AWS::Macie::CustomDataIdentifier - AWS CloudFormation

AWS::Macie::CustomDataIdentifier

The AWS::Macie::CustomDataIdentifier resource is a set of criteria that you define to detect sensitive data in one or more data sources. Each identifier specifies a regular expression (regex) that defines a text pattern to match in the data. It can also specify character sequences, such as words and phrases, and a proximity rule that refine the analysis of a data source. By using custom data identifiers, you can tailor your analysis to meet your organization's specific needs and supplement the built-in, managed data identifiers that Amazon Macie provides.

A Session must exist for the account before you can create a CustomDataIdentifier. Use a DependsOn attribute to ensure that the Session is created before the other resources. For example, "DependsOn: Session".

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::Macie::CustomDataIdentifier",
  "Properties" : {
    "Description" : String,
    "IgnoreWords" : [ String, ... ],
    "Keywords" : [ String, ... ],
    "MaximumMatchDistance" : Integer,
    "Name" : String,
    "Regex" : String
  }
}

YAML

Type: AWS::Macie::CustomDataIdentifier
Properties:
  Description: String
  IgnoreWords:
    - String
  Keywords:
    - String
  MaximumMatchDistance: Integer
  Name: String
  Regex: String

Properties

Description

The description of the custom data identifier. The description can contain as many as 512 characters.

Required: No

Type: String

Update requires: Replacement

IgnoreWords

An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression is the same as any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4-90 characters. Ignore words are case sensitive.

Required: No

Type: List of String

Update requires: Replacement

Keywords

An array that lists specific character sequences (keywords), one of which must be within proximity (MaximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 characters. Keywords aren't case sensitive.

Required: No

Type: List of String

Update requires: Replacement

MaximumMatchDistance

The maximum number of characters that can exist between text that matches the regex pattern and the character sequences specified by the Keywords array. Amazon Macie includes or excludes a result based on the proximity of a keyword to text that matches the regex pattern. The distance can be 1-300 characters. The default value is 50.

Required: No

Type: Integer

Update requires: Replacement

Name

A custom name for the custom data identifier. The name can contain as many as 128 characters.

We strongly recommend that you avoid including any sensitive data in the name of a custom data identifier. Other users of your account might be able to see the identifier's name, depending on the actions that they're allowed to perform in Amazon Macie.

Required: Yes

Type: String

Update requires: Replacement

Regex

The regular expression (regex) that defines the pattern to match. The expression can contain as many as 512 characters.

Required: Yes

Type: String

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the CustomDataIdentifier. For example, { "Ref": "CustomDataIdentifier" }

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The Amazon Resource Name (ARN) of the custom data identifier.

Id

The unique identifier for the custom data identifier.

Examples

The following example demonstrates how to declare an AWS::Macie::CustomDataIdentifier resource.

Creating a custom data identifier

This example creates a custom data identifier that detects six-digit employee IDs that are located near the specified keywords. If the match is a sample value, such as those provided in the ignore words, it is skipped.

JSON

{
  "Type": "AWS::Macie::CustomDataIdentifier",
  "DependsOn": "Session",
  "Properties": {
    "Description": "My custom data identifier",
    "IgnoreWords": [
      "000000",
      "123456"
    ],
    "Keywords": [
      "employeeID",
      "employee ID"
    ],
    "MaximumMatchDistance": 20,
    "Name": "EmployeeIDCustomDataIdentifier",
    "Regex": "\\d{6}"
  }
}

YAML

Type: AWS::Macie::CustomDataIdentifier
DependsOn: "Session"
Properties:
  Description: "My custom data identifier"
  IgnoreWords:
    - "000000"
    - "123456"
  Keywords:
    - "employeeID"
    - "Employee ID"
  MaximumMatchDistance: 20
  Name: EmployeeIDCustomDataIdentifier
  Regex: "\\d{6}"
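
Pre-deployment check

The following Python code is an added example, not part of the AWS documentation. It checks a Properties mapping against the limits listed in the Properties section and previews, on constructed sample text, how Regex, Keywords, MaximumMatchDistance, and IgnoreWords interact. The function names validate and preview are hypothetical. The code assumes Python's re engine and a distance measured as the gap between a keyword and the match on either side; Amazon Macie's own regex support and distance calculation may differ.

```python
import re

# Properties from the example on this page; SAMPLE is constructed test text.
PROPS = {"Name": "EmployeeIDCustomDataIdentifier", "Regex": r"\d{6}",
         "IgnoreWords": ["000000", "123456"],
         "Keywords": ["employeeID", "employee ID"], "MaximumMatchDistance": 20}
SAMPLE = ("employeeID: 482913\n"
          "Employee ID 123456 (sample)\n"
          "order number 771204 shipped\n")

def validate(props):
    """Return violations of the limits stated in the property descriptions."""
    errors = [f"{k} is required" for k in ("Name", "Regex") if not props.get(k)]
    for key, limit in (("Description", 512), ("Name", 128), ("Regex", 512)):
        if len(props.get(key, "")) > limit:
            errors.append(f"{key} exceeds {limit} characters")
    for key, max_items, lo, hi in (("IgnoreWords", 10, 4, 90), ("Keywords", 50, 3, 90)):
        items = props.get(key, [])
        if len(items) > max_items:
            errors.append(f"{key} has more than {max_items} entries")
        errors += [f"{key} entry {w!r} is not {lo}-{hi} characters"
                   for w in items if not lo <= len(w) <= hi]
    if not 1 <= props.get("MaximumMatchDistance", 50) <= 300:
        errors.append("MaximumMatchDistance must be 1-300")
    return errors

def preview(props, text):
    """Approximate which regex hits are kept (assumed distance model)."""
    keywords = [k.lower() for k in props.get("Keywords", [])]
    ignore = set(props.get("IgnoreWords", []))       # ignore words are case sensitive
    distance = props.get("MaximumMatchDistance", 50)  # default value is 50
    lowered = text.lower()                           # keywords aren't case sensitive
    kept = []
    for m in re.finditer(props["Regex"], text):
        if m.group() in ignore:
            continue
        # Assumption: gap = characters between keyword and match, on either side.
        near = not keywords
        for k in keywords:
            for km in re.finditer(re.escape(k), lowered):
                before = km.end() <= m.start()
                gap = m.start() - km.end() if before else km.start() - m.end()
                near = near or 0 <= gap <= distance
        if near:
            kept.append(m.group())
    return kept

if __name__ == "__main__":
    print(validate(PROPS), preview(PROPS, SAMPLE))
```

With MaximumMatchDistance set to 20, only 482913 is kept. Leaving the property at its default of 50 also keeps 771204, because a keyword on the previous line then falls within range.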