
update_reveal_configuration

Macie2.Client.update_reveal_configuration(**kwargs)

Updates the status and configuration settings for retrieving occurrences of sensitive data reported by findings.

See also: AWS API Documentation

Request Syntax

response = client.update_reveal_configuration(
    configuration={
        'kmsKeyId': 'string',
        'status': 'ENABLED'|'DISABLED'
    },
    retrievalConfiguration={
        'retrievalMode': 'CALLER_CREDENTIALS'|'ASSUME_ROLE',
        'roleName': 'string'
    }
)
Parameters:
  • configuration (dict) –

    [REQUIRED]

    The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.

    • kmsKeyId (string) –

      The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that’s retrieved. The key must be an existing, customer managed, symmetric encryption key that’s enabled in the same Amazon Web Services Region as the Amazon Macie account.

      If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that’s owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key’s alias.

    • status (string) – [REQUIRED]

      The status of the configuration for the Amazon Macie account. In a response, the possible values are ENABLED (the configuration is currently enabled for the account) and DISABLED (the configuration is currently disabled for the account). In a request, the valid values are ENABLED (enable the configuration for the account) and DISABLED (disable the configuration for the account).

      Warning

      If you disable the configuration, you also permanently delete current settings that specify how to access affected S3 objects. If your current access method is ASSUME_ROLE, Macie also deletes the external ID and role name currently specified for the configuration. These settings can’t be recovered after they’re deleted.

  • retrievalConfiguration (dict) –

    The access method and settings to use when retrieving the sensitive data.

    • retrievalMode (string) – [REQUIRED]

      The access method to use when retrieving sensitive data from affected S3 objects. Valid values are ASSUME_ROLE (assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie) and CALLER_CREDENTIALS (use the credentials of the IAM user who requests the sensitive data). If you specify ASSUME_ROLE, also specify the name of an existing IAM role for Macie to assume (roleName).

      Warning

      If you change this value from ASSUME_ROLE to CALLER_CREDENTIALS for an existing configuration, Macie permanently deletes the external ID and role name currently specified for the configuration. These settings can’t be recovered after they’re deleted.

    • roleName (string) –

      The name of the IAM role that is in the affected Amazon Web Services account and that Amazon Macie is allowed to assume when retrieving sensitive data from affected S3 objects for the account. The trust and permissions policies for the role must meet all requirements for Macie to assume the role.
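The parameter descriptions above state several constraints that the service only reports back as a ValidationException, and two Warnings describe changes that permanently delete the stored external ID and role name. The following is an added example, not code from the boto3 documentation or from AWS: it builds the kwargs for this call, rejects locally the combinations the docs rule out (invalid status or retrievalMode values, a missing roleName with ASSUME_ROLE, an alias without the alias/ prefix), and refuses the two irreversible transitions unless the caller opts in. It assumes `get_reveal_configuration` returns the same shape as this call's response; the regular expressions for KMS ARNs, key IDs and IAM role names are assumptions about those identifier formats, not taken from this page. The `client` argument is any object with the two Macie2 methods, so a fake can be injected offline.

```python
"""Local validation for Macie2.Client.update_reveal_configuration kwargs.

Added example, not code from the boto3 documentation or from AWS.
"""
import re

VALID_STATUS = {"ENABLED", "DISABLED"}
VALID_MODES = {"CALLER_CREDENTIALS", "ASSUME_ROLE"}

# Assumed identifier shapes (not stated on the doc page): a KMS key or alias
# ARN, a KMS key ID (UUID), and the IAM role-name character set and length.
KMS_ARN_RE = re.compile(r"^arn:[^:]+:kms:[^:]+:\d{12}:(key|alias)/.+$")
KMS_KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")


def validate_kms_key_id(kms_key_id):
    """Accept a key ARN, an alias ARN, a key ID, or an 'alias/' name.

    A non-ARN value can only name a key in the caller's own account; the docs
    require an ARN for a key owned by another account, and an alias name must
    carry the 'alias/' prefix.
    """
    if KMS_ARN_RE.match(kms_key_id) or KMS_KEY_ID_RE.match(kms_key_id):
        return kms_key_id
    if kms_key_id.startswith("alias/"):
        return kms_key_id
    raise ValueError(
        f"kmsKeyId {kms_key_id!r} must be a key ARN, an alias ARN, a key ID, "
        "or an alias name with the 'alias/' prefix"
    )


def build_request(status, kms_key_id=None, retrieval_mode=None, role_name=None):
    """Return kwargs suitable for client.update_reveal_configuration(**kwargs)."""
    if status not in VALID_STATUS:
        raise ValueError(f"status must be one of {sorted(VALID_STATUS)}")
    configuration = {"status": status}
    if kms_key_id is not None:
        configuration["kmsKeyId"] = validate_kms_key_id(kms_key_id)
    request = {"configuration": configuration}

    if retrieval_mode is None:
        if role_name is not None:
            raise ValueError("roleName requires retrievalMode='ASSUME_ROLE'")
        return request
    if retrieval_mode not in VALID_MODES:
        raise ValueError(f"retrievalMode must be one of {sorted(VALID_MODES)}")
    retrieval = {"retrievalMode": retrieval_mode}
    if retrieval_mode == "ASSUME_ROLE":
        # The docs require the name of an existing role for Macie to assume.
        if not role_name or not ROLE_NAME_RE.match(role_name):
            raise ValueError("ASSUME_ROLE requires a valid roleName")
        retrieval["roleName"] = role_name
    elif role_name is not None:
        raise ValueError("roleName only applies when retrievalMode is ASSUME_ROLE")
    request["retrievalConfiguration"] = retrieval
    return request


def irreversible_changes(current, request):
    """List the transitions the docs warn permanently delete settings.

    `current` has the shape of get_reveal_configuration's response (assumed
    identical to this call's response); `request` is the kwargs to send.
    """
    notes = []
    cur_status = current.get("configuration", {}).get("status")
    cur_mode = current.get("retrievalConfiguration", {}).get("retrievalMode")
    new_status = request["configuration"]["status"]
    new_mode = request.get("retrievalConfiguration", {}).get("retrievalMode")
    if cur_status == "ENABLED" and new_status == "DISABLED":
        note = "disabling deletes the stored access settings"
        if cur_mode == "ASSUME_ROLE":
            note += ", including the external ID and role name"
        notes.append(note)
    if cur_mode == "ASSUME_ROLE" and new_mode == "CALLER_CREDENTIALS":
        notes.append("switching to CALLER_CREDENTIALS deletes the external ID and role name")
    return notes


def update_reveal_configuration(client, request, allow_irreversible=False):
    """Read the current configuration, refuse irreversible changes unless
    explicitly allowed, then apply the update and return the response."""
    current = client.get_reveal_configuration()
    notes = irreversible_changes(current, request)
    if notes and not allow_irreversible:
        raise RuntimeError("refusing irreversible change: " + "; ".join(notes))
    return client.update_reveal_configuration(**request)


if __name__ == "__main__":
    import boto3  # only needed for a live call against the account

    req = build_request("ENABLED", kms_key_id="alias/macie-reveal",
                        retrieval_mode="ASSUME_ROLE", role_name="MacieRevealRole")
    print(update_reveal_configuration(boto3.client("macie2"), req))
```

The pre-check is deliberately a separate read followed by a write: the API itself offers no dry run, and once ASSUME_ROLE settings are deleted the external ID has to be regenerated and every member-account trust policy updated again.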

Return type:

dict

Returns:

Response Syntax

{
    'configuration': {
        'kmsKeyId': 'string',
        'status': 'ENABLED'|'DISABLED'
    },
    'retrievalConfiguration': {
        'externalId': 'string',
        'retrievalMode': 'CALLER_CREDENTIALS'|'ASSUME_ROLE',
        'roleName': 'string'
    }
}

Response Structure

  • (dict) –

    The request succeeded.

    • configuration (dict) –

      The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.

      • kmsKeyId (string) –

        The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that’s retrieved. The key must be an existing, customer managed, symmetric encryption key that’s enabled in the same Amazon Web Services Region as the Amazon Macie account.

        If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that’s owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key’s alias.

      • status (string) –

        The status of the configuration for the Amazon Macie account. In a response, the possible values are ENABLED (the configuration is currently enabled for the account) and DISABLED (the configuration is currently disabled for the account). In a request, the valid values are ENABLED (enable the configuration for the account) and DISABLED (disable the configuration for the account).

        Warning

        If you disable the configuration, you also permanently delete current settings that specify how to access affected S3 objects. If your current access method is ASSUME_ROLE, Macie also deletes the external ID and role name currently specified for the configuration. These settings can’t be recovered after they’re deleted.

    • retrievalConfiguration (dict) –

      The access method and settings to use when retrieving the sensitive data.

      • externalId (string) –

        The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). This value is null if the value for retrievalMode is CALLER_CREDENTIALS.

        This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume an IAM role. For a Macie administrator to retrieve sensitive data from an affected S3 object for a member account, the trust policy for the role in the member account must include an sts:ExternalId condition that requires this ID.

      • retrievalMode (string) –

        The access method that’s used to retrieve sensitive data from affected S3 objects. Valid values are ASSUME_ROLE (assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie; see roleName) and CALLER_CREDENTIALS (use the credentials of the IAM user who requests the sensitive data).

      • roleName (string) –

        The name of the IAM role that is in the affected Amazon Web Services account and that Amazon Macie is allowed to assume when retrieving sensitive data from affected S3 objects for the account. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.
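The externalId in the response is the value the docs say the role's trust policy in each member account must require through an sts:ExternalId condition; without it, any principal allowed to call the Macie service could direct a role assumption at the member account (the confused-deputy problem the external ID exists to prevent). As an added example, not code from the boto3 documentation or from AWS, the block below derives that trust policy from a response of this call and also checks an existing trust policy document for the condition. The service principal `macie.amazonaws.com` and the additional `aws:SourceAccount` condition are assumptions drawn from general IAM practice, not stated on this page; the sample response is constructed and its externalId is made up.

```python
"""Trust policy derivation and check for the Macie ASSUME_ROLE access method.

Added example, not code from the boto3 documentation or from AWS.
"""
import json

# Assumed service principal for Macie (not stated on the doc page).
MACIE_SERVICE_PRINCIPAL = "macie.amazonaws.com"

# Constructed sample in the shape of update_reveal_configuration's response;
# the externalId is made up for offline use.
SAMPLE_RESPONSE = {
    "configuration": {"kmsKeyId": "alias/macie-reveal", "status": "ENABLED"},
    "retrievalConfiguration": {
        "externalId": "EXAMPLEEXTERNALID0123",
        "retrievalMode": "ASSUME_ROLE",
        "roleName": "MacieRevealRole",
    },
}


def build_trust_policy(response, admin_account_id, service_principal=MACIE_SERVICE_PRINCIPAL):
    """Return the trust policy document for the role named in the response.

    The sts:ExternalId condition is what the docs require; aws:SourceAccount
    (the Macie administrator account) is an added, assumed hardening condition.
    """
    retrieval = response.get("retrievalConfiguration") or {}
    if retrieval.get("retrievalMode") != "ASSUME_ROLE":
        raise ValueError("no role is assumed under CALLER_CREDENTIALS; no trust policy applies")
    external_id = retrieval.get("externalId")
    if not external_id:
        raise ValueError("response carries no externalId; refusing to build an unpinned trust policy")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": service_principal},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": external_id,
                        "aws:SourceAccount": admin_account_id,
                    }
                },
            }
        ],
    }


def trust_policy_requires_external_id(policy, external_id):
    """True only if every Allow statement granting sts:AssumeRole is pinned to
    exactly this external ID. One unconditioned statement fails the check."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = False
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        cond = statement.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        ids = [cond] if isinstance(cond, str) else list(cond or [])
        if ids != [external_id]:
            return False
        found = True
    return found


if __name__ == "__main__":
    policy = build_trust_policy(SAMPLE_RESPONSE, "111122223333")
    print(json.dumps(policy, indent=2))
    print(trust_policy_requires_external_id(policy, "EXAMPLEEXTERNALID0123"))
```

Run the check against each member account's current trust policy whenever the configuration is updated: because disabling the configuration or switching to CALLER_CREDENTIALS deletes the external ID, a later re-enable produces a new ID and every role still pinned to the old one will fail to be assumed.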

Exceptions

  • Macie2.Client.exceptions.ThrottlingException

  • Macie2.Client.exceptions.ValidationException

  • Macie2.Client.exceptions.InternalServerException

  • Macie2.Client.exceptions.AccessDeniedException