Macie2 / Client / describe_buckets

describe_buckets#

Macie2.Client.describe_buckets(**kwargs)#

Retrieves (queries) statistical data and other information about one or more S3 buckets that Amazon Macie monitors and analyzes for an account.

See also: AWS API Documentation

Request Syntax

response = client.describe_buckets(
    criteria={
        'string': {
            'eq': [
                'string',
            ],
            'gt': 123,
            'gte': 123,
            'lt': 123,
            'lte': 123,
            'neq': [
                'string',
            ],
            'prefix': 'string'
        }
    },
    maxResults=123,
    nextToken='string',
    sortCriteria={
        'attributeName': 'string',
        'orderBy': 'ASC'|'DESC'
    }
)
Parameters:
  • criteria (dict) –

    The criteria to use to filter the query results.

    • (string) –

      • (dict) –

        Specifies the operator to use in a property-based condition that filters the results of a query for information about S3 buckets.

        • eq (list) –

          The value for the property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.

          • (string) –

        • gt (integer) –

          The value for the property is greater than the specified value.

        • gte (integer) –

          The value for the property is greater than or equal to the specified value.

        • lt (integer) –

          The value for the property is less than the specified value.

        • lte (integer) –

          The value for the property is less than or equal to the specified value.

        • neq (list) –

          The value for the property doesn’t match (doesn’t equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.

          • (string) –

        • prefix (string) –

          The name of the bucket begins with the specified value.

  • maxResults (integer) – The maximum number of items to include in each page of the response. The default value is 50.

  • nextToken (string) – The nextToken string that specifies which page of results to return in a paginated response.

  • sortCriteria (dict) –

    The criteria to use to sort the query results.

    • attributeName (string) –

      The name of the bucket property to sort the results by. This value can be one of the following properties that Amazon Macie defines as bucket metadata: accountId, bucketName, classifiableObjectCount, classifiableSizeInBytes, objectCount, sensitivityScore, or sizeInBytes.

    • orderBy (string) –

      The sort order to apply to the results, based on the value specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.

Return type:

dict

Returns:

Response Syntax

{
    'buckets': [
        {
            'accountId': 'string',
            'allowsUnencryptedObjectUploads': 'TRUE'|'FALSE'|'UNKNOWN',
            'automatedDiscoveryMonitoringStatus': 'MONITORED'|'NOT_MONITORED',
            'bucketArn': 'string',
            'bucketCreatedAt': datetime(2015, 1, 1),
            'bucketName': 'string',
            'classifiableObjectCount': 123,
            'classifiableSizeInBytes': 123,
            'errorCode': 'ACCESS_DENIED'|'BUCKET_COUNT_EXCEEDS_QUOTA',
            'errorMessage': 'string',
            'jobDetails': {
                'isDefinedInJob': 'TRUE'|'FALSE'|'UNKNOWN',
                'isMonitoredByJob': 'TRUE'|'FALSE'|'UNKNOWN',
                'lastJobId': 'string',
                'lastJobRunTime': datetime(2015, 1, 1)
            },
            'lastAutomatedDiscoveryTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1),
            'objectCount': 123,
            'objectCountByEncryptionType': {
                'customerManaged': 123,
                'kmsManaged': 123,
                's3Managed': 123,
                'unencrypted': 123,
                'unknown': 123
            },
            'publicAccess': {
                'effectivePermission': 'PUBLIC'|'NOT_PUBLIC'|'UNKNOWN',
                'permissionConfiguration': {
                    'accountLevelPermissions': {
                        'blockPublicAccess': {
                            'blockPublicAcls': True|False,
                            'blockPublicPolicy': True|False,
                            'ignorePublicAcls': True|False,
                            'restrictPublicBuckets': True|False
                        }
                    },
                    'bucketLevelPermissions': {
                        'accessControlList': {
                            'allowsPublicReadAccess': True|False,
                            'allowsPublicWriteAccess': True|False
                        },
                        'blockPublicAccess': {
                            'blockPublicAcls': True|False,
                            'blockPublicPolicy': True|False,
                            'ignorePublicAcls': True|False,
                            'restrictPublicBuckets': True|False
                        },
                        'bucketPolicy': {
                            'allowsPublicReadAccess': True|False,
                            'allowsPublicWriteAccess': True|False
                        }
                    }
                }
            },
            'region': 'string',
            'replicationDetails': {
                'replicated': True|False,
                'replicatedExternally': True|False,
                'replicationAccounts': [
                    'string',
                ]
            },
            'sensitivityScore': 123,
            'serverSideEncryption': {
                'kmsMasterKeyId': 'string',
                'type': 'NONE'|'AES256'|'aws:kms'|'aws:kms:dsse'
            },
            'sharedAccess': 'EXTERNAL'|'INTERNAL'|'NOT_SHARED'|'UNKNOWN',
            'sizeInBytes': 123,
            'sizeInBytesCompressed': 123,
            'tags': [
                {
                    'key': 'string',
                    'value': 'string'
                },
            ],
            'unclassifiableObjectCount': {
                'fileType': 123,
                'storageClass': 123,
                'total': 123
            },
            'unclassifiableObjectSizeInBytes': {
                'fileType': 123,
                'storageClass': 123,
                'total': 123
            },
            'versioning': True|False
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) –

    The request succeeded.

    • buckets (list) –

      An array of objects, one for each bucket that matches the filter criteria specified in the request.

      • (dict) –

        Provides statistical data and other information about an S3 bucket that Amazon Macie monitors and analyzes for your account. By default, object count and storage size values include data for object parts that are the result of incomplete multipart uploads. For more information, see How Macie monitors Amazon S3 data security in the Amazon Macie User Guide.

        If an error or issue prevents Macie from retrieving and processing metadata from Amazon S3 for the bucket or the bucket’s objects, the value for the versioning property is false and the value for most other properties is null or UNKNOWN. Key exceptions are accountId, bucketArn, bucketCreatedAt, bucketName, lastUpdated, and region. To identify the cause, refer to the errorCode and errorMessage values.

        • accountId (string) –

          The unique identifier for the Amazon Web Services account that owns the bucket.

        • allowsUnencryptedObjectUploads (string) –

          Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are added to the bucket. Possible values are:

          • FALSE - The bucket policy requires server-side encryption of new objects. PutObject requests must include a valid server-side encryption header.

          • TRUE - The bucket doesn’t have a bucket policy or it has a bucket policy that doesn’t require server-side encryption of new objects. If a bucket policy exists, it doesn’t require PutObject requests to include a valid server-side encryption header.

          • UNKNOWN - Amazon Macie can’t determine whether the bucket policy requires server-side encryption of new objects.

          Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.

        • automatedDiscoveryMonitoringStatus (string) –

          Specifies whether automated sensitive data discovery is currently configured to analyze objects in the bucket. Possible values are: MONITORED, the bucket is included in analyses; and, NOT_MONITORED, the bucket is excluded from analyses. If automated sensitive data discovery is disabled for your account, this value is NOT_MONITORED.

        • bucketArn (string) –

          The Amazon Resource Name (ARN) of the bucket.

        • bucketCreatedAt (datetime) –

          The date and time, in UTC and extended ISO 8601 format, when the bucket was created. This value can also indicate when changes such as edits to the bucket’s policy were most recently made to the bucket.

        • bucketName (string) –

          The name of the bucket.

        • classifiableObjectCount (integer) –

          The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

        • classifiableSizeInBytes (integer) –

          The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

          If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn’t reflect the storage size of all versions of each applicable object in the bucket.

        • errorCode (string) –

          The code for an error or issue that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket’s objects. Possible values are:

          • ACCESS_DENIED - Macie doesn’t have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request.

          • BUCKET_COUNT_EXCEEDS_QUOTA - Retrieving and processing the information would exceed the quota for the number of buckets that Macie monitors for an account (10,000).

          If this value is null, Macie was able to retrieve and process the information.

        • errorMessage (string) –

          A brief description of the error or issue (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket’s objects. This value is null if Macie was able to retrieve and process the information.

        • jobDetails (dict) –

          Specifies whether any one-time or recurring classification jobs are configured to analyze objects in the bucket, and, if so, the details of the job that ran most recently.

          • isDefinedInJob (string) –

            Specifies whether any one-time or recurring jobs are configured to analyze objects in the bucket. Possible values are:

            • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more jobs and at least one of those jobs has a status other than CANCELLED. Or the bucket matched the bucket criteria (S3BucketCriteriaForJob) for at least one job that previously ran.

            • FALSE - The bucket isn’t explicitly included in the bucket definition (S3BucketDefinitionForJob) for any jobs, all the jobs that explicitly include the bucket in their bucket definitions have a status of CANCELLED, or the bucket didn’t match the bucket criteria (S3BucketCriteriaForJob) for any jobs that previously ran.

            • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.

          • isMonitoredByJob (string) –

            Specifies whether any recurring jobs are configured to analyze objects in the bucket. Possible values are:

            • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more recurring jobs or the bucket matches the bucket criteria (S3BucketCriteriaForJob) for one or more recurring jobs. At least one of those jobs has a status other than CANCELLED.

            • FALSE - The bucket isn’t explicitly included in the bucket definition (S3BucketDefinitionForJob) for any recurring jobs, the bucket doesn’t match the bucket criteria (S3BucketCriteriaForJob) for any recurring jobs, or all the recurring jobs that are configured to analyze data in the bucket have a status of CANCELLED.

            • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.

          • lastJobId (string) –

            The unique identifier for the job that ran most recently and is configured to analyze objects in the bucket, either the latest run of a recurring job or the only run of a one-time job.

            This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.

          • lastJobRunTime (datetime) –

            The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.

            This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.

        • lastAutomatedDiscoveryTime (datetime) –

          The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed objects in the bucket while performing automated sensitive data discovery. This value is null if this analysis hasn’t occurred.

        • lastUpdated (datetime) –

          The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved bucket or object metadata from Amazon S3 for the bucket.

        • objectCount (integer) –

          The total number of objects in the bucket.

        • objectCountByEncryptionType (dict) –

          The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren’t encrypted or use client-side encryption.

          • customerManaged (integer) –

            The total number of objects that are encrypted with customer-provided keys. The objects use server-side encryption with customer-provided keys (SSE-C).

          • kmsManaged (integer) –

            The total number of objects that are encrypted with KMS keys, either Amazon Web Services managed keys or customer managed keys. The objects use dual-layer server-side encryption or server-side encryption with KMS keys (DSSE-KMS or SSE-KMS).

          • s3Managed (integer) –

            The total number of objects that are encrypted with Amazon S3 managed keys. The objects use server-side encryption with Amazon S3 managed keys (SSE-S3).

          • unencrypted (integer) –

            The total number of objects that use client-side encryption or aren’t encrypted.

          • unknown (integer) –

            The total number of objects that Amazon Macie doesn’t have current encryption metadata for. Macie can’t provide current data about the encryption settings for these objects.

        • publicAccess (dict) –

          Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket, and provides information about those settings.

          • effectivePermission (string) –

            Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket. Possible values are:

            • NOT_PUBLIC - The bucket isn’t publicly accessible.

            • PUBLIC - The bucket is publicly accessible.

            • UNKNOWN - Amazon Macie can’t determine whether the bucket is publicly accessible.

          • permissionConfiguration (dict) –

            The account-level and bucket-level permissions settings for the bucket.

            • accountLevelPermissions (dict) –

              The account-level permissions settings that apply to the bucket.

              • blockPublicAccess (dict) –

                The block public access settings for the Amazon Web Services account that owns the bucket.

                • blockPublicAcls (boolean) –

                  Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.

                • blockPublicPolicy (boolean) –

                  Specifies whether Amazon S3 blocks public bucket policies for the bucket.

                • ignorePublicAcls (boolean) –

                  Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.

                • restrictPublicBuckets (boolean) –

                  Specifies whether Amazon S3 restricts public bucket policies for the bucket.

            • bucketLevelPermissions (dict) –

              The bucket-level permissions settings for the bucket.

              • accessControlList (dict) –

                The permissions settings of the access control list (ACL) for the bucket. This value is null if an ACL hasn’t been defined for the bucket.

                • allowsPublicReadAccess (boolean) –

                  Specifies whether the ACL grants the general public with read access permissions for the bucket.

                • allowsPublicWriteAccess (boolean) –

                  Specifies whether the ACL grants the general public with write access permissions for the bucket.

              • blockPublicAccess (dict) –

                The block public access settings for the bucket.

                • blockPublicAcls (boolean) –

                  Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.

                • blockPublicPolicy (boolean) –

                  Specifies whether Amazon S3 blocks public bucket policies for the bucket.

                • ignorePublicAcls (boolean) –

                  Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.

                • restrictPublicBuckets (boolean) –

                  Specifies whether Amazon S3 restricts public bucket policies for the bucket.

              • bucketPolicy (dict) –

                The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn’t been defined for the bucket.

                • allowsPublicReadAccess (boolean) –

                  Specifies whether the bucket policy allows the general public to have read access to the bucket.

                • allowsPublicWriteAccess (boolean) –

                  Specifies whether the bucket policy allows the general public to have write access to the bucket.

        • region (string) –

          The Amazon Web Services Region that hosts the bucket.

        • replicationDetails (dict) –

          Specifies whether the bucket is configured to replicate one or more objects to buckets for other Amazon Web Services accounts and, if so, which accounts.

          • replicated (boolean) –

            Specifies whether the bucket is configured to replicate one or more objects to any destination.

          • replicatedExternally (boolean) –

            Specifies whether the bucket is configured to replicate one or more objects to a bucket for an Amazon Web Services account that isn’t part of your Amazon Macie organization. An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.

          • replicationAccounts (list) –

            An array of Amazon Web Services account IDs, one for each Amazon Web Services account that owns a bucket that the bucket is configured to replicate one or more objects to.

            • (string) –

        • sensitivityScore (integer) –

          The sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive).

          If automated sensitive data discovery has never been enabled for your account or it’s been disabled for your organization or standalone account for more than 30 days, possible values are: 1, the bucket is empty; or, 50, the bucket stores objects but it’s been excluded from recent analyses.

        • serverSideEncryption (dict) –

          The default server-side encryption settings for the bucket.

          • kmsMasterKeyId (string) –

            The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that’s used by default to encrypt objects that are added to the bucket. This value is null if the bucket is configured to use an Amazon S3 managed key to encrypt new objects.

          • type (string) –

            The server-side encryption algorithm that’s used by default to encrypt objects that are added to the bucket. Possible values are:

            • AES256 - New objects use SSE-S3 encryption. They’re encrypted with an Amazon S3 managed key.

            • aws:kms - New objects use SSE-KMS encryption. They’re encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key.

            • aws:kms:dsse - New objects use DSSE-KMS encryption. They’re encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key.

            • NONE - The bucket’s default encryption settings don’t specify server-side encryption behavior for new objects.

        • sharedAccess (string) –

          Specifies whether the bucket is shared with another Amazon Web Services account, an Amazon CloudFront origin access identity (OAI), or a CloudFront origin access control (OAC). Possible values are:

          • EXTERNAL - The bucket is shared with one or more of the following or any combination of the following: a CloudFront OAI, a CloudFront OAC, or an Amazon Web Services account that isn’t part of your Amazon Macie organization.

          • INTERNAL - The bucket is shared with one or more Amazon Web Services accounts that are part of your Amazon Macie organization. It isn’t shared with a CloudFront OAI or OAC.

          • NOT_SHARED - The bucket isn’t shared with another Amazon Web Services account, a CloudFront OAI, or a CloudFront OAC.

          • UNKNOWN - Amazon Macie wasn’t able to evaluate the shared access settings for the bucket.

          An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.

        • sizeInBytes (integer) –

          The total storage size, in bytes, of the bucket.

          If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn’t reflect the storage size of all versions of each object in the bucket.

        • sizeInBytesCompressed (integer) –

          The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.

          If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn’t reflect the storage size of all versions of each applicable object in the bucket.

        • tags (list) –

          An array that specifies the tags (keys and values) that are associated with the bucket.

          • (dict) –

            Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.

            • key (string) –

              One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values.

            • value (string) –

              One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string.

        • unclassifiableObjectCount (dict) –

          The total number of objects that Amazon Macie can’t analyze in the bucket. These objects don’t use a supported storage class or don’t have a file name extension for a supported file or storage format.

          • fileType (integer) –

            The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects don’t have a file name extension for a supported file or storage format.

          • storageClass (integer) –

            The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects use an unsupported storage class.

          • total (integer) –

            The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects use an unsupported storage class or don’t have a file name extension for a supported file or storage format.

        • unclassifiableObjectSizeInBytes (dict) –

          The total storage size, in bytes, of the objects that Amazon Macie can’t analyze in the bucket. These objects don’t use a supported storage class or don’t have a file name extension for a supported file or storage format.

          • fileType (integer) –

            The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects don’t have a file name extension for a supported file or storage format.

          • storageClass (integer) –

            The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects use an unsupported storage class.

          • total (integer) –

            The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects use an unsupported storage class or don’t have a file name extension for a supported file or storage format.

        • versioning (boolean) –

          Specifies whether versioning is enabled for the bucket.

    • nextToken (string) –

      The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

Exceptions

  • Macie2.Client.exceptions.ValidationException

  • Macie2.Client.exceptions.InternalServerException

  • Macie2.Client.exceptions.ServiceQuotaExceededException

  • Macie2.Client.exceptions.AccessDeniedException

  • Macie2.Client.exceptions.ResourceNotFoundException

  • Macie2.Client.exceptions.ThrottlingException

  • Macie2.Client.exceptions.ConflictException