Automated Sensitive Data Discovery - Configuration - Amazon Macie

The Configuration resource for automated sensitive data discovery provides access to configuration settings for performing automated sensitive data discovery, and the status of the configuration. To manage the configuration settings and status of automated sensitive data discovery, your account must be the Amazon Macie administrator account for an organization or a standalone Macie account.

If you enable automated sensitive data discovery, Macie continually evaluates your inventory of Amazon Simple Storage Service (Amazon S3) general purpose buckets and uses sampling techniques to identify and select representative objects in the buckets. Macie then retrieves and analyzes the selected objects, inspecting them for sensitive data. If you're the Macie administrator for an organization, this can include objects in buckets that your member accounts own.

You can monitor and review analyses' results in resource sensitivity profiles, statistical data, and other information that Macie produces and provides about your Amazon S3 data. These results are in addition to sensitive data findings, which report sensitive data that Macie finds in individual S3 objects, and sensitive data discovery results, which log details about the analysis of individual S3 objects. For more information, see Performing automated sensitive data discovery in the Amazon Macie User Guide.

To customize the analyses, change the configuration settings for your account. The settings include a classification scope and a sensitivity inspection template. The classification scope specifies S3 buckets that you want to exclude from analyses, such as buckets that typically store AWS logging data. The sensitivity inspection template specifies the allow lists, custom data identifiers, and managed data identifiers that you want Macie to use when it analyzes S3 objects. To change these settings, use the Classification Scope and Sensitivity Inspection Template resources.

If you're the Macie administrator for an organization, Macie uses the classification scope and sensitivity inspection template for your account when it analyzes data for other accounts in your organization. To refine the scope of the analyses, you have several options:

  • Automatically include or exclude accounts - When you enable automated sensitive data discovery, you also specify whether to enable it automatically for all existing accounts and new member accounts, only new member accounts, or no accounts. If it's enabled for an account, Macie includes S3 buckets that the account owns. If it's disabled for an account, Macie excludes buckets that the account owns.

  • Include or exclude specific accounts - After you enable automated sensitive data discovery, you can enable or disable it for individual accounts on a case-by-case basis. To do this, use the Accounts resource for automated sensitive data discovery. If you enable it for an account, Macie includes S3 buckets that the account owns. If you disable it for an account, Macie excludes buckets that the account owns.

  • Exclude specific S3 buckets - If you enable automated sensitive data discovery for one or more accounts, you can exclude particular buckets that the accounts own. Macie then skips those buckets when it analyzes data for your organization. To exclude particular buckets, update the classification scope for your administrator account. You can do this by using the Classification Scope resource.

If you disable automated sensitive data discovery for your organization or standalone account, Macie retains your configuration settings. However, Macie stops performing all automated sensitive data discovery activities for your organization or account. In addition, you lose access to all resource sensitivity profiles, statistical data, and other information that Macie produced and directly provided about your Amazon S3 data while performing those activities. This doesn't include sensitive data findings. Macie stores findings for 90 days.

After you disable automated sensitive data discovery for your organization or standalone account, you can enable it again. Macie then resumes all automated sensitive data discovery activities for your organization or account. If you re-enable it within 30 days, you regain access to resource sensitivity profiles, statistical data, and other information that Macie previously produced and directly provided while performing those activities. If you don't re-enable it within 30 days, Macie permanently deletes these profiles and the statistical data and other information that it produced and directly provided.

If you're the Macie administrator for an organization or you have a standalone Macie account, you can use the Configuration resource to retrieve your current configuration settings for automated sensitive data discovery. You can also enable or disable automated sensitive data discovery for your organization or account.
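As an added example (not code from the Macie documentation or the Macie service), the following Python applies two rules stated above to a response in the GetAutomatedDiscoveryConfigurationResponse shape: the 30-day window for re-enabling before Macie permanently deletes profiles and statistical data, and the organization coverage implied by autoEnableOrganizationMembers. The sample responses are constructed, and the function names are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Union

# Constructed (hypothetical) responses in the GetAutomatedDiscoveryConfigurationResponse shape.
SAMPLE_ENABLED = {
    "autoEnableOrganizationMembers": "ALL", "classificationScopeId": "example-scope-id",
    "disabledAt": None, "firstEnabledAt": "2024-01-15T08:00:00.000Z",
    "lastUpdatedAt": "2024-01-15T08:00:00.000Z",
    "sensitivityInspectionTemplateId": "example-template-id", "status": "ENABLED",
}
SAMPLE_DISABLED = dict(SAMPLE_ENABLED, status="DISABLED", autoEnableOrganizationMembers="NEW",
                       disabledAt="2024-05-01T10:00:00.000Z", lastUpdatedAt="2024-05-01T10:00:00.000Z")

RETENTION_DAYS = 30  # re-enable within this many days of disabledAt or Macie deletes the profiles


def parse_ts(value: Union[str, datetime, None]) -> Optional[datetime]:
    """Parse a UTC extended ISO 8601 timestamp such as 2024-05-01T10:00:00.000Z; None stays None."""
    if value is None:
        return None
    if isinstance(value, datetime):  # SDK clients typically return datetime objects for these fields
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def days_until_profile_deletion(config: Dict[str, Any], now: Union[str, datetime]) -> Optional[int]:
    """Days left to re-enable before Macie permanently deletes profiles; None when not DISABLED."""
    disabled_at = parse_ts(config.get("disabledAt"))
    if config.get("status") != "DISABLED" or disabled_at is None:
        return None
    remaining = disabled_at + timedelta(days=RETENTION_DAYS) - parse_ts(now)
    return max(remaining.days, 0)


def audit_configuration(config: Dict[str, Any], now: Union[str, datetime], is_org_admin: bool) -> List[str]:
    """Return the coverage findings a reviewer would raise about this configuration."""
    findings = []
    if config.get("status") != "ENABLED":
        left = days_until_profile_deletion(config, now)
        note = "" if left is None else f"; {left} day(s) left before existing profiles are deleted"
        findings.append("automated sensitive data discovery is not ENABLED" + note)
    mode = config.get("autoEnableOrganizationMembers")
    if is_org_admin and mode != "ALL":
        # NEW or NONE leaves existing member accounts at whatever per-account state they already have.
        findings.append(f"autoEnableOrganizationMembers is {mode}; some member accounts may be uncovered")
    return findings
```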

URI

/automated-discovery/configuration

HTTP methods

GET

Operation ID: GetAutomatedDiscoveryConfiguration

Retrieves the configuration settings and status of automated sensitive data discovery for an organization or standalone account.

Responses

Status code | Response model | Description
200 | GetAutomatedDiscoveryConfigurationResponse | The request succeeded.
400 | ValidationException | The request failed because the input doesn't satisfy the constraints specified by the service.
403 | AccessDeniedException | The request was denied because you don't have sufficient access to the specified resource.
429 | ThrottlingException | The request failed because you sent too many requests during a certain amount of time.
500 | InternalServerException | The request failed due to an unknown internal server error, exception, or failure.

PUT

Operation ID: UpdateAutomatedDiscoveryConfiguration

Changes the configuration settings and status of automated sensitive data discovery for an organization or standalone account.

Responses

Status code | Response model | Description
200 | Empty Schema | The request succeeded. The status was updated and there isn't any content to include in the body of the response (No Content).
400 | ValidationException | The request failed because the input doesn't satisfy the constraints specified by the service.
403 | AccessDeniedException | The request was denied because you don't have sufficient access to the specified resource.
429 | ThrottlingException | The request failed because you sent too many requests during a certain amount of time.
500 | InternalServerException | The request failed due to an unknown internal server error, exception, or failure.

Schemas

Request bodies

Response bodies

GetAutomatedDiscoveryConfigurationResponse:
{ "autoEnableOrganizationMembers": enum, "classificationScopeId": "string", "disabledAt": "string", "firstEnabledAt": "string", "lastUpdatedAt": "string", "sensitivityInspectionTemplateId": "string", "status": enum }

Empty:
{ }

AccessDeniedException, InternalServerException, ThrottlingException, ValidationException (each):
{ "message": "string" }

Properties

AccessDeniedException

Provides information about an error that occurred due to insufficient access to a specified resource.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

AutoEnableMode

Specifies whether to automatically enable automated sensitive data discovery for accounts that are part of an organization in Amazon Macie. Valid values are:

  • ALL

  • NEW

  • NONE

AutomatedDiscoveryStatus

The status of the automated sensitive data discovery configuration for an organization in Amazon Macie or a standalone Macie account. Valid values are:

  • ENABLED

  • DISABLED

Empty

The request succeeded and there isn't any content to include in the body of the response (No Content).

GetAutomatedDiscoveryConfigurationResponse

Provides information about the configuration settings and status of automated sensitive data discovery for an organization in Amazon Macie or a standalone Macie account.

Property | Type | Required | Description
autoEnableOrganizationMembers | AutoEnableMode | False | Specifies whether automated sensitive data discovery is enabled automatically for accounts in the organization. Possible values are: ALL, enable it for all existing accounts and new member accounts; NEW, enable it only for new member accounts; and NONE, don't enable it for any accounts.
classificationScopeId | string | False | The unique identifier for the classification scope that's used when performing automated sensitive data discovery. The classification scope specifies S3 buckets to exclude from analyses.
disabledAt | string | False | The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was most recently disabled. This value is null if automated sensitive data discovery is currently enabled.
firstEnabledAt | string | False | The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was initially enabled. This value is null if automated sensitive data discovery has never been enabled.
lastUpdatedAt | string | False | The date and time, in UTC and extended ISO 8601 format, when the configuration settings or status of automated sensitive data discovery was most recently changed.
sensitivityInspectionTemplateId | string | False | The unique identifier for the sensitivity inspection template that's used when performing automated sensitive data discovery. The template specifies which allow lists, custom data identifiers, and managed data identifiers to use when analyzing data.
status | AutomatedDiscoveryStatus | False | The current status of automated sensitive data discovery for the organization or account. Possible values are: ENABLED, use the specified settings to perform automated sensitive data discovery activities; and DISABLED, don't perform automated sensitive data discovery activities.

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

UpdateAutomatedDiscoveryConfigurationRequest

Changes the configuration settings and status of automated sensitive data discovery for an organization in Amazon Macie or a standalone Macie account. To change additional settings, such as the managed data identifiers to use when analyzing data, update the sensitivity inspection template and classification scope for the organization's Macie administrator account or the standalone account.

Property | Type | Required | Description
autoEnableOrganizationMembers | AutoEnableMode | False | Specifies whether to automatically enable automated sensitive data discovery for accounts in the organization. Valid values are: ALL (default), enable it for all existing accounts and new member accounts; NEW, enable it only for new member accounts; and NONE, don't enable it for any accounts.
    If you specify NEW or NONE, automated sensitive data discovery continues to be enabled for any existing accounts that it's currently enabled for. To enable or disable it for individual member accounts, specify NEW or NONE, and then enable or disable it for each account by using the BatchUpdateAutomatedDiscoveryAccounts operation.
status | AutomatedDiscoveryStatus | True | The new status of automated sensitive data discovery for the organization or account. Valid values are: ENABLED, start or resume all automated sensitive data discovery activities; and DISABLED, stop performing all automated sensitive data discovery activities.
    If you specify DISABLED for an administrator account, you also disable automated sensitive data discovery for all member accounts in the organization.

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

  • GetAutomatedDiscoveryConfiguration

  • UpdateAutomatedDiscoveryConfiguration