describe_buckets

describe_buckets(**kwargs)

Retrieves (queries) statistical data and other information about one or more S3 buckets that Amazon Macie monitors and analyzes for an account.

See also: AWS API Documentation

Request Syntax

response = client.describe_buckets(
    criteria={
        'string': {
            'eq': [
                'string',
            ],
            'gt': 123,
            'gte': 123,
            'lt': 123,
            'lte': 123,
            'neq': [
                'string',
            ],
            'prefix': 'string'
        }
    },
    maxResults=123,
    nextToken='string',
    sortCriteria={
        'attributeName': 'string',
        'orderBy': 'ASC'|'DESC'
    }
)
Parameters
  • criteria (dict) --

    The criteria to use to filter the query results.

    • (string) --
      • (dict) --

        Specifies the operator to use in a property-based condition that filters the results of a query for information about S3 buckets.

        • eq (list) --

          The value for the property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.

          • (string) --
        • gt (integer) --

          The value for the property is greater than the specified value.

        • gte (integer) --

          The value for the property is greater than or equal to the specified value.

        • lt (integer) --

          The value for the property is less than the specified value.

        • lte (integer) --

          The value for the property is less than or equal to the specified value.

        • neq (list) --

          The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.

          • (string) --
        • prefix (string) --

          The name of the bucket begins with the specified value.

  • maxResults (integer) -- The maximum number of items to include in each page of the response. The default value is 50.
  • nextToken (string) -- The nextToken string that specifies which page of results to return in a paginated response.
  • sortCriteria (dict) --

    The criteria to use to sort the query results.

    • attributeName (string) --

      The name of the bucket property to sort the results by. This value can be one of the following properties that Amazon Macie defines as bucket metadata: accountId, bucketName, classifiableObjectCount, classifiableSizeInBytes, objectCount, sensitivityScore, or sizeInBytes.

    • orderBy (string) --

      The sort order to apply to the results, based on the value specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.

Return type

dict

Returns

Response Syntax

{
    'buckets': [
        {
            'accountId': 'string',
            'allowsUnencryptedObjectUploads': 'TRUE'|'FALSE'|'UNKNOWN',
            'bucketArn': 'string',
            'bucketCreatedAt': datetime(2015, 1, 1),
            'bucketName': 'string',
            'classifiableObjectCount': 123,
            'classifiableSizeInBytes': 123,
            'errorCode': 'ACCESS_DENIED',
            'errorMessage': 'string',
            'jobDetails': {
                'isDefinedInJob': 'TRUE'|'FALSE'|'UNKNOWN',
                'isMonitoredByJob': 'TRUE'|'FALSE'|'UNKNOWN',
                'lastJobId': 'string',
                'lastJobRunTime': datetime(2015, 1, 1)
            },
            'lastAutomatedDiscoveryTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1),
            'objectCount': 123,
            'objectCountByEncryptionType': {
                'customerManaged': 123,
                'kmsManaged': 123,
                's3Managed': 123,
                'unencrypted': 123,
                'unknown': 123
            },
            'publicAccess': {
                'effectivePermission': 'PUBLIC'|'NOT_PUBLIC'|'UNKNOWN',
                'permissionConfiguration': {
                    'accountLevelPermissions': {
                        'blockPublicAccess': {
                            'blockPublicAcls': True|False,
                            'blockPublicPolicy': True|False,
                            'ignorePublicAcls': True|False,
                            'restrictPublicBuckets': True|False
                        }
                    },
                    'bucketLevelPermissions': {
                        'accessControlList': {
                            'allowsPublicReadAccess': True|False,
                            'allowsPublicWriteAccess': True|False
                        },
                        'blockPublicAccess': {
                            'blockPublicAcls': True|False,
                            'blockPublicPolicy': True|False,
                            'ignorePublicAcls': True|False,
                            'restrictPublicBuckets': True|False
                        },
                        'bucketPolicy': {
                            'allowsPublicReadAccess': True|False,
                            'allowsPublicWriteAccess': True|False
                        }
                    }
                }
            },
            'region': 'string',
            'replicationDetails': {
                'replicated': True|False,
                'replicatedExternally': True|False,
                'replicationAccounts': [
                    'string',
                ]
            },
            'sensitivityScore': 123,
            'serverSideEncryption': {
                'kmsMasterKeyId': 'string',
                'type': 'NONE'|'AES256'|'aws:kms'
            },
            'sharedAccess': 'EXTERNAL'|'INTERNAL'|'NOT_SHARED'|'UNKNOWN',
            'sizeInBytes': 123,
            'sizeInBytesCompressed': 123,
            'tags': [
                {
                    'key': 'string',
                    'value': 'string'
                },
            ],
            'unclassifiableObjectCount': {
                'fileType': 123,
                'storageClass': 123,
                'total': 123
            },
            'unclassifiableObjectSizeInBytes': {
                'fileType': 123,
                'storageClass': 123,
                'total': 123
            },
            'versioning': True|False
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    The request succeeded.

    • buckets (list) --

      An array of objects, one for each bucket that matches the filter criteria specified in the request.

      • (dict) --

        Provides statistical data and other information about an S3 bucket that Amazon Macie monitors and analyzes for your account. By default, object count and storage size values include data for object parts that are the result of incomplete multipart uploads. For more information, see How Macie monitors Amazon S3 data security in the Amazon Macie User Guide .

        If an error occurs when Macie attempts to retrieve and process metadata from Amazon S3 for the bucket or the bucket's objects, the value for the versioning property is false and the value for most other properties is null. Key exceptions are accountId, bucketArn, bucketCreatedAt, bucketName, lastUpdated, and region. To identify the cause of the error, refer to the errorCode and errorMessage values.

        • accountId (string) --

          The unique identifier for the Amazon Web Services account that owns the bucket.

        • allowsUnencryptedObjectUploads (string) --

          Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are uploaded to the bucket. Possible values are:

          • FALSE - The bucket policy requires server-side encryption of new objects. PutObject requests must include a valid server-side encryption header.
          • TRUE - The bucket doesn't have a bucket policy or it has a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, it doesn't require PutObject requests to include a valid server-side encryption header.
          • UNKNOWN - Amazon Macie can't determine whether the bucket policy requires server-side encryption of new objects.

          Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.

        • bucketArn (string) --

          The Amazon Resource Name (ARN) of the bucket.

        • bucketCreatedAt (datetime) --

          The date and time, in UTC and extended ISO 8601 format, when the bucket was created. This value can also indicate when changes such as edits to the bucket's policy were most recently made to the bucket.

        • bucketName (string) --

          The name of the bucket.

        • classifiableObjectCount (integer) --

          The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

        • classifiableSizeInBytes (integer) --

          The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

          If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.

        • errorCode (string) --

          The error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. If this value is ACCESS_DENIED, Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.

        • errorMessage (string) --

          A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.

        • jobDetails (dict) --

          Specifies whether any one-time or recurring classification jobs are configured to analyze data in the bucket, and, if so, the details of the job that ran most recently.

          • isDefinedInJob (string) --

            Specifies whether any one-time or recurring jobs are configured to analyze data in the bucket. Possible values are:

            • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more jobs and at least one of those jobs has a status other than CANCELLED. Or the bucket matched the bucket criteria (S3BucketCriteriaForJob) for at least one job that previously ran.
            • FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any jobs, all the jobs that explicitly include the bucket in their bucket definitions have a status of CANCELLED, or the bucket didn't match the bucket criteria (S3BucketCriteriaForJob) for any jobs that previously ran.
            • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.
          • isMonitoredByJob (string) --

            Specifies whether any recurring jobs are configured to analyze data in the bucket. Possible values are:

            • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more recurring jobs or the bucket matches the bucket criteria (S3BucketCriteriaForJob) for one or more recurring jobs. At least one of those jobs has a status other than CANCELLED.
            • FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any recurring jobs, the bucket doesn't match the bucket criteria (S3BucketCriteriaForJob) for any recurring jobs, or all the recurring jobs that are configured to analyze data in the bucket have a status of CANCELLED.
            • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.
          • lastJobId (string) --

            The unique identifier for the job that ran most recently and is configured to analyze data in the bucket, either the latest run of a recurring job or the only run of a one-time job.

            This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.

          • lastJobRunTime (datetime) --

            The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.

            This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.

        • lastAutomatedDiscoveryTime (datetime) --

          The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed data in the bucket while performing automated sensitive data discovery for your account. This value is null if automated sensitive data discovery is currently disabled for your account.

        • lastUpdated (datetime) --

          The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved bucket or object metadata from Amazon S3 for the bucket.

        • objectCount (integer) --

          The total number of objects in the bucket.

        • objectCountByEncryptionType (dict) --

          The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.

          • customerManaged (integer) --

            The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).

          • kmsManaged (integer) --

            The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).

          • s3Managed (integer) --

            The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).

          • unencrypted (integer) --

            The total number of objects that aren't encrypted or use client-side encryption.

          • unknown (integer) --

            The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.

        • publicAccess (dict) --

          Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket, and provides information about those settings.

          • effectivePermission (string) --

            Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket. Possible values are:

            • NOT_PUBLIC - The bucket isn't publicly accessible.
            • PUBLIC - The bucket is publicly accessible.
            • UNKNOWN - Amazon Macie can't determine whether the bucket is publicly accessible.
          • permissionConfiguration (dict) --

            The account-level and bucket-level permissions settings for the bucket.

            • accountLevelPermissions (dict) --

              The account-level permissions settings that apply to the bucket.

              • blockPublicAccess (dict) --

                The block public access settings for the Amazon Web Services account that owns the bucket.

                • blockPublicAcls (boolean) --

                  Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.

                • blockPublicPolicy (boolean) --

                  Specifies whether Amazon S3 blocks public bucket policies for the bucket.

                • ignorePublicAcls (boolean) --

                  Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.

                • restrictPublicBuckets (boolean) --

                  Specifies whether Amazon S3 restricts public bucket policies for the bucket.

            • bucketLevelPermissions (dict) --

              The bucket-level permissions settings for the bucket.

              • accessControlList (dict) --

                The permissions settings of the access control list (ACL) for the bucket. This value is null if an ACL hasn't been defined for the bucket.

                • allowsPublicReadAccess (boolean) --

                  Specifies whether the ACL grants the general public with read access permissions for the bucket.

                • allowsPublicWriteAccess (boolean) --

                  Specifies whether the ACL grants the general public with write access permissions for the bucket.

              • blockPublicAccess (dict) --

                The block public access settings for the bucket.

                • blockPublicAcls (boolean) --

                  Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.

                • blockPublicPolicy (boolean) --

                  Specifies whether Amazon S3 blocks public bucket policies for the bucket.

                • ignorePublicAcls (boolean) --

                  Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.

                • restrictPublicBuckets (boolean) --

                  Specifies whether Amazon S3 restricts public bucket policies for the bucket.

              • bucketPolicy (dict) --

                The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn't been defined for the bucket.

                • allowsPublicReadAccess (boolean) --

                  Specifies whether the bucket policy allows the general public to have read access to the bucket.

                • allowsPublicWriteAccess (boolean) --

                  Specifies whether the bucket policy allows the general public to have write access to the bucket.

        • region (string) --

          The Amazon Web Services Region that hosts the bucket.

        • replicationDetails (dict) --

          Specifies whether the bucket is configured to replicate one or more objects to buckets for other Amazon Web Services accounts and, if so, which accounts.

          • replicated (boolean) --

            Specifies whether the bucket is configured to replicate one or more objects to any destination.

          • replicatedExternally (boolean) --

            Specifies whether the bucket is configured to replicate one or more objects to a bucket for an Amazon Web Services account that isn't part of your Amazon Macie organization. An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.

          • replicationAccounts (list) --

            An array of Amazon Web Services account IDs, one for each Amazon Web Services account that owns a bucket that the bucket is configured to replicate one or more objects to.

            • (string) --
        • sensitivityScore (integer) --

          The sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). This value is null if automated sensitive data discovery is currently disabled for your account.

        • serverSideEncryption (dict) --

          Specifies whether the bucket encrypts new objects by default and, if so, the type of server-side encryption that's used.

          • kmsMasterKeyId (string) --

            The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that's used by default to encrypt objects that are added to the bucket. This value is null if the bucket uses an Amazon S3 managed key to encrypt new objects or the bucket doesn't encrypt new objects by default.

          • type (string) --

            The type of server-side encryption that's used by default when storing new objects in the bucket. Possible values are:

            • AES256 - New objects are encrypted with an Amazon S3 managed key. They use SSE-S3 encryption.
            • aws:kms - New objects are encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key. They use SSE-KMS encryption.
            • NONE - New objects aren't encrypted by default. Default encryption is disabled for the bucket.
        • sharedAccess (string) --

          Specifies whether the bucket is shared with another Amazon Web Services account, an Amazon CloudFront origin access identity (OAI), or a CloudFront origin access control (OAC). Possible values are:

          • EXTERNAL - The bucket is shared with one or more of the following or any combination of the following: an Amazon Web Services account that isn't part of your Amazon Macie organization, a CloudFront OAI, or a CloudFront OAC.
          • INTERNAL - The bucket is shared with one or more Amazon Web Services accounts that are part of your Amazon Macie organization. It isn't shared with a CloudFront OAI or OAC.
          • NOT_SHARED - The bucket isn't shared with another Amazon Web Services account, a CloudFront OAI, or a CloudFront OAC.
          • UNKNOWN - Amazon Macie wasn't able to evaluate the shared access settings for the bucket.

          An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.

        • sizeInBytes (integer) --

          The total storage size, in bytes, of the bucket.

          If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.

        • sizeInBytesCompressed (integer) --

          The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.

          If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.

        • tags (list) --

          An array that specifies the tags (keys and values) that are associated with the bucket.

          • (dict) --

            Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.

            • key (string) --

              One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values.

            • value (string) --

              One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string.

        • unclassifiableObjectCount (dict) --

          The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

          • fileType (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.

          • storageClass (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.

          • total (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.

        • unclassifiableObjectSizeInBytes (dict) --

          The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

          • fileType (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.

          • storageClass (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.

          • total (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.

        • versioning (boolean) --

          Specifies whether versioning is enabled for the bucket.

    • nextToken (string) --

      The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

Exceptions

  • Macie2.Client.exceptions.ValidationException
  • Macie2.Client.exceptions.InternalServerException
  • Macie2.Client.exceptions.ServiceQuotaExceededException
  • Macie2.Client.exceptions.AccessDeniedException
  • Macie2.Client.exceptions.ResourceNotFoundException
  • Macie2.Client.exceptions.ThrottlingException
  • Macie2.Client.exceptions.ConflictException