Data Sources - Amazon S3 - Amazon Macie

The Amazon S3 Data Sources resource provides statistical data and other information about the Amazon Simple Storage Service (Amazon S3) buckets that Amazon Macie monitors and analyzes for your account. This includes a breakdown of each bucket's public access and encryption settings. It also includes details about the size and number of objects that Macie can analyze to detect sensitive data in a bucket, and whether and when that analysis occurred. The data is available for all the S3 buckets that Macie monitors and analyzes for your account. If you're the Macie administrator for an organization, this includes S3 buckets that your member accounts own.

Note that the data is available only for S3 general purpose buckets. Macie doesn't monitor or analyze S3 directory buckets. In addition, complete data is available for a bucket only if Macie can retrieve and process metadata from Amazon S3 for the bucket and the bucket's objects. Permissions settings, errors, or quotas might prevent Macie from retrieving and processing this information. If this happens, Macie can provide only a subset of information about a bucket, such as the bucket's name and the account ID for the AWS account that owns the bucket.

You can use the Amazon S3 Data Sources resource to retrieve (query) statistical data and other information about one or more S3 general purpose buckets that Macie monitors and analyzes for your account. To customize and refine your query, you can use the supported parameters to specify how to filter, sort, and paginate the query results. For more information about filter options, see Filtering your S3 bucket inventory in the Amazon Macie User Guide.

URI

/datasources/s3

HTTP methods

POST

Operation ID: DescribeBuckets

Retrieves (queries) statistical data and other information about one or more S3 buckets that Amazon Macie monitors and analyzes for an account.

Responses
  • 200 (DescribeBucketsResponse) - The request succeeded.

  • 400 (ValidationException) - The request failed because the input doesn't satisfy the constraints specified by the service.

  • 402 (ServiceQuotaExceededException) - The request failed because fulfilling the request would exceed one or more service quotas for your account.

  • 403 (AccessDeniedException) - The request was denied because you don't have sufficient access to the specified resource.

  • 404 (ResourceNotFoundException) - The request failed because the specified resource wasn't found.

  • 409 (ConflictException) - The request failed because it conflicts with the current state of the specified resource.

  • 429 (ThrottlingException) - The request failed because you sent too many requests during a certain amount of time.

  • 500 (InternalServerException) - The request failed due to an unknown internal server error, exception, or failure.

Schemas

Request bodies

Response bodies

DescribeBucketsResponse (200):

  {
    "buckets": [
      {
        "accountId": "string",
        "allowsUnencryptedObjectUploads": enum,
        "automatedDiscoveryMonitoringStatus": enum,
        "bucketArn": "string",
        "bucketCreatedAt": "string",
        "bucketName": "string",
        "classifiableObjectCount": integer,
        "classifiableSizeInBytes": integer,
        "errorCode": enum,
        "errorMessage": "string",
        "jobDetails": {
          "isDefinedInJob": enum,
          "isMonitoredByJob": enum,
          "lastJobId": "string",
          "lastJobRunTime": "string"
        },
        "lastAutomatedDiscoveryTime": "string",
        "lastUpdated": "string",
        "objectCount": integer,
        "objectCountByEncryptionType": {
          "customerManaged": integer,
          "kmsManaged": integer,
          "s3Managed": integer,
          "unencrypted": integer,
          "unknown": integer
        },
        "publicAccess": {
          "effectivePermission": enum,
          "permissionConfiguration": {
            "accountLevelPermissions": {
              "blockPublicAccess": {
                "blockPublicAcls": boolean,
                "blockPublicPolicy": boolean,
                "ignorePublicAcls": boolean,
                "restrictPublicBuckets": boolean
              }
            },
            "bucketLevelPermissions": {
              "accessControlList": {
                "allowsPublicReadAccess": boolean,
                "allowsPublicWriteAccess": boolean
              },
              "blockPublicAccess": {
                "blockPublicAcls": boolean,
                "blockPublicPolicy": boolean,
                "ignorePublicAcls": boolean,
                "restrictPublicBuckets": boolean
              },
              "bucketPolicy": {
                "allowsPublicReadAccess": boolean,
                "allowsPublicWriteAccess": boolean
              }
            }
          }
        },
        "region": "string",
        "replicationDetails": {
          "replicated": boolean,
          "replicatedExternally": boolean,
          "replicationAccounts": [ "string" ]
        },
        "sensitivityScore": integer,
        "serverSideEncryption": {
          "kmsMasterKeyId": "string",
          "type": enum
        },
        "sharedAccess": enum,
        "sizeInBytes": integer,
        "sizeInBytesCompressed": integer,
        "tags": [
          {
            "key": "string",
            "value": "string"
          }
        ],
        "unclassifiableObjectCount": {
          "fileType": integer,
          "storageClass": integer,
          "total": integer
        },
        "unclassifiableObjectSizeInBytes": {
          "fileType": integer,
          "storageClass": integer,
          "total": integer
        },
        "versioning": boolean
      }
    ],
    "nextToken": "string"
  }

Error responses (400, 402, 403, 404, 409, 429, 500) all share the same body:

  { "message": "string" }

Properties

AccessControlList

Provides information about the permissions settings of the bucket-level access control list (ACL) for an S3 bucket.

allowsPublicReadAccess

Specifies whether the ACL grants the general public read access permissions for the bucket.

  • Type: boolean

  • Required: False

allowsPublicWriteAccess

Specifies whether the ACL grants the general public write access permissions for the bucket.

  • Type: boolean

  • Required: False

AccessDeniedException

Provides information about an error that occurred due to insufficient access to a specified resource.

message

The explanation of the error that occurred.

  • Type: string

  • Required: False

AccountLevelPermissions

Provides information about the account-level permissions settings that apply to an S3 bucket.

blockPublicAccess

The block public access settings for the AWS account that owns the bucket.

  • Type: BlockPublicAccess

  • Required: False

AutomatedDiscoveryMonitoringStatus

Specifies whether automated sensitive data discovery is currently configured to analyze objects in an S3 bucket. Possible values are:

  • MONITORED

  • NOT_MONITORED

BlockPublicAccess

Provides information about the block public access settings for an S3 bucket. These settings can apply to a bucket at the account or bucket level. For detailed information about each setting, see Blocking public access to your Amazon S3 storage in the Amazon Simple Storage Service User Guide.

blockPublicAcls

Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.

  • Type: boolean

  • Required: False

blockPublicPolicy

Specifies whether Amazon S3 blocks public bucket policies for the bucket.

  • Type: boolean

  • Required: False

ignorePublicAcls

Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.

  • Type: boolean

  • Required: False

restrictPublicBuckets

Specifies whether Amazon S3 restricts public bucket policies for the bucket.

  • Type: boolean

  • Required: False

BucketCriteria

Specifies, as a map, one or more property-based conditions that filter the results of a query for information about S3 buckets.

*

Key-value pairs. Each key names the bucket property to filter on, and each value is a BucketCriteriaAdditionalProperties object that specifies the condition for that property.

  • Type: object

  • Required: False

BucketCriteriaAdditionalProperties

Specifies the operator to use in a property-based condition that filters the results of a query for information about S3 buckets.

eq

The value for the property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.

  • Type: Array of type string

  • Required: False

gt

The value for the property is greater than the specified value.

  • Type: integer

  • Required: False

  • Format: int64

gte

The value for the property is greater than or equal to the specified value.

  • Type: integer

  • Required: False

  • Format: int64

lt

The value for the property is less than the specified value.

  • Type: integer

  • Required: False

  • Format: int64

lte

The value for the property is less than or equal to the specified value.

  • Type: integer

  • Required: False

  • Format: int64

neq

The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.

  • Type: Array of type string

  • Required: False

prefix

The name of the bucket begins with the specified value.

  • Type: string

  • Required: False
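As an added example (not part of the Macie API reference), the following Python applies the BucketCriteria operator semantics described above to bucket records locally, so a filter can be checked against known records before it is sent or applied to returned pages after the fact. It assumes that property keys are dotted paths into a BucketMetadata record and that conditions on different properties are combined with AND; both are assumptions of this example, not statements from the reference.

```python
from typing import Any, Callable, Dict, List

# Comparison operators for the integer (int64) conditions documented above.
_RANGE_OPS: Dict[str, Callable[[int, int], bool]] = {
    "gt": lambda v, bound: v > bound,
    "gte": lambda v, bound: v >= bound,
    "lt": lambda v, bound: v < bound,
    "lte": lambda v, bound: v <= bound,
}


def _lookup(record: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'publicAccess.effectivePermission' in a
    BucketMetadata-shaped dict (assumed key convention). Missing keys give None."""
    value: Any = record
    for part in path.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def _same(value: Any, wanted: str) -> bool:
    """eq/neq values are strings; compare directly or via the string form."""
    return value == wanted or str(value) == wanted


def matches_condition(record: Dict[str, Any], prop: str, cond: Dict[str, Any]) -> bool:
    """Apply one BucketCriteriaAdditionalProperties condition to one record.
    Every operator present in the condition must hold."""
    value = _lookup(record, prop)
    # eq: OR across the listed values.
    if "eq" in cond and not any(_same(value, v) for v in cond["eq"]):
        return False
    # neq: the value must match none of the listed values.
    if "neq" in cond and any(_same(value, v) for v in cond["neq"]):
        return False
    # gt/gte/lt/lte: numeric comparisons; a null or non-integer value never matches.
    for op, test in _RANGE_OPS.items():
        if op in cond:
            if not isinstance(value, int) or isinstance(value, bool) or not test(value, cond[op]):
                return False
    # prefix: applies to the bucket name, as the reference states.
    if "prefix" in cond and not str(record.get("bucketName", "")).startswith(cond["prefix"]):
        return False
    return True


def filter_buckets(records: List[Dict[str, Any]], criteria: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return the names of the records that satisfy every property condition in
    the criteria map (assumption: conditions on different properties are ANDed)."""
    return [
        r["bucketName"]
        for r in records
        if all(matches_condition(r, prop, cond) for prop, cond in criteria.items())
    ]


# Constructed sample records (not real account data), trimmed to the fields
# the criteria below touch.
SAMPLE_BUCKETS: List[Dict[str, Any]] = [
    {"bucketName": "prod-logs", "region": "us-east-1", "sizeInBytes": 5000,
     "publicAccess": {"effectivePermission": "PUBLIC"}},
    {"bucketName": "prod-data", "region": "us-east-1", "sizeInBytes": 0,
     "publicAccess": {"effectivePermission": "NOT_PUBLIC"}},
    {"bucketName": "dev-scratch", "region": "eu-west-1", "sizeInBytes": 120,
     "publicAccess": {"effectivePermission": "UNKNOWN"}},
]

if __name__ == "__main__":
    # Buckets that are public, or whose public status Macie could not determine.
    print(filter_buckets(SAMPLE_BUCKETS,
                         {"publicAccess.effectivePermission": {"eq": ["PUBLIC", "UNKNOWN"]}}))
```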

BucketLevelPermissions

Provides information about the bucket-level permissions settings for an S3 bucket.

accessControlList

The permissions settings of the access control list (ACL) for the bucket. This value is null if an ACL hasn't been defined for the bucket.

  • Type: AccessControlList

  • Required: False

blockPublicAccess

The block public access settings for the bucket.

  • Type: BlockPublicAccess

  • Required: False

bucketPolicy

The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn't been defined for the bucket.

  • Type: BucketPolicy

  • Required: False

BucketMetadata

Provides statistical data and other information about an S3 bucket that Amazon Macie monitors and analyzes for your account. By default, object count and storage size values include data for object parts that are the result of incomplete multipart uploads. For more information, see How Macie monitors Amazon S3 data security in the Amazon Macie User Guide.

If an error or issue prevents Macie from retrieving and processing metadata from Amazon S3 for the bucket or the bucket's objects, the value for the versioning property is false and the value for most other properties is null or UNKNOWN. Key exceptions are accountId, bucketArn, bucketCreatedAt, bucketName, lastUpdated, and region. To identify the cause, refer to the errorCode and errorMessage values.

accountId

The unique identifier for the AWS account that owns the bucket.

  • Type: string

  • Required: False

allowsUnencryptedObjectUploads

Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are added to the bucket. Possible values are:

  • FALSE - The bucket policy requires server-side encryption of new objects. PutObject requests must include a valid server-side encryption header.

  • TRUE - The bucket doesn't have a bucket policy or it has a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, it doesn't require PutObject requests to include a valid server-side encryption header.

  • UNKNOWN - Amazon Macie can't determine whether the bucket policy requires server-side encryption of new objects.

Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.

  • Type: string

  • Required: False

  • Values: TRUE | FALSE | UNKNOWN

automatedDiscoveryMonitoringStatus

Specifies whether automated sensitive data discovery is currently configured to analyze objects in the bucket. Possible values are MONITORED (the bucket is included in analyses) and NOT_MONITORED (the bucket is excluded from analyses). If automated sensitive data discovery is disabled for your account, this value is NOT_MONITORED.

  • Type: AutomatedDiscoveryMonitoringStatus

  • Required: False

bucketArn

The Amazon Resource Name (ARN) of the bucket.

  • Type: string

  • Required: False

bucketCreatedAt

The date and time, in UTC and extended ISO 8601 format, when the bucket was created. This value can also indicate when changes such as edits to the bucket's policy were most recently made to the bucket.

  • Type: string

  • Required: False

  • Format: date-time

bucketName

The name of the bucket.

  • Type: string

  • Required: False

classifiableObjectCount

The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

  • Type: integer

  • Required: False

  • Format: int64

classifiableSizeInBytes

The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.

  • Type: integer

  • Required: False

  • Format: int64

errorCode

The code for an error or issue that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. Possible values are:

  • ACCESS_DENIED - Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request.

  • BUCKET_COUNT_EXCEEDS_QUOTA - Retrieving and processing the information would exceed the quota for the number of buckets that Macie monitors for an account (10,000).

If this value is null, Macie was able to retrieve and process the information.

  • Type: BucketMetadataErrorCode

  • Required: False

errorMessage

A brief description of the error or issue (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.

  • Type: string

  • Required: False

jobDetails

Specifies whether any one-time or recurring classification jobs are configured to analyze objects in the bucket, and, if so, the details of the job that ran most recently.

  • Type: JobDetails

  • Required: False

lastAutomatedDiscoveryTime

The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed objects in the bucket while performing automated sensitive data discovery. This value is null if this analysis hasn't occurred.

  • Type: string

  • Required: False

  • Format: date-time

lastUpdated

The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved bucket or object metadata from Amazon S3 for the bucket.

  • Type: string

  • Required: False

  • Format: date-time

objectCount

The total number of objects in the bucket.

  • Type: integer

  • Required: False

  • Format: int64

objectCountByEncryptionType

The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.

  • Type: ObjectCountByEncryptionType

  • Required: False

publicAccess

Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket, and provides information about those settings.

  • Type: BucketPublicAccess

  • Required: False

region

The AWS Region that hosts the bucket.

  • Type: string

  • Required: False

replicationDetails

Specifies whether the bucket is configured to replicate one or more objects to buckets for other AWS accounts and, if so, which accounts.

  • Type: ReplicationDetails

  • Required: False

sensitivityScore

The sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive).

If automated sensitive data discovery has never been enabled for your account, or it's been disabled for your organization or standalone account for more than 30 days, possible values are 1 (the bucket is empty) or 50 (the bucket stores objects but has been excluded from recent analyses).

  • Type: integer

  • Required: False

  • Format: int32

serverSideEncryption

The default server-side encryption settings for the bucket.

  • Type: BucketServerSideEncryption

  • Required: False

sharedAccess

Specifies whether the bucket is shared with another AWS account, an Amazon CloudFront origin access identity (OAI), or a CloudFront origin access control (OAC). Possible values are:

  • EXTERNAL - The bucket is shared with one or more of the following, in any combination: a CloudFront OAI, a CloudFront OAC, or an AWS account that isn't part of your Amazon Macie organization.

  • INTERNAL - The bucket is shared with one or more AWS accounts that are part of your Amazon Macie organization. It isn't shared with a CloudFront OAI or OAC.

  • NOT_SHARED - The bucket isn't shared with another AWS account, a CloudFront OAI, or a CloudFront OAC.

  • UNKNOWN - Amazon Macie wasn't able to evaluate the shared access settings for the bucket.

An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through AWS Organizations or by Macie invitation.

  • Type: string

  • Required: False

  • Values: EXTERNAL | INTERNAL | NOT_SHARED | UNKNOWN

sizeInBytes

The total storage size, in bytes, of the bucket.

If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.

  • Type: integer

  • Required: False

  • Format: int64

sizeInBytesCompressed

The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.

If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.

  • Type: integer

  • Required: False

  • Format: int64

tags

An array that specifies the tags (keys and values) that are associated with the bucket.

  • Type: Array of type KeyValuePair

  • Required: False

unclassifiableObjectCount

The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

  • Type: ObjectLevelStatistics

  • Required: False

unclassifiableObjectSizeInBytes

The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

  • Type: ObjectLevelStatistics

  • Required: False

versioning

Specifies whether versioning is enabled for the bucket.

  • Type: boolean

  • Required: False
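The following Python is an added example, not code from the reference or from Macie itself. It pages through DescribeBuckets results by following nextToken and labels each BucketMetadata record using the fields documented above, treating a record with errorCode set as incomplete rather than scoring its null or UNKNOWN values as safe. The fetch_page callable is an assumption: in practice it would wrap a boto3 macie2 client's describe_buckets call; here it is fed constructed sample pages so the example runs offline.

```python
from typing import Any, Callable, Dict, Iterator, List, Optional

Page = Dict[str, Any]
FetchPage = Callable[[Optional[str]], Page]


def iterate_buckets(fetch_page: FetchPage) -> Iterator[Dict[str, Any]]:
    """Yield every BucketMetadata record, requesting the next page with the
    nextToken from the previous one until the service stops returning one."""
    token: Optional[str] = None
    while True:
        page = fetch_page(token)
        yield from page.get("buckets") or []
        token = page.get("nextToken")
        if not token:
            return


def triage_bucket(bucket: Dict[str, Any]) -> List[str]:
    """Return finding labels for one record, based on the fields documented above."""
    # errorCode set: Macie could not read the bucket's metadata, so most other
    # fields are null/UNKNOWN. Report that instead of scoring nulls as "clean".
    if bucket.get("errorCode"):
        return ["INCOMPLETE_DATA:%s" % bucket["errorCode"]]
    findings: List[str] = []
    public = (bucket.get("publicAccess") or {}).get("effectivePermission")
    if public == "PUBLIC":
        findings.append("PUBLIC_ACCESS")
    elif public == "UNKNOWN":
        findings.append("PUBLIC_ACCESS_UNKNOWN")
    if bucket.get("allowsUnencryptedObjectUploads") == "TRUE":
        findings.append("UNENCRYPTED_UPLOADS_ALLOWED")  # policy does not require SSE
    if (bucket.get("serverSideEncryption") or {}).get("type") == "NONE":
        findings.append("NO_DEFAULT_ENCRYPTION")
    unencrypted = (bucket.get("objectCountByEncryptionType") or {}).get("unencrypted") or 0
    if unencrypted:
        findings.append("UNENCRYPTED_OBJECTS:%d" % unencrypted)
    if bucket.get("sharedAccess") == "EXTERNAL":
        findings.append("SHARED_EXTERNALLY")  # shared outside the Macie organization
    if (bucket.get("replicationDetails") or {}).get("replicatedExternally"):
        findings.append("REPLICATED_EXTERNALLY")
    if bucket.get("automatedDiscoveryMonitoringStatus") == "NOT_MONITORED":
        findings.append("NOT_MONITORED")  # excluded from automated discovery
    return findings


def triage(fetch_page: FetchPage) -> Dict[str, List[str]]:
    """Map bucket name -> findings for every bucket the query returns."""
    return {str(b["bucketName"]): triage_bucket(b) for b in iterate_buckets(fetch_page)}


# Constructed sample pages (not real account data), shaped like the
# DescribeBucketsResponse body above and keyed by the nextToken that fetches them.
SAMPLE_PAGES: Dict[Optional[str], Page] = {
    None: {
        "buckets": [
            {
                "bucketName": "public-assets", "errorCode": None,
                "allowsUnencryptedObjectUploads": "TRUE",
                "automatedDiscoveryMonitoringStatus": "MONITORED",
                "publicAccess": {"effectivePermission": "PUBLIC"},
                "serverSideEncryption": {"kmsMasterKeyId": None, "type": "NONE"},
                "objectCountByEncryptionType": {"s3Managed": 10, "unencrypted": 4},
                "sharedAccess": "NOT_SHARED",
                "replicationDetails": {"replicated": False, "replicatedExternally": False},
            },
            {
                # Partial record: Macie was denied access, so the rest is null/UNKNOWN.
                "bucketName": "locked-down", "errorCode": "ACCESS_DENIED",
                "errorMessage": "constructed: access denied by bucket policy",
                "allowsUnencryptedObjectUploads": "UNKNOWN",
                "publicAccess": {"effectivePermission": "UNKNOWN"},
                "serverSideEncryption": None, "objectCountByEncryptionType": None,
                "sharedAccess": "UNKNOWN", "replicationDetails": None, "versioning": False,
            },
        ],
        "nextToken": "page-2",
    },
    "page-2": {
        "buckets": [
            {
                "bucketName": "finance-archive", "errorCode": None,
                "allowsUnencryptedObjectUploads": "FALSE",
                "automatedDiscoveryMonitoringStatus": "NOT_MONITORED",
                "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
                "serverSideEncryption": {"kmsMasterKeyId": "KEY-ID-PLACEHOLDER", "type": "aws:kms"},
                "objectCountByEncryptionType": {"kmsManaged": 3000, "unencrypted": 0},
                "sharedAccess": "EXTERNAL",
                "replicationDetails": {"replicated": True, "replicatedExternally": True,
                                       "replicationAccounts": ["444455556666"]},
            },
        ],
        "nextToken": None,
    },
}


def sample_fetch_page(token: Optional[str]) -> Page:
    """Stand-in (assumption) for a wrapper around a boto3 macie2 client's
    describe_buckets call that passes nextToken only when one is set."""
    return SAMPLE_PAGES[token]
```

Calling triage(sample_fetch_page) walks both sample pages and returns the findings per bucket; the "locked-down" record comes back as INCOMPLETE_DATA:ACCESS_DENIED, which is the case to follow up on rather than ignore.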

BucketMetadataErrorCode

The code for an error or issue that prevented Amazon Macie from retrieving and processing information about an S3 bucket and the bucket's objects.

  • ACCESS_DENIED

  • BUCKET_COUNT_EXCEEDS_QUOTA

BucketPermissionConfiguration

Provides information about the account-level and bucket-level permissions settings for an S3 bucket.

accountLevelPermissions

The account-level permissions settings that apply to the bucket.

  • Type: AccountLevelPermissions

  • Required: False

bucketLevelPermissions

The bucket-level permissions settings for the bucket.

  • Type: BucketLevelPermissions

  • Required: False

BucketPolicy

Provides information about the permissions settings of the bucket policy for an S3 bucket.

allowsPublicReadAccess

Specifies whether the bucket policy allows the general public to have read access to the bucket.

  • Type: boolean

  • Required: False

allowsPublicWriteAccess

Specifies whether the bucket policy allows the general public to have write access to the bucket.

  • Type: boolean

  • Required: False

BucketPublicAccess

Provides information about the permissions settings that determine whether an S3 bucket is publicly accessible.

effectivePermission

Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket. Possible values are:

  • NOT_PUBLIC - The bucket isn't publicly accessible.

  • PUBLIC - The bucket is publicly accessible.

  • UNKNOWN - Amazon Macie can't determine whether the bucket is publicly accessible.

  • Type: string

  • Required: False

  • Values: PUBLIC | NOT_PUBLIC | UNKNOWN

permissionConfiguration

The account-level and bucket-level permissions settings for the bucket.

  • Type: BucketPermissionConfiguration

  • Required: False

BucketServerSideEncryption

Provides information about the default server-side encryption settings for an S3 bucket. For detailed information about these settings, see Setting default server-side encryption behavior for Amazon S3 buckets in the Amazon Simple Storage Service User Guide.

| Property | Type | Required | Description |
|---|---|---|---|
| kmsMasterKeyId | string | False | The Amazon Resource Name (ARN) or unique identifier (key ID) for the AWS KMS key that's used by default to encrypt objects that are added to the bucket. This value is null if the bucket is configured to use an Amazon S3 managed key to encrypt new objects. |
| type | string (Values: NONE, AES256, aws:kms, aws:kms:dsse) | False | The server-side encryption algorithm that's used by default to encrypt objects that are added to the bucket. Possible values are: AES256 - New objects use SSE-S3 encryption; they're encrypted with an Amazon S3 managed key. aws:kms - New objects use SSE-KMS encryption; they're encrypted with an AWS KMS key (kmsMasterKeyId), either an AWS managed key or a customer managed key. aws:kms:dsse - New objects use DSSE-KMS encryption; they're encrypted with an AWS KMS key (kmsMasterKeyId), either an AWS managed key or a customer managed key. NONE - The bucket's default encryption settings don't specify server-side encryption behavior for new objects. |

BucketSortCriteria

Specifies criteria for sorting the results of a query for information about S3 buckets.

| Property | Type | Required | Description |
|---|---|---|---|
| attributeName | string | False | The name of the bucket property to sort the results by. This value can be one of the following properties that Amazon Macie defines as bucket metadata: accountId, bucketName, classifiableObjectCount, classifiableSizeInBytes, objectCount, sensitivityScore, or sizeInBytes. |
| orderBy | string (Values: ASC, DESC) | False | The sort order to apply to the results, based on the value specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and DESC, sort the results in descending order. |

ConflictException

Provides information about an error that occurred due to a versioning conflict for a specified resource.

| Property | Type | Required | Description |
|---|---|---|---|
| message | string | False | The explanation of the error that occurred. |

DescribeBucketsRequest

Specifies criteria for filtering, sorting, and paginating the results of a query for statistical data and other information about S3 buckets.

| Property | Type | Required | Description |
|---|---|---|---|
| criteria | BucketCriteria | False | The criteria to use to filter the query results. |
| maxResults | integer (Format: int32) | False | The maximum number of items to include in each page of the response. The default value is 50. |
| nextToken | string | False | The nextToken string that specifies which page of results to return in a paginated response. |
| sortCriteria | BucketSortCriteria | False | The criteria to use to sort the query results. |

DescribeBucketsResponse

Provides the results of a query that retrieved statistical data and other information about one or more S3 buckets that Amazon Macie monitors and analyzes for your account.

| Property | Type | Required | Description |
|---|---|---|---|
| buckets | Array of type BucketMetadata | False | An array of objects, one for each bucket that matches the filter criteria specified in the request. |
| nextToken | string | False | The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages. |

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

| Property | Type | Required | Description |
|---|---|---|---|
| message | string | False | The explanation of the error that occurred. |

JobDetails

Specifies whether any one-time or recurring classification jobs are configured to analyze objects in an S3 bucket, and, if so, the details of the job that ran most recently.

| Property | Type | Required | Description |
|---|---|---|---|
| isDefinedInJob | string (Values: TRUE, FALSE, UNKNOWN) | False | Specifies whether any one-time or recurring jobs are configured to analyze objects in the bucket. Possible values are: TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more jobs and at least one of those jobs has a status other than CANCELLED, or the bucket matched the bucket criteria (S3BucketCriteriaForJob) for at least one job that previously ran. FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any jobs, all the jobs that explicitly include the bucket in their bucket definitions have a status of CANCELLED, or the bucket didn't match the bucket criteria (S3BucketCriteriaForJob) for any jobs that previously ran. UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket. |
| isMonitoredByJob | string (Values: TRUE, FALSE, UNKNOWN) | False | Specifies whether any recurring jobs are configured to analyze objects in the bucket. Possible values are: TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more recurring jobs or the bucket matches the bucket criteria (S3BucketCriteriaForJob) for one or more recurring jobs, and at least one of those jobs has a status other than CANCELLED. FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any recurring jobs, the bucket doesn't match the bucket criteria (S3BucketCriteriaForJob) for any recurring jobs, or all the recurring jobs that are configured to analyze data in the bucket have a status of CANCELLED. UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket. |
| lastJobId | string | False | The unique identifier for the job that ran most recently and is configured to analyze objects in the bucket, either the latest run of a recurring job or the only run of a one-time job. This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN. |
| lastJobRunTime | string (Format: date-time) | False | The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started. This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN. |

KeyValuePair

Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.

| Property | Type | Required | Description |
|---|---|---|---|
| key | string | False | One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values. |
| value | string | False | One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string. |

ObjectCountByEncryptionType

Provides information about the number of objects that are in an S3 bucket and use certain types of server-side encryption, use client-side encryption, or aren't encrypted.

| Property | Type | Required | Description |
|---|---|---|---|
| customerManaged | integer (Format: int64) | False | The total number of objects that are encrypted with customer-provided keys. The objects use server-side encryption with customer-provided keys (SSE-C). |
| kmsManaged | integer (Format: int64) | False | The total number of objects that are encrypted with AWS KMS keys, either AWS managed keys or customer managed keys. The objects use dual-layer server-side encryption or server-side encryption with AWS KMS keys (DSSE-KMS or SSE-KMS). |
| s3Managed | integer (Format: int64) | False | The total number of objects that are encrypted with Amazon S3 managed keys. The objects use server-side encryption with Amazon S3 managed keys (SSE-S3). |
| unencrypted | integer (Format: int64) | False | The total number of objects that use client-side encryption or aren't encrypted. |
| unknown | integer (Format: int64) | False | The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects. |

ObjectLevelStatistics

Provides information about the total storage size (in bytes) or number of objects that Amazon Macie can't analyze in one or more S3 buckets. In a BucketMetadata or MatchingBucket object, this data is for a specific bucket. In a GetBucketStatisticsResponse object, this data is aggregated for all the buckets in the query results. If versioning is enabled for a bucket, storage size values are based on the size of the latest version of each applicable object in the bucket.

| Property | Type | Required | Description |
|---|---|---|---|
| fileType | integer (Format: int64) | False | The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format. |
| storageClass | integer (Format: int64) | False | The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class. |
| total | integer (Format: int64) | False | The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format. |

ReplicationDetails

Provides information about settings that define whether one or more objects in an S3 bucket are replicated to S3 buckets for other AWS accounts and, if so, which accounts.

| Property | Type | Required | Description |
|---|---|---|---|
| replicated | boolean | False | Specifies whether the bucket is configured to replicate one or more objects to any destination. |
| replicatedExternally | boolean | False | Specifies whether the bucket is configured to replicate one or more objects to a bucket for an AWS account that isn't part of your Amazon Macie organization. An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through AWS Organizations or by Macie invitation. |
| replicationAccounts | Array of type string | False | An array of AWS account IDs, one for each AWS account that owns a bucket that the bucket is configured to replicate one or more objects to. |
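As an added example (not part of this reference or of Amazon's code), the following Python walks DescribeBuckets pages through nextToken using the maxResults and sortCriteria request fields described above, then applies reviewer checks to each bucket's BucketPublicAccess, BucketServerSideEncryption, ObjectCountByEncryptionType, ReplicationDetails and JobDetails data. It assumes the per-bucket field names publicAccess, serverSideEncryption, objectCountByEncryptionType, replicationDetails and jobDetails from the Macie BucketMetadata schema, and the response pages, account IDs, key ARN and job ID are all constructed.

```python
"""Added example (not Amazon's code): walk a paginated DescribeBuckets response
and flag bucket settings a reviewer would follow up on. The per-bucket fields
publicAccess, serverSideEncryption, objectCountByEncryptionType, replicationDetails
and jobDetails are assumed from the Macie BucketMetadata schema; pages are constructed."""
from typing import Callable, Iterator

# Constructed pages shaped like DescribeBucketsResponse, keyed by the nextToken that fetches them.
SAMPLE_PAGES = {
    None: {"buckets": [{
        "accountId": "111111111111", "bucketName": "public-assets",
        "publicAccess": {"effectivePermission": "PUBLIC"},
        "serverSideEncryption": {"type": "NONE", "kmsMasterKeyId": None},
        "objectCountByEncryptionType": {"customerManaged": 0, "kmsManaged": 0,
                                        "s3Managed": 10, "unencrypted": 4, "unknown": 0},
        "replicationDetails": {"replicated": True, "replicatedExternally": True,
                               "replicationAccounts": ["222222222222"]},
        "jobDetails": {"isDefinedInJob": "FALSE", "isMonitoredByJob": "FALSE",
                       "lastJobId": None, "lastJobRunTime": None}}],
        "nextToken": "page-2"},
    "page-2": {"buckets": [{
        "accountId": "111111111111", "bucketName": "finance-archive",
        "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
        "serverSideEncryption": {"type": "aws:kms",
                                 "kmsMasterKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
        "objectCountByEncryptionType": {"customerManaged": 0, "kmsManaged": 1200,
                                        "s3Managed": 0, "unencrypted": 0, "unknown": 3},
        "replicationDetails": {"replicated": False, "replicatedExternally": False,
                               "replicationAccounts": []},
        "jobDetails": {"isDefinedInJob": "TRUE", "isMonitoredByJob": "TRUE",
                       "lastJobId": "constructed-job-id", "lastJobRunTime": "2024-01-01T00:00:00Z"}}],
        "nextToken": None},
}

def fake_describe_buckets(request: dict) -> dict:
    """Hypothetical stand-in for POST /datasources/s3; serves the constructed pages."""
    return SAMPLE_PAGES[request.get("nextToken")]

def iter_buckets(call: Callable[[dict], dict], max_results: int = 50) -> Iterator[dict]:
    """Yield every bucket entry, following nextToken until the response returns null."""
    request = {"maxResults": max_results,  # DescribeBucketsRequest fields
               "sortCriteria": {"attributeName": "sensitivityScore", "orderBy": "DESC"}}
    while True:
        page = call(request)
        yield from page.get("buckets", [])
        token = page.get("nextToken")
        if not token:
            return
        request = {**request, "nextToken": token}

def triage(bucket: dict) -> list[str]:
    """Findings for one bucket entry; missing data is treated as unknown, not as safe."""
    findings = []
    perm = bucket.get("publicAccess", {}).get("effectivePermission", "UNKNOWN")
    if perm != "NOT_PUBLIC":                      # PUBLIC and UNKNOWN both need review
        findings.append(f"public-access:{perm}")
    if bucket.get("serverSideEncryption", {}).get("type", "NONE") == "NONE":
        findings.append("no-default-encryption")  # new objects may be stored unencrypted
    counts = bucket.get("objectCountByEncryptionType", {})
    if counts.get("unencrypted", 0):
        findings.append(f"unencrypted-objects:{counts['unencrypted']}")
    if counts.get("unknown", 0):                  # Macie lacks current encryption metadata
        findings.append(f"unknown-encryption:{counts['unknown']}")
    if bucket.get("replicationDetails", {}).get("replicatedExternally"):
        findings.append("replicated-outside-org")
    if bucket.get("jobDetails", {}).get("isMonitoredByJob") != "TRUE":
        findings.append("not-monitored-by-recurring-job")
    return findings

def review(call: Callable[[dict], dict]) -> dict[str, list[str]]:
    return {b["bucketName"]: triage(b) for b in iter_buckets(call)}
```

Swap `fake_describe_buckets` for a real client call to run this against a live inventory; the checks themselves only read the fields documented on this page.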

ResourceNotFoundException

Provides information about an error that occurred because a specified resource wasn't found.

| Property | Type | Required | Description |
|---|---|---|---|
| message | string | False | The explanation of the error that occurred. |

ServiceQuotaExceededException

Provides information about an error that occurred due to one or more service quotas for an account.

| Property | Type | Required | Description |
|---|---|---|---|
| message | string | False | The explanation of the error that occurred. |

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

| Property | Type | Required | Description |
|---|---|---|---|
| message | string | False | The explanation of the error that occurred. |

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

| Property | Type | Required | Description |
|---|---|---|---|
| message | string | False | The explanation of the error that occurred. |

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

DescribeBuckets