Classification Results - Export Configuration - Amazon Macie

Classification Results - Export Configuration

The Export Configuration resource for classification results provides access to settings for storing data classification results in an Amazon Simple Storage Service (Amazon S3) bucket. A data classification result, also referred to as a sensitive data discovery result, is a record that logs details about the analysis that Amazon Macie performed on an Amazon S3 object to determine whether the object contains sensitive data.

When you run a classification job or Macie performs automated sensitive data discovery, Macie automatically creates a data classification result for each S3 object that's included in the scope of the analysis. This includes objects that Macie doesn't find sensitive data in, and therefore don't produce findings, and objects that Macie can't analyze due to issues such as permissions settings. Data classification results provide you with analysis records that can be helpful for data privacy and protection audits or investigations. You can configure Macie to store these records in an S3 bucket and encrypt them with an AWS Key Management Service (AWS KMS) key. For more information, see Storing and retaining sensitive data discovery results in the Amazon Macie User Guide.

If you use Macie in multiple AWS Regions, configure these settings for each Region in which you use Macie. You can optionally store data classification results for multiple Regions in the same S3 bucket. However, note the following requirements:

  • To store the results for a Region that AWS enables by default for AWS accounts, such as the US East (N. Virginia) Region, you have to choose a bucket in a Region that's enabled by default. The results can't be stored in a bucket in an opt-in Region (Region that's disabled by default).

  • To store the results for an opt-in Region, such as the Middle East (Bahrain) Region, you have to choose a bucket in that same Region or a Region that's enabled by default. The results can't be stored in a bucket in a different opt-in Region.

To determine whether a Region is enabled by default, see Regions and endpoints in the AWS Identity and Access Management User Guide. In addition to the preceding requirements, also consider whether you want to retrieve samples of sensitive data that Macie reports in individual findings. To retrieve sensitive data samples from an affected S3 object, all of the following resources and data must be stored in the same Region: the affected object, the applicable finding, and the corresponding sensitive data discovery result.

You can use the Export Configuration resource to specify or retrieve information about your configuration settings for storing data classification results in an S3 bucket.

URI

/classification-export-configuration

HTTP methods

GET

Operation ID: GetClassificationExportConfiguration

Retrieves the configuration settings for storing data classification results.

Responses
Status codeResponse modelDescription
200GetClassificationExportConfigurationResponse

The request succeeded.

400ValidationException

The request failed because the input doesn't satisfy the constraints specified by the service.

402ServiceQuotaExceededException

The request failed because fulfilling the request would exceed one or more service quotas for your account.

403AccessDeniedException

The request was denied because you don't have sufficient access to the specified resource.

404ResourceNotFoundException

The request failed because the specified resource wasn't found.

409ConflictException

The request failed because it conflicts with the current state of the specified resource.

429ThrottlingException

The request failed because you sent too many requests during a certain amount of time.

500InternalServerException

The request failed due to an unknown internal server error, exception, or failure.

PUT

Operation ID: PutClassificationExportConfiguration

Creates or updates the configuration settings for storing data classification results.

Responses
Status codeResponse modelDescription
200PutClassificationExportConfigurationResponse

The request succeeded.

400ValidationException

The request failed because the input doesn't satisfy the constraints specified by the service.

402ServiceQuotaExceededException

The request failed because fulfilling the request would exceed one or more service quotas for your account.

403AccessDeniedException

The request was denied because you don't have sufficient access to the specified resource.

404ResourceNotFoundException

The request failed because the specified resource wasn't found.

409ConflictException

The request failed because it conflicts with the current state of the specified resource.

429ThrottlingException

The request failed because you sent too many requests during a certain amount of time.

500InternalServerException

The request failed due to an unknown internal server error, exception, or failure.

Schemas

Request bodies

{ "configuration": { "s3Destination": { "bucketName": "string", "keyPrefix": "string", "kmsKeyArn": "string" } } }

Response bodies

{ "configuration": { "s3Destination": { "bucketName": "string", "keyPrefix": "string", "kmsKeyArn": "string" } } }
{ "configuration": { "s3Destination": { "bucketName": "string", "keyPrefix": "string", "kmsKeyArn": "string" } } }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }

Properties

AccessDeniedException

Provides information about an error that occurred due to insufficient access to a specified resource.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

ClassificationExportConfiguration

Specifies where to store data classification results, and the encryption settings to use when storing results in that location. The location must be an S3 bucket.

PropertyTypeRequiredDescription
s3Destination

S3Destination

False

The S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket.

ConflictException

Provides information about an error that occurred due to a versioning conflict for a specified resource.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

GetClassificationExportConfigurationResponse

Provides information about the current configuration settings for storing data classification results.

PropertyTypeRequiredDescription
configuration

ClassificationExportConfiguration

False

The location where data classification results are stored, and the encryption settings that are used when storing results in that location.

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

PutClassificationExportConfigurationRequest

Specifies where to store data classification results, and the encryption settings to use when storing results in that location.

PropertyTypeRequiredDescription
configuration

ClassificationExportConfiguration

True

The location to store data classification results in, and the encryption settings to use when storing results in that location.

PutClassificationExportConfigurationResponse

Provides information about updated settings for storing data classification results.

PropertyTypeRequiredDescription
configuration

ClassificationExportConfiguration

False

The location where the data classification results are stored, and the encryption settings that are used when storing results in that location.

ResourceNotFoundException

Provides information about an error that occurred because a specified resource wasn't found.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

S3Destination

Specifies an S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket.

PropertyTypeRequiredDescription
bucketName

string

True

The name of the bucket.

keyPrefix

string

False

The path prefix to use in the path to the location in the bucket. This prefix specifies where to store classification results in the bucket.

kmsKeyArn

string

True

The Amazon Resource Name (ARN) of the customer managed AWS KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption AWS KMS key that's enabled in the same AWS Region as the bucket.

ServiceQuotaExceededException

Provides information about an error that occurred due to one or more service quotas for an account.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

GetClassificationExportConfiguration

PutClassificationExportConfiguration