AWS::Macie::CustomDataIdentifier
The AWS::Macie::CustomDataIdentifier resource specifies a custom data
identifier. A custom data identifier is a set of custom criteria
for Amazon Macie to use when it inspects data sources for sensitive data.
The criteria consist of a regular expression (regex) that defines a
text pattern to match and, optionally, character sequences and a proximity rule that
refine the results. The character sequences can be:
-
Keywords, which are words or phrases that must be in proximity of text that matches the regex, or
-
Ignore words, which are words or phrases to exclude from the results.
By using custom data identifiers, you can supplement the managed data identifiers that Macie provides and detect sensitive data that reflects your particular scenarios, intellectual property, or proprietary data. For more information, see Building custom data identifiers in the Amazon Macie User Guide.
An AWS::Macie::Session resource must exist for an AWS account before you can create an
AWS::Macie::CustomDataIdentifier resource for the account. Use a DependsOn
attribute to ensure that an AWS::Macie::Session resource is
created before other Macie resources are created for an account. For
example, "DependsOn": "Session".
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Macie::CustomDataIdentifier", "Properties" : { "Description" :String, "IgnoreWords" :[ String, ... ], "Keywords" :[ String, ... ], "MaximumMatchDistance" :Integer, "Name" :String, "Regex" :String, "Tags" :[ Tag, ... ]} }
YAML
Type: AWS::Macie::CustomDataIdentifier Properties: Description:StringIgnoreWords:- StringKeywords:- StringMaximumMatchDistance:IntegerName:StringRegex:StringTags:- Tag
Properties
Description-
A custom description of the custom data identifier. The description can contain 1-512 characters.
Avoid including sensitive data in the description. Users of the account might be able to see the description, depending on the actions that they're allowed to perform in Amazon Macie.
Required: No
Type: String
Update requires: Replacement
IgnoreWords-
An array of character sequences (ignore words) to exclude from the results. If text matches the regular expression (
Regex) but it contains a string in this array, Amazon Macie ignores the text and doesn't include it in the results.The array can contain 1-10 ignore words. Each ignore word can contain 4-90 UTF-8 characters. Ignore words are case sensitive.
Required: No
Type: Array of String
Update requires: Replacement
Keywords-
An array of character sequences (keywords), one of which must precede and be in proximity (
MaximumMatchDistance) of the regular expression (Regex) to match.The array can contain 1-50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.
Required: No
Type: Array of String
Update requires: Replacement
MaximumMatchDistance-
The maximum number of characters that can exist between the end of at least one complete character sequence specified by the
Keywordsarray and the end of text that matches the regular expression (Regex). If a complete keyword precedes all the text that matches the regular expression and the keyword is within the specified distance, Amazon Macie includes the result.The distance can be 1-300 characters. The default value is 50.
Required: No
Type: Integer
Update requires: Replacement
Name-
A custom name for the custom data identifier. The name can contain 1-128 characters.
Avoid including sensitive data in the name of a custom data identifier. Users of the account might be able to see the name, depending on the actions that they're allowed to perform in Amazon Macie.
Required: Yes
Type: String
Update requires: Replacement
Regex-
The regular expression (regex) that defines the text pattern to match. The expression can contain 1-512 characters.
Required: Yes
Type: String
Update requires: Replacement
-
An array of key-value pairs to apply to the custom data identifier.
For more information, see Resource tag.
Required: No
Type: Array of Tag
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the CustomDataIdentifier. For
example, { "Ref": "CustomDataIdentifier" }
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn-
The Amazon Resource Name (ARN) of the custom data identifier.
Id-
The unique identifier for the custom data identifier.
Examples
The following example demonstrates how to declare an
AWS::Macie::CustomDataIdentifier resource.
Creating a custom data identifier
This example creates a custom data identifier that detects six-digit character
sequences that are in proximity of certain keywords, as specified by the
Keywords array. If a match is a sample value, as specified by
the IgnoreWords array, Amazon Macie excludes that match
from the results.
JSON
{ "Type": "AWS::Macie::CustomDataIdentifier", "DependsOn": "Session", "Properties": { "Description": "My custom data identifier", "IgnoreWords": [ "000000", "123456" ], "Keywords": [ "employeeID", "employee ID" ], "MaximumMatchDistance": 20, "Name": "EmployeeIDCustomDataIdentifier", "Regex": "\\d{6}", "Tags": [ { "Key": "Stack", "Value": "Production" } ] } }
YAML
Type: 'AWS::Macie::CustomDataIdentifier' DependsOn: Session Properties: Description: My custom data identifier IgnoreWords: - '000000' - '123456' Keywords: - 'employeeID' - 'employee ID' MaximumMatchDistance: 20 Name: EmployeeIDCustomDataIdentifier Regex: '\\d{6}' Tags: - Key: Stack Value: Production
