that's in the same Amazon Web Services Region as the Amazon Macie account.
If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that's owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key's alias.
The status of the configuration for the Amazon Macie account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account.
Exceptions
Macie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionupdate_sensitivity_inspection_template(**kwargs)¶Updates the settings for the sensitivity inspection template for an account.
See also: AWS API Documentation
Request Syntax
response = client.update_sensitivity_inspection_template(
description='string',
excludes={
'managedDataIdentifierIds': [
'string',
]
},
id='string',
includes={
'allowListIds': [
'string',
],
'customDataIdentifierIds': [
'string',
],
'managedDataIdentifierIds': [
'string',
]
}
)
The managed data identifiers to explicitly exclude (not use) when analyzing data.
To exclude an allow list or custom data identifier that's currently included by the template, update the values for the SensitivityInspectionTemplateIncludes.allowListIds and SensitivityInspectionTemplateIncludes.customDataIdentifierIds properties, respectively.
An array of unique identifiers, one for each managed data identifier to exclude. To retrieve a list of valid values, use the ListManagedDataIdentifiers operation.
[REQUIRED]
The unique identifier for the Amazon Macie resource that the request applies to.
The allow lists, custom data identifiers, and managed data identifiers to include (use) when analyzing data.
An array of unique identifiers, one for each allow list to include.
An array of unique identifiers, one for each custom data identifier to include.
An array of unique identifiers, one for each managed data identifier to include.
Amazon Macie uses these managed data identifiers in addition to managed data identifiers that are subsequently released and recommended for automated sensitive data discovery. To retrieve a list of valid values for the managed data identifiers that are currently available, use the ListManagedDataIdentifiers operation.
dict
Response Syntax
{}
Response Structure
(dict) --
The request succeeded. The template's settings were updated and there isn't any content to include in the body of the response (No Content).
Exceptions
Macie2.Client.exceptions.ResourceNotFoundExceptionMacie2.Client.exceptions.ThrottlingExceptionMacie2.Client.exceptions.ValidationExceptionMacie2.Client.exceptions.InternalServerExceptionMacie2.Client.exceptions.AccessDeniedExceptionThe available paginators are:
Macie2.Paginator.DescribeBucketsMacie2.Paginator.GetUsageStatisticsMacie2.Paginator.ListAllowListsMacie2.Paginator.ListClassificationJobsMacie2.Paginator.ListClassificationScopesMacie2.Paginator.ListCustomDataIdentifiersMacie2.Paginator.ListFindingsMacie2.Paginator.ListFindingsFiltersMacie2.Paginator.ListInvitationsMacie2.Paginator.ListManagedDataIdentifiersMacie2.Paginator.ListMembersMacie2.Paginator.ListOrganizationAdminAccountsMacie2.Paginator.ListResourceProfileArtifactsMacie2.Paginator.ListResourceProfileDetectionsMacie2.Paginator.ListSensitivityInspectionTemplatesMacie2.Paginator.SearchResourcesMacie2.Paginator.DescribeBuckets¶paginator = client.get_paginator('describe_buckets')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.describe_buckets().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
criteria={
'string': {
'eq': [
'string',
],
'gt': 123,
'gte': 123,
'lt': 123,
'lte': 123,
'neq': [
'string',
],
'prefix': 'string'
}
},
sortCriteria={
'attributeName': 'string',
'orderBy': 'ASC'|'DESC'
},
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
The criteria to use to filter the query results.
Specifies the operator to use in a property-based condition that filters the results of a query for information about S3 buckets.
The value for the property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
The value for the property is greater than the specified value.
The value for the property is greater than or equal to the specified value.
The value for the property is less than the specified value.
The value for the property is less than or equal to the specified value.
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
The name of the bucket begins with the specified value.
The criteria to use to sort the query results.
The name of the bucket property to sort the results by. This value can be one of the following properties that Amazon Macie defines as bucket metadata: accountId, bucketName, classifiableObjectCount, classifiableSizeInBytes, objectCount, sensitivityScore, or sizeInBytes.
The sort order to apply to the results, based on the value specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'buckets': [
{
'accountId': 'string',
'allowsUnencryptedObjectUploads': 'TRUE'|'FALSE'|'UNKNOWN',
'bucketArn': 'string',
'bucketCreatedAt': datetime(2015, 1, 1),
'bucketName': 'string',
'classifiableObjectCount': 123,
'classifiableSizeInBytes': 123,
'errorCode': 'ACCESS_DENIED',
'errorMessage': 'string',
'jobDetails': {
'isDefinedInJob': 'TRUE'|'FALSE'|'UNKNOWN',
'isMonitoredByJob': 'TRUE'|'FALSE'|'UNKNOWN',
'lastJobId': 'string',
'lastJobRunTime': datetime(2015, 1, 1)
},
'lastAutomatedDiscoveryTime': datetime(2015, 1, 1),
'lastUpdated': datetime(2015, 1, 1),
'objectCount': 123,
'objectCountByEncryptionType': {
'customerManaged': 123,
'kmsManaged': 123,
's3Managed': 123,
'unencrypted': 123,
'unknown': 123
},
'publicAccess': {
'effectivePermission': 'PUBLIC'|'NOT_PUBLIC'|'UNKNOWN',
'permissionConfiguration': {
'accountLevelPermissions': {
'blockPublicAccess': {
'blockPublicAcls': True|False,
'blockPublicPolicy': True|False,
'ignorePublicAcls': True|False,
'restrictPublicBuckets': True|False
}
},
'bucketLevelPermissions': {
'accessControlList': {
'allowsPublicReadAccess': True|False,
'allowsPublicWriteAccess': True|False
},
'blockPublicAccess': {
'blockPublicAcls': True|False,
'blockPublicPolicy': True|False,
'ignorePublicAcls': True|False,
'restrictPublicBuckets': True|False
},
'bucketPolicy': {
'allowsPublicReadAccess': True|False,
'allowsPublicWriteAccess': True|False
}
}
}
},
'region': 'string',
'replicationDetails': {
'replicated': True|False,
'replicatedExternally': True|False,
'replicationAccounts': [
'string',
]
},
'sensitivityScore': 123,
'serverSideEncryption': {
'kmsMasterKeyId': 'string',
'type': 'NONE'|'AES256'|'aws:kms'
},
'sharedAccess': 'EXTERNAL'|'INTERNAL'|'NOT_SHARED'|'UNKNOWN',
'sizeInBytes': 123,
'sizeInBytesCompressed': 123,
'tags': [
{
'key': 'string',
'value': 'string'
},
],
'unclassifiableObjectCount': {
'fileType': 123,
'storageClass': 123,
'total': 123
},
'unclassifiableObjectSizeInBytes': {
'fileType': 123,
'storageClass': 123,
'total': 123
},
'versioning': True|False
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
buckets (list) --
An array of objects, one for each bucket that matches the filter criteria specified in the request.
(dict) --
Provides statistical data and other information about an S3 bucket that Amazon Macie monitors and analyzes for your account. By default, object count and storage size values include data for object parts that are the result of incomplete multipart uploads. For more information, see How Macie monitors Amazon S3 data security in the Amazon Macie User Guide .
If an error occurs when Macie attempts to retrieve and process metadata from Amazon S3 for the bucket or the bucket's objects, the value for the versioning property is false and the value for most other properties is null. Key exceptions are accountId, bucketArn, bucketCreatedAt, bucketName, lastUpdated, and region. To identify the cause of the error, refer to the errorCode and errorMessage values.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the bucket.
allowsUnencryptedObjectUploads (string) --
Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are uploaded to the bucket. Possible values are:
Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.
bucketArn (string) --
The Amazon Resource Name (ARN) of the bucket.
bucketCreatedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the bucket was created. This value can also indicate when changes such as edits to the bucket's policy were most recently made to the bucket.
bucketName (string) --
The name of the bucket.
classifiableObjectCount (integer) --
The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
classifiableSizeInBytes (integer) --
The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
errorCode (string) --
The error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. If this value is ACCESS_DENIED, Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.
errorMessage (string) --
A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.
jobDetails (dict) --
Specifies whether any one-time or recurring classification jobs are configured to analyze data in the bucket, and, if so, the details of the job that ran most recently.
isDefinedInJob (string) --
Specifies whether any one-time or recurring jobs are configured to analyze data in the bucket. Possible values are:
isMonitoredByJob (string) --
Specifies whether any recurring jobs are configured to analyze data in the bucket. Possible values are:
lastJobId (string) --
The unique identifier for the job that ran most recently and is configured to analyze data in the bucket, either the latest run of a recurring job or the only run of a one-time job.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastJobRunTime (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastAutomatedDiscoveryTime (datetime) --
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed data in the bucket while performing automated sensitive data discovery for your account. This value is null if automated sensitive data discovery is currently disabled for your account.
lastUpdated (datetime) --
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved bucket or object metadata from Amazon S3 for the bucket.
objectCount (integer) --
The total number of objects in the bucket.
objectCountByEncryptionType (dict) --
The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.
customerManaged (integer) --
The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).
kmsManaged (integer) --
The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).
s3Managed (integer) --
The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).
unencrypted (integer) --
The total number of objects that aren't encrypted or use client-side encryption.
unknown (integer) --
The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.
publicAccess (dict) --
Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket, and provides information about those settings.
effectivePermission (string) --
Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket. Possible values are:
permissionConfiguration (dict) --
The account-level and bucket-level permissions settings for the bucket.
accountLevelPermissions (dict) --
The account-level permissions settings that apply to the bucket.
blockPublicAccess (dict) --
The block public access settings for the Amazon Web Services account that owns the bucket.
blockPublicAcls (boolean) --
Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.
blockPublicPolicy (boolean) --
Specifies whether Amazon S3 blocks public bucket policies for the bucket.
ignorePublicAcls (boolean) --
Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.
restrictPublicBuckets (boolean) --
Specifies whether Amazon S3 restricts public bucket policies for the bucket.
bucketLevelPermissions (dict) --
The bucket-level permissions settings for the bucket.
accessControlList (dict) --
The permissions settings of the access control list (ACL) for the bucket. This value is null if an ACL hasn't been defined for the bucket.
allowsPublicReadAccess (boolean) --
Specifies whether the ACL grants the general public with read access permissions for the bucket.
allowsPublicWriteAccess (boolean) --
Specifies whether the ACL grants the general public with write access permissions for the bucket.
blockPublicAccess (dict) --
The block public access settings for the bucket.
blockPublicAcls (boolean) --
Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.
blockPublicPolicy (boolean) --
Specifies whether Amazon S3 blocks public bucket policies for the bucket.
ignorePublicAcls (boolean) --
Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.
restrictPublicBuckets (boolean) --
Specifies whether Amazon S3 restricts public bucket policies for the bucket.
bucketPolicy (dict) --
The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn't been defined for the bucket.
allowsPublicReadAccess (boolean) --
Specifies whether the bucket policy allows the general public to have read access to the bucket.
allowsPublicWriteAccess (boolean) --
Specifies whether the bucket policy allows the general public to have write access to the bucket.
region (string) --
The Amazon Web Services Region that hosts the bucket.
replicationDetails (dict) --
Specifies whether the bucket is configured to replicate one or more objects to buckets for other Amazon Web Services accounts and, if so, which accounts.
replicated (boolean) --
Specifies whether the bucket is configured to replicate one or more objects to any destination.
replicatedExternally (boolean) --
Specifies whether the bucket is configured to replicate one or more objects to a bucket for an Amazon Web Services account that isn't part of your Amazon Macie organization. An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.
replicationAccounts (list) --
An array of Amazon Web Services account IDs, one for each Amazon Web Services account that owns a bucket that the bucket is configured to replicate one or more objects to.
sensitivityScore (integer) --
The sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). This value is null if automated sensitive data discovery is currently disabled for your account.
serverSideEncryption (dict) --
Specifies whether the bucket encrypts new objects by default and, if so, the type of server-side encryption that's used.
kmsMasterKeyId (string) --
The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that's used by default to encrypt objects that are added to the bucket. This value is null if the bucket uses an Amazon S3 managed key to encrypt new objects or the bucket doesn't encrypt new objects by default.
type (string) --
The type of server-side encryption that's used by default when storing new objects in the bucket. Possible values are:
sharedAccess (string) --
Specifies whether the bucket is shared with another Amazon Web Services account, an Amazon CloudFront origin access identity (OAI), or a CloudFront origin access control (OAC). Possible values are:
An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.
sizeInBytes (integer) --
The total storage size, in bytes, of the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.
sizeInBytesCompressed (integer) --
The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
tags (list) --
An array that specifies the tags (keys and values) that are associated with the bucket.
(dict) --
Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.
key (string) --
One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values.
value (string) --
One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string.
unclassifiableObjectCount (dict) --
The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
fileType (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
storageClass (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
total (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
unclassifiableObjectSizeInBytes (dict) --
The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
fileType (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
storageClass (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
total (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
versioning (boolean) --
Specifies whether versioning is enabled for the bucket.
NextToken (string) --
A token to resume pagination.
Macie2.Paginator.GetUsageStatistics¶paginator = client.get_paginator('get_usage_statistics')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.get_usage_statistics().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
filterBy=[
{
'comparator': 'GT'|'GTE'|'LT'|'LTE'|'EQ'|'NE'|'CONTAINS',
'key': 'accountId'|'serviceLimit'|'freeTrialStartDate'|'total',
'values': [
'string',
]
},
],
sortBy={
'key': 'accountId'|'total'|'serviceLimitValue'|'freeTrialStartDate',
'orderBy': 'ASC'|'DESC'
},
timeRange='MONTH_TO_DATE'|'PAST_30_DAYS',
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
An array of objects, one for each condition to use to filter the query results. If you specify more than one condition, Amazon Macie uses an AND operator to join the conditions.
Specifies a condition for filtering the results of a query for quota and usage data for one or more Amazon Macie accounts.
The operator to use in the condition. If the value for the key property is accountId, this value must be CONTAINS. If the value for the key property is any other supported field, this value can be EQ, GT, GTE, LT, LTE, or NE.
The field to use in the condition.
An array that lists values to use in the condition, based on the value for the field specified by the key property. If the value for the key property is accountId, this array can specify multiple values. Otherwise, this array can specify only one value.
Valid values for each supported field are:
The criteria to use to sort the query results.
The field to sort the results by.
The sort order to apply to the results, based on the value for the field specified by the key property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'records': [
{
'accountId': 'string',
'automatedDiscoveryFreeTrialStartDate': datetime(2015, 1, 1),
'freeTrialStartDate': datetime(2015, 1, 1),
'usage': [
{
'currency': 'USD',
'estimatedCost': 'string',
'serviceLimit': {
'isServiceLimited': True|False,
'unit': 'TERABYTES',
'value': 123
},
'type': 'DATA_INVENTORY_EVALUATION'|'SENSITIVE_DATA_DISCOVERY'|'AUTOMATED_SENSITIVE_DATA_DISCOVERY'|'AUTOMATED_OBJECT_MONITORING'
},
]
},
],
'timeRange': 'MONTH_TO_DATE'|'PAST_30_DAYS',
'NextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
records (list) --
An array of objects that contains the results of the query. Each object contains the data for an account that matches the filter criteria specified in the request.
(dict) --
Provides quota and aggregated usage data for an Amazon Macie account.
accountId (string) --
The unique identifier for the Amazon Web Services account that the data applies to.
automatedDiscoveryFreeTrialStartDate (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the free trial of automated sensitive data discovery started for the account. If the account is a member account in an organization, this value is the same as the value for the organization's Amazon Macie administrator account.
freeTrialStartDate (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie free trial started for the account.
usage (list) --
An array of objects that contains usage data and quotas for the account. Each object contains the data for a specific usage metric and the corresponding quota.
(dict) --
Provides data for a specific usage metric and the corresponding quota for an Amazon Macie account.
currency (string) --
The type of currency that the value for the metric (estimatedCost) is reported in.
estimatedCost (string) --
The estimated value for the metric.
serviceLimit (dict) --
The current value for the quota that corresponds to the metric specified by the type field.
isServiceLimited (boolean) --
Specifies whether the account has met the quota that corresponds to the metric specified by the UsageByAccount.type field in the response.
unit (string) --
The unit of measurement for the value specified by the value field.
value (integer) --
The value for the metric specified by the UsageByAccount.type field in the response.
type (string) --
The name of the metric. Possible values are: AUTOMATED_OBJECT_MONITORING, to monitor S3 objects for automated sensitive data discovery; AUTOMATED_SENSITIVE_DATA_DISCOVERY, to analyze S3 objects for automated sensitive data discovery; DATA_INVENTORY_EVALUATION, to monitor S3 buckets; and, SENSITIVE_DATA_DISCOVERY, to run classification jobs.
timeRange (string) --
The inclusive time period that the usage data applies to. Possible values are: MONTH_TO_DATE, for the current calendar month to date; and, PAST_30_DAYS, for the preceding 30 days.
NextToken (string) --
A token to resume pagination.
Macie2.Paginator.ListAllowLists¶paginator = client.get_paginator('list_allow_lists')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_allow_lists().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'allowLists': [
{
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'description': 'string',
'id': 'string',
'name': 'string',
'updatedAt': datetime(2015, 1, 1)
},
],
'NextToken': 'string'
}
Response Structure
The request succeeded.
An array of objects, one for each allow list.
Provides a subset of information about an allow list.
The Amazon Resource Name (ARN) of the allow list.
The date and time, in UTC and extended ISO 8601 format, when the allow list was created in Amazon Macie.
The custom description of the allow list.
The unique identifier for the allow list.
The custom name of the allow list.
The date and time, in UTC and extended ISO 8601 format, when the allow list's settings were most recently changed in Amazon Macie.
A token to resume pagination.
Macie2.Paginator.ListClassificationJobs¶paginator = client.get_paginator('list_classification_jobs')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_classification_jobs().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
filterCriteria={
'excludes': [
{
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'jobType'|'jobStatus'|'createdAt'|'name',
'values': [
'string',
]
},
],
'includes': [
{
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'jobType'|'jobStatus'|'createdAt'|'name',
'values': [
'string',
]
},
]
},
sortCriteria={
'attributeName': 'createdAt'|'jobStatus'|'name'|'jobType',
'orderBy': 'ASC'|'DESC'
},
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
The criteria to use to filter the results.
An array of objects, one for each condition that determines which jobs to exclude from the results.
Specifies a condition that filters the results of a request for information about classification jobs. Each condition consists of a property, an operator, and one or more values.
The operator to use to filter the results.
The property to use to filter the results.
An array that lists one or more values to use to filter the results.
An array of objects, one for each condition that determines which jobs to include in the results.
Specifies a condition that filters the results of a request for information about classification jobs. Each condition consists of a property, an operator, and one or more values.
The operator to use to filter the results.
The property to use to filter the results.
An array that lists one or more values to use to filter the results.
The criteria to use to sort the results.
The property to sort the results by.
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'items': [
{
'bucketCriteria': {
'excludes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
},
'includes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'GT'|'GTE'|'LT'|'LTE'|'NE'|'CONTAINS'|'STARTS_WITH',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
}
},
'bucketDefinitions': [
{
'accountId': 'string',
'buckets': [
'string',
]
},
],
'createdAt': datetime(2015, 1, 1),
'jobId': 'string',
'jobStatus': 'RUNNING'|'PAUSED'|'CANCELLED'|'COMPLETE'|'IDLE'|'USER_PAUSED',
'jobType': 'ONE_TIME'|'SCHEDULED',
'lastRunErrorStatus': {
'code': 'NONE'|'ERROR'
},
'name': 'string',
'userPausedDetails': {
'jobExpiresAt': datetime(2015, 1, 1),
'jobImminentExpirationHealthEventArn': 'string',
'jobPausedAt': datetime(2015, 1, 1)
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
items (list) --
An array of objects, one for each job that matches the filter criteria specified in the request.
(dict) --
Provides information about a classification job, including the current status of the job.
bucketCriteria (dict) --
The property- and tag-based conditions that determine which S3 buckets are included or excluded from the job's analysis. Each time the job runs, the job uses these criteria to determine which buckets to analyze. A job's definition can contain a bucketCriteria object or a bucketDefinitions array, not both.
excludes (dict) --
The property- and tag-based conditions that determine which buckets to exclude from the job.
and (list) --
An array of conditions, one for each condition that determines which buckets to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
(dict) --
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 buckets from a classification job.
simpleCriterion (dict) --
A property-based condition that defines a property, operator, and one or more values for including or excluding buckets from the job.
comparator (string) --
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
key (string) --
The property to use in the condition.
values (list) --
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in these values.
tagCriterion (dict) --
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding buckets from the job.
comparator (string) --
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
tagValues (list) --
The tag keys, tag values, or tag key and value pairs to use in the condition.
(dict) --
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
key (string) --
The value for the tag key to use in the condition.
value (string) --
The tag value to use in the condition.
includes (dict) --
The property- and tag-based conditions that determine which buckets to include in the job.
and (list) --
An array of conditions, one for each condition that determines which buckets to include or exclude from the job. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
(dict) --
Specifies a property- or tag-based condition that defines criteria for including or excluding S3 buckets from a classification job.
simpleCriterion (dict) --
A property-based condition that defines a property, operator, and one or more values for including or excluding buckets from the job.
comparator (string) --
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
key (string) --
The property to use in the condition.
values (list) --
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in these values.
tagCriterion (dict) --
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding buckets from the job.
comparator (string) --
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
tagValues (list) --
The tag keys, tag values, or tag key and value pairs to use in the condition.
(dict) --
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.
key (string) --
The value for the tag key to use in the condition.
value (string) --
The tag value to use in the condition.
bucketDefinitions (list) --
An array of objects, one for each Amazon Web Services account that owns specific S3 buckets for the job to analyze. Each object specifies the account ID for an account and one or more buckets to analyze for that account. A job's definition can contain a bucketDefinitions array or a bucketCriteria object, not both.
(dict) --
Specifies an Amazon Web Services account that owns S3 buckets for a classification job to analyze, and one or more specific buckets to analyze for that account.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the buckets.
buckets (list) --
An array that lists the names of the buckets.
createdAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the job was created.
jobId (string) --
The unique identifier for the job.
jobStatus (string) --
The current status of the job. Possible values are:
jobType (string) --
The schedule for running the job. Possible values are:
lastRunErrorStatus (dict) --
Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run.
code (string) --
Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run. Possible values are:
name (string) --
The custom name of the job.
userPausedDetails (dict) --
If the current status of the job is USER_PAUSED, specifies when the job was paused and when the job or job run will expire and be cancelled if it isn't resumed. This value is present only if the value for jobStatus is USER_PAUSED.
jobExpiresAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the job or job run will expire and be cancelled if you don't resume it first.
jobImminentExpirationHealthEventArn (string) --
The Amazon Resource Name (ARN) of the Health event that Amazon Macie sent to notify you of the job or job run's pending expiration and cancellation. This value is null if a job has been paused for less than 23 days.
jobPausedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when you paused the job.
NextToken (string) --
A token to resume pagination.
Macie2.Paginator.ListClassificationScopes¶paginator = client.get_paginator('list_classification_scopes')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_classification_scopes().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
name='string',
PaginationConfig={
'MaxItems': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'classificationScopes': [
{
'id': 'string',
'name': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
classificationScopes (list) --
An array that specifies the unique identifier and name of the classification scope for the account.
(dict) --
Provides information about the classification scope for an Amazon Macie account. Macie uses the scope's settings when it performs automated sensitive data discovery for the account.
id (string) --
The unique identifier for the classification scope.
name (string) --
The name of the classification scope: automated-sensitive-data-discovery.
NextToken (string) --
A token to resume pagination.
Macie2.Paginator.ListCustomDataIdentifiers¶paginator = client.get_paginator('list_custom_data_identifiers')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_custom_data_identifiers().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'items': [
{
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'description': 'string',
'id': 'string',
'name': 'string'
},
],
'NextToken': 'string'
}
Response Structure
The request succeeded.
An array of objects, one for each custom data identifier.
Provides information about a custom data identifier.
The Amazon Resource Name (ARN) of the custom data identifier.
The date and time, in UTC and extended ISO 8601 format, when the custom data identifier was created.
The custom description of the custom data identifier.
The unique identifier for the custom data identifier.
The custom name of the custom data identifier.
A token to resume pagination.
Macie2.Paginator.ListFindings¶paginator = client.get_paginator('list_findings')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_findings().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
findingCriteria={
'criterion': {
'string': {
'eq': [
'string',
],
'eqExactMatch': [
'string',
],
'gt': 123,
'gte': 123,
'lt': 123,
'lte': 123,
'neq': [
'string',
]
}
}
},
sortCriteria={
'attributeName': 'string',
'orderBy': 'ASC'|'DESC'
},
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
The criteria to use to filter the results.
A condition that specifies the property, operator, and one or more values to use to filter the results.
Specifies the operator to use in a property-based condition that filters the results of a query for findings. For detailed information and examples of each operator, see Fundamentals of filtering findings in the Amazon Macie User Guide .
The value for the property matches (equals) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
The value for the property exclusively matches (equals an exact match for) all the specified values. If you specify multiple values, Amazon Macie uses AND logic to join the values.
You can use this operator with the following properties: customDataIdentifiers.detections.arn, customDataIdentifiers.detections.name, resourcesAffected.s3Bucket.tags.key, resourcesAffected.s3Bucket.tags.value, resourcesAffected.s3Object.tags.key, resourcesAffected.s3Object.tags.value, sensitiveData.category, and sensitiveData.detections.type.
The value for the property is greater than the specified value.
The value for the property is greater than or equal to the specified value.
The value for the property is less than the specified value.
The value for the property is less than or equal to the specified value.
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
The criteria to use to sort the results.
The name of the property to sort the results by. This value can be the name of any property that Amazon Macie defines for a finding.
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'findingIds': [
'string',
],
'NextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
findingIds (list) --
An array of strings, where each string is the unique identifier for a finding that matches the filter criteria specified in the request.
NextToken (string) --
A token to resume pagination.
Macie2.Paginator.ListFindingsFilters¶paginator = client.get_paginator('list_findings_filters')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_findings_filters().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'findingsFilterListItems': [
{
'action': 'ARCHIVE'|'NOOP',
'arn': 'string',
'id': 'string',
'name': 'string',
'tags': {
'string': 'string'
}
},
],
'NextToken': 'string'
}
Response Structure
The request succeeded.
An array of objects, one for each filter that's associated with the account.
Provides information about a findings filter.
The action that's performed on findings that match the filter criteria. Possible values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
The Amazon Resource Name (ARN) of the filter.
The unique identifier for the filter.
The custom name of the filter.
A map of key-value pairs that specifies which tags (keys and values) are associated with the filter.
A token to resume pagination.
Macie2.Paginator.ListInvitations¶paginator = client.get_paginator('list_invitations')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_invitations().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'invitations': [
{
'accountId': 'string',
'invitationId': 'string',
'invitedAt': datetime(2015, 1, 1),
'relationshipStatus': 'Enabled'|'Paused'|'Invited'|'Created'|'Removed'|'Resigned'|'EmailVerificationInProgress'|'EmailVerificationFailed'|'RegionDisabled'|'AccountSuspended'
},
],
'NextToken': 'string'
}
Response Structure
The request succeeded.
An array of objects, one for each invitation that was received by the account.
Provides information about an Amazon Macie membership invitation.
The Amazon Web Services account ID for the account that sent the invitation.
The unique identifier for the invitation.
The date and time, in UTC and extended ISO 8601 format, when the invitation was sent.
The status of the relationship between the account that sent the invitation and the account that received the invitation.
A token to resume pagination.
Macie2.Paginator.ListManagedDataIdentifiers¶paginator = client.get_paginator('list_managed_data_identifiers')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_managed_data_identifiers().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'items': [
{
'category': 'FINANCIAL_INFORMATION'|'PERSONAL_INFORMATION'|'CREDENTIALS'|'CUSTOM_IDENTIFIER',
'id': 'string'
},
],
'NextToken': 'string'
}
Response Structure
The request succeeded.
An array of objects, one for each managed data identifier.
Provides information about a managed data identifier. For additional information, see Using managed data identifiers in the Amazon Macie User Guide .
The category of sensitive data that the managed data identifier detects: CREDENTIALS, for credentials data such as private keys or Amazon Web Services secret access keys; FINANCIAL_INFORMATION, for financial data such as credit card numbers; or, PERSONAL_INFORMATION, for personal health information, such as health insurance identification numbers, or personally identifiable information, such as passport numbers.
The unique identifier for the managed data identifier. This is a string that describes the type of sensitive data that the managed data identifier detects. For example: OPENSSH_PRIVATE_KEY for OpenSSH private keys, CREDIT_CARD_NUMBER for credit card numbers, or USA_PASSPORT_NUMBER for US passport numbers.
A token to resume pagination.
Macie2.Paginator.ListMembers¶paginator = client.get_paginator('list_members')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_members().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
onlyAssociated='string',
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'members': [
{
'accountId': 'string',
'administratorAccountId': 'string',
'arn': 'string',
'email': 'string',
'invitedAt': datetime(2015, 1, 1),
'masterAccountId': 'string',
'relationshipStatus': 'Enabled'|'Paused'|'Invited'|'Created'|'Removed'|'Resigned'|'EmailVerificationInProgress'|'EmailVerificationFailed'|'RegionDisabled'|'AccountSuspended',
'tags': {
'string': 'string'
},
'updatedAt': datetime(2015, 1, 1)
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
members (list) --
An array of objects, one for each account that's associated with the administrator account and matches the criteria specified in the request.
(dict) --
Provides information about an account that's associated with an Amazon Macie administrator account.
accountId (string) --
The Amazon Web Services account ID for the account.
administratorAccountId (string) --
The Amazon Web Services account ID for the administrator account.
arn (string) --
The Amazon Resource Name (ARN) of the account.
email (string) --
The email address for the account. This value is null if the account is associated with the administrator account through Organizations.
invitedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, when an Amazon Macie membership invitation was last sent to the account. This value is null if a Macie membership invitation hasn't been sent to the account.
masterAccountId (string) --
(Deprecated) The Amazon Web Services account ID for the administrator account. This property has been replaced by the administratorAccountId property and is retained only for backward compatibility.
relationshipStatus (string) --
The current status of the relationship between the account and the administrator account.
tags (dict) --
A map of key-value pairs that specifies which tags (keys and values) are associated with the account in Amazon Macie.
updatedAt (datetime) --
The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the relationship between the account and the administrator account.
NextToken (string) --
A token to resume pagination.
Macie2.Paginator.ListOrganizationAdminAccounts¶paginator = client.get_paginator('list_organization_admin_accounts')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_organization_admin_accounts().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'adminAccounts': [
{
'accountId': 'string',
'status': 'ENABLED'|'DISABLING_IN_PROGRESS'
},
],
'NextToken': 'string'
}
Response Structure
The request succeeded.
An array of objects, one for each delegated Amazon Macie administrator account for the organization. Only one of these accounts can have a status of ENABLED.
Provides information about the delegated Amazon Macie administrator account for an organization in Organizations.
The Amazon Web Services account ID for the account.
The current status of the account as the delegated Amazon Macie administrator account for the organization.
A token to resume pagination.
Macie2.Paginator.ListResourceProfileArtifacts¶paginator = client.get_paginator('list_resource_profile_artifacts')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_resource_profile_artifacts().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
resourceArn='string',
PaginationConfig={
'MaxItems': 123,
'StartingToken': 'string'
}
)
[REQUIRED]
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'artifacts': [
{
'arn': 'string',
'classificationResultStatus': 'string',
'sensitive': True|False
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
artifacts (list) --
An array of objects, one for each of 1-100 S3 objects that Amazon Macie selected for analysis.
If Macie has analyzed more than 100 objects in the bucket, Macie populates the array based on the value for the ResourceProfileArtifact.sensitive field for an object: true (sensitive), followed by false (not sensitive). Macie then populates any remaining items in the array with information about objects where the value for the ResourceProfileArtifact.classificationResultStatus field is SKIPPED.
(dict) --
Provides information about an S3 object that Amazon Macie selected for analysis while performing automated sensitive data discovery for an S3 bucket, and the status and results of the analysis. This information is available only if automated sensitive data discovery is currently enabled for your account.
arn (string) --
The Amazon Resource Name (ARN) of the object.
classificationResultStatus (string) --
The status of the analysis. Possible values are:
sensitive (boolean) --
Specifies whether Amazon Macie found sensitive data in the object.
NextToken (string) --
A token to resume pagination.
Macie2.Paginator.ListResourceProfileDetections¶paginator = client.get_paginator('list_resource_profile_detections')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_resource_profile_detections().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
resourceArn='string',
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
[REQUIRED]
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'detections': [
{
'arn': 'string',
'count': 123,
'id': 'string',
'name': 'string',
'suppressed': True|False,
'type': 'CUSTOM'|'MANAGED'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
detections (list) --
An array of objects, one for each type of sensitive data that Amazon Macie found in the bucket. Each object reports the number of occurrences of the specified type and provides information about the custom data identifier or managed data identifier that detected the data.
(dict) --
Provides information about a type of sensitive data that Amazon Macie found in an S3 bucket while performing automated sensitive data discovery for the bucket. The information also specifies the custom data identifier or managed data identifier that detected the data. This information is available only if automated sensitive data discovery is currently enabled for your account.
arn (string) --
If the sensitive data was detected by a custom data identifier, the Amazon Resource Name (ARN) of the custom data identifier that detected the data. Otherwise, this value is null.
count (integer) --
The total number of occurrences of the sensitive data.
id (string) --
The unique identifier for the custom data identifier or managed data identifier that detected the sensitive data. For additional details about a specified managed data identifier, see Using managed data identifiers in the Amazon Macie User Guide .
name (string) --
The name of the custom data identifier or managed data identifier that detected the sensitive data. For a managed data identifier, this value is the same as the unique identifier (id).
suppressed (boolean) --
Specifies whether occurrences of this type of sensitive data are excluded (true) or included (false) in the bucket's sensitivity score.
type (string) --
The type of data identifier that detected the sensitive data. Possible values are: CUSTOM, for a custom data identifier; and, MANAGED, for a managed data identifier.
NextToken (string) --
A token to resume pagination.
Macie2.Paginator.ListSensitivityInspectionTemplates¶paginator = client.get_paginator('list_sensitivity_inspection_templates')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.list_sensitivity_inspection_templates().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'sensitivityInspectionTemplates': [
{
'id': 'string',
'name': 'string'
},
],
'NextToken': 'string'
}
Response Structure
The request succeeded.
An array that specifies the unique identifier and name of the sensitivity inspection template for the account.
Provides information about the sensitivity inspection template for an Amazon Macie account. Macie uses the template's settings when it performs automated sensitive data discovery for the account.
The unique identifier for the sensitivity inspection template for the account.
The name of the sensitivity inspection template for the account: automated-sensitive-data-discovery.
A token to resume pagination.
Macie2.Paginator.SearchResources¶paginator = client.get_paginator('search_resources')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from Macie2.Client.search_resources().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
bucketCriteria={
'excludes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'NE',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'NE',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
},
'includes': {
'and': [
{
'simpleCriterion': {
'comparator': 'EQ'|'NE',
'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS',
'values': [
'string',
]
},
'tagCriterion': {
'comparator': 'EQ'|'NE',
'tagValues': [
{
'key': 'string',
'value': 'string'
},
]
}
},
]
}
},
sortCriteria={
'attributeName': 'ACCOUNT_ID'|'RESOURCE_NAME'|'S3_CLASSIFIABLE_OBJECT_COUNT'|'S3_CLASSIFIABLE_SIZE_IN_BYTES',
'orderBy': 'ASC'|'DESC'
},
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
The filter conditions that determine which S3 buckets to include or exclude from the query results.
The property- and tag-based conditions that determine which buckets to exclude from the results.
An array of objects, one for each property- or tag-based condition that includes or excludes resources from the query results. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based filter condition for including or excluding Amazon Web Services resources from the query results.
A property-based condition that defines a property, operator, and one or more values for including or excluding resources from the results.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The property to use in the condition.
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in values.
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding resources from the results.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The tag keys, tag values, or tag key and value pairs to use in the condition.
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based filter condition for a query. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based filter conditions.
The value for the tag key to use in the condition.
The tag value to use in the condition.
The property- and tag-based conditions that determine which buckets to include in the results.
An array of objects, one for each property- or tag-based condition that includes or excludes resources from the query results. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.
Specifies a property- or tag-based filter condition for including or excluding Amazon Web Services resources from the query results.
A property-based condition that defines a property, operator, and one or more values for including or excluding resources from the results.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The property to use in the condition.
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in values.
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding resources from the results.
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
The tag keys, tag values, or tag key and value pairs to use in the condition.
Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based filter condition for a query. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based filter conditions.
The value for the tag key to use in the condition.
The tag value to use in the condition.
The criteria to use to sort the results.
The property to sort the results by.
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'matchingResources': [
{
'matchingBucket': {
'accountId': 'string',
'bucketName': 'string',
'classifiableObjectCount': 123,
'classifiableSizeInBytes': 123,
'errorCode': 'ACCESS_DENIED',
'errorMessage': 'string',
'jobDetails': {
'isDefinedInJob': 'TRUE'|'FALSE'|'UNKNOWN',
'isMonitoredByJob': 'TRUE'|'FALSE'|'UNKNOWN',
'lastJobId': 'string',
'lastJobRunTime': datetime(2015, 1, 1)
},
'lastAutomatedDiscoveryTime': datetime(2015, 1, 1),
'objectCount': 123,
'objectCountByEncryptionType': {
'customerManaged': 123,
'kmsManaged': 123,
's3Managed': 123,
'unencrypted': 123,
'unknown': 123
},
'sensitivityScore': 123,
'sizeInBytes': 123,
'sizeInBytesCompressed': 123,
'unclassifiableObjectCount': {
'fileType': 123,
'storageClass': 123,
'total': 123
},
'unclassifiableObjectSizeInBytes': {
'fileType': 123,
'storageClass': 123,
'total': 123
}
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
The request succeeded.
matchingResources (list) --
An array of objects, one for each resource that matches the filter criteria specified in the request.
(dict) --
Provides statistical data and other information about an Amazon Web Services resource that Amazon Macie monitors and analyzes for your account.
matchingBucket (dict) --
The details of an S3 bucket that Amazon Macie monitors and analyzes.
accountId (string) --
The unique identifier for the Amazon Web Services account that owns the bucket.
bucketName (string) --
The name of the bucket.
classifiableObjectCount (integer) --
The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
classifiableSizeInBytes (integer) --
The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
errorCode (string) --
The error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. If this value is ACCESS_DENIED, Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.
errorMessage (string) --
A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.
jobDetails (dict) --
Specifies whether any one-time or recurring classification jobs are configured to analyze objects in the bucket, and, if so, the details of the job that ran most recently.
isDefinedInJob (string) --
Specifies whether any one-time or recurring jobs are configured to analyze data in the bucket. Possible values are:
isMonitoredByJob (string) --
Specifies whether any recurring jobs are configured to analyze data in the bucket. Possible values are:
lastJobId (string) --
The unique identifier for the job that ran most recently and is configured to analyze data in the bucket, either the latest run of a recurring job or the only run of a one-time job.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastJobRunTime (datetime) --
The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastAutomatedDiscoveryTime (datetime) --
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed data in the bucket while performing automated sensitive data discovery for your account. This value is null if automated sensitive data discovery is currently disabled for your account.
objectCount (integer) --
The total number of objects in the bucket.
objectCountByEncryptionType (dict) --
The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.
customerManaged (integer) --
The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).
kmsManaged (integer) --
The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).
s3Managed (integer) --
The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).
unencrypted (integer) --
The total number of objects that aren't encrypted or use client-side encryption.
unknown (integer) --
The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.
sensitivityScore (integer) --
The current sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). This value is null if automated sensitive data discovery is currently disabled for your account.
sizeInBytes (integer) --
The total storage size, in bytes, of the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.
sizeInBytesCompressed (integer) --
The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
unclassifiableObjectCount (dict) --
The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
fileType (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
storageClass (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
total (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
unclassifiableObjectSizeInBytes (dict) --
The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
fileType (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
storageClass (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
total (integer) --
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
NextToken (string) --
A token to resume pagination.
The available waiters are:
Macie2.Waiter.FindingRevealed¶waiter = client.get_waiter('finding_revealed')
wait(**kwargs)¶Polls Macie2.Client.get_sensitive_data_occurrences() every 2 seconds until a successful state is reached. An error is returned after 60 failed checks.
See also: AWS API Documentation
Request Syntax
waiter.wait(
findingId='string',
WaiterConfig={
'Delay': 123,
'MaxAttempts': 123
}
)
[REQUIRED]
The unique identifier for the finding.
A dictionary that provides parameters to control waiting behavior.
The amount of time in seconds to wait between attempts. Default: 2
The maximum number of attempts to be made. Default: 60
None