Classification Scope - Amazon Macie

Classification Scope

The Classification Scope resource provides access to the settings of the classification scope for your account. The classification scope specifies Amazon Simple Storage Service (Amazon S3) buckets that you don't want Amazon Macie to analyze when it performs automated sensitive data discovery for your account. It defines an S3 bucket exclusion list for automated sensitive data discovery. For more information, see Performing automated sensitive data discovery in the Amazon Macie User Guide.

The first time you enable automated sensitive data discovery for your account, Macie automatically creates the classification scope for your account. Macie then uses the settings specified by the classification scope to determine which S3 buckets to exclude from analyses. You can customize the settings by adding and removing buckets from the list of buckets to exclude. For example, you might exclude buckets that typically store AWS logging data, such as a bucket that stores AWS CloudTrail event logs. By default, Macie analyzes data in all the buckets for your account. If your account is the Macie administrator account for an organization, this includes buckets that member accounts own.

If automated sensitive data discovery is currently enabled for your account, you can use the Classification Scope resource to retrieve or update the classification scope settings for your account. To use this resource, you have to specify the unique identifier for the classification scope for your account. To obtain this identifier, use the Classification Scopes resource. In addition, automated sensitive data discovery must be enabled for your account. To enable automated sensitive data discovery for your account, use the Automated Sensitive Data Discovery Configuration resource.

URI

/classification-scopes/id

HTTP methods

GET

Operation ID: GetClassificationScope

Retrieves the classification scope settings for an account.

Path parameters
NameTypeRequiredDescription
idStringTrue

The unique identifier for the Amazon Macie resource that the request applies to.

Responses
Status codeResponse modelDescription
200GetClassificationScopeResponse

The request succeeded.

400ValidationException

The request failed because the input doesn't satisfy the constraints specified by the service.

403AccessDeniedException

The request was denied because you don't have sufficient access to the specified resource.

404ResourceNotFoundException

The request failed because the specified resource wasn't found.

429ThrottlingException

The request failed because you sent too many requests during a certain amount of time.

500InternalServerException

The request failed due to an unknown internal server error, exception, or failure.

PATCH

Operation ID: UpdateClassificationScope

Updates the classification scope settings for an account.

Path parameters
NameTypeRequiredDescription
idStringTrue

The unique identifier for the Amazon Macie resource that the request applies to.

Responses
Status codeResponse modelDescription
200Empty Schema

The request succeeded. The specified settings were updated and there isn't any content to include in the body of the response (No Content).

400ValidationException

The request failed because the input doesn't satisfy the constraints specified by the service.

403AccessDeniedException

The request was denied because you don't have sufficient access to the specified resource.

404ResourceNotFoundException

The request failed because the specified resource wasn't found.

429ThrottlingException

The request failed because you sent too many requests during a certain amount of time.

500InternalServerException

The request failed due to an unknown internal server error, exception, or failure.

Schemas

Request bodies

{ "s3": { "excludes": { "bucketNames": [ "string" ], "operation": enum } } }

Response bodies

{ "id": "string", "name": "string", "s3": { "excludes": { "bucketNames": [ "string" ] } } }
{ }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }

Properties

AccessDeniedException

Provides information about an error that occurred due to insufficient access to a specified resource.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

ClassificationScopeUpdateOperation

Specifies how to apply changes to the S3 bucket exclusion list defined by the classification scope for an Amazon Macie account. Valid values are:

  • ADD

  • REPLACE

  • REMOVE

Empty

The request succeeded and there isn't any content to include in the body of the response (No Content).

GetClassificationScopeResponse

Provides information about the classification scope settings for an Amazon Macie account. Macie uses these settings when it performs automated sensitive data discovery for the account.

PropertyTypeRequiredDescription
id

string

False

The unique identifier for the classification scope.

name

string

False

The name of the classification scope: automated-sensitive-data-discovery.

s3

S3ClassificationScope

False

The S3 buckets that are excluded from automated sensitive data discovery.

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

ResourceNotFoundException

Provides information about an error that occurred because a specified resource wasn't found.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

S3ClassificationScope

Specifies the S3 buckets that are excluded from automated sensitive data discovery for an Amazon Macie account.

PropertyTypeRequiredDescription
excludes

S3ClassificationScopeExclusion

True

The S3 buckets that are excluded.

S3ClassificationScopeExclusion

Specifies the names of the S3 buckets that are excluded from automated sensitive data discovery.

PropertyTypeRequiredDescription
bucketNames

Array of type string

True

An array of strings, one for each S3 bucket that is excluded. Each string is the full name of an excluded bucket.

S3ClassificationScopeExclusionUpdate

Specifies S3 buckets to add or remove from the exclusion list defined by the classification scope for an Amazon Macie account.

PropertyTypeRequiredDescription
bucketNames

Array of type string

True

Depending on the value specified for the update operation (ClassificationScopeUpdateOperation), an array of strings that: lists the names of buckets to add or remove from the list, or specifies a new set of bucket names that overwrites all existing names in the list. Each string must be the full name of an S3 bucket. Values are case sensitive.

operation

ClassificationScopeUpdateOperation

True

Specifies how to apply the changes to the exclusion list. Valid values are:

  • ADD - Append the specified bucket names to the current list.

  • REMOVE - Remove the specified bucket names from the current list.

  • REPLACE - Overwrite the current list with the specified list of bucket names. If you specify this value, Amazon Macie removes all existing names from the list and adds all the specified names to the list.

S3ClassificationScopeUpdate

Specifies changes to the list of S3 buckets that are excluded from automated sensitive data discovery for an Amazon Macie account.

PropertyTypeRequiredDescription
excludes

S3ClassificationScopeExclusionUpdate

True

The names of the S3 buckets to add or remove from the list.

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

UpdateClassificationScopeRequest

Specifies new classification scope settings for an Amazon Macie account. Macie uses these settings when it performs automated sensitive data discovery for the account. To update the settings, automated sensitive data discovery must currently be enabled for the account.

PropertyTypeRequiredDescription
s3

S3ClassificationScopeUpdate

False

The S3 buckets to add or remove from the exclusion list defined by the classification scope.

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

PropertyTypeRequiredDescription
message

string

False

The explanation of the error that occurred.

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

GetClassificationScope

UpdateClassificationScope