Data Sources - Amazon S3 Statistics - Amazon Macie

Data Sources - Amazon S3 Statistics

The Amazon S3 Data Source Statistics resource provides aggregated statistical data for all the Amazon Simple Storage Service (Amazon S3) buckets that Amazon Macie monitors and analyzes for your account. This includes data for key security metrics such as the number of buckets that are publicly accessible, don't encrypt new objects by default, or are shared with other AWS accounts.

You can use the Amazon S3 Data Source Statistics resource to retrieve (query) aggregated data for security metrics that apply to all the S3 buckets that Macie monitors and analyzes for your account. To retrieve additional types of data for these buckets, use the Amazon S3 Data Sources resource.

URI

/datasources/s3/statistics

HTTP methods

POST

Operation ID: GetBucketStatistics

Retrieves (queries) aggregated statistical data for all the S3 buckets that Amazon Macie monitors and analyzes.

Responses
Status code Response model Description
200 GetBucketStatisticsResponse

The request succeeded.

400 ValidationException

The request failed because it contains a syntax error.

402 ServiceQuotaExceededException

The request failed because fulfilling the request would exceed one or more service quotas for your account.

403 AccessDeniedException

The request was denied because you don't have sufficient access to the specified resource.

404 ResourceNotFoundException

The request failed because the specified resource wasn't found.

409 ConflictException

The request failed because it conflicts with the current state of the specified resource.

429 ThrottlingException

The request failed because you sent too many requests during a certain amount of time.

500 InternalServerException

The request failed due to an unknown internal server error, exception, or failure.

Schemas

Request bodies

{ "accountId": "string" }

Response bodies

{ "bucketCountByObjectEncryptionRequirement": { "deniesUnencryptedObjectUploads": integer, "allowsUnencryptedObjectUploads": integer, "unknown": integer }, "objectCount": integer, "sizeInBytes": integer, "classifiableObjectCount": integer, "classifiableSizeInBytes": integer, "bucketCountBySharedAccessType": { "internal": integer, "external": integer, "notShared": integer, "unknown": integer }, "unclassifiableObjectCount": { "total": integer, "storageClass": integer, "fileType": integer }, "bucketCountByEffectivePermission": { "publiclyWritable": integer, "publiclyReadable": integer, "publiclyAccessible": integer, "unknown": integer }, "lastUpdated": "string", "bucketCount": integer, "bucketCountByEncryptionType": { "kmsManaged": integer, "s3Managed": integer, "unencrypted": integer, "unknown": integer }, "unclassifiableObjectSizeInBytes": { "total": integer, "storageClass": integer, "fileType": integer }, "sizeInBytesCompressed": integer }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }

Properties

AccessDeniedException

Provides information about an error that occurred due to insufficient access to a specified resource.

Property Type Required Description
message

string

False

The explanation of the error that occurred.

BucketCountByEffectivePermission

Provides information about the number of S3 buckets that are publicly accessible based on a combination of permissions settings for each bucket.

Property Type Required Description
publiclyWritable

integer

Format: int64

False

The total number of buckets that allow the general public to have write access to the bucket.

publiclyReadable

integer

Format: int64

False

The total number of buckets that allow the general public to have read access to the bucket.

publiclyAccessible

integer

Format: int64

False

The total number of buckets that allow the general public to have read or write access to the bucket.

unknown

integer

Format: int64

False

The total number of buckets that Amazon Macie wasn't able to evaluate permissions settings for. Macie can't determine whether these buckets are publicly accessible.

BucketCountByEncryptionType

Provides information about the number of S3 buckets that use certain types of server-side encryption by default or don't encrypt new objects by default. For detailed information about these settings, see Setting default server-side encryption behavior for Amazon S3 buckets in the Amazon Simple Storage Service User Guide.

Property Type Required Description
kmsManaged

integer

Format: int64

False

The total number of buckets that use an AWS Key Management Service (AWS KMS) customer master key (CMK) to encrypt new objects by default. These buckets use AWS managed AWS KMS encryption (AWS-KMS) or customer managed AWS KMS encryption (SSE-KMS) by default.

s3Managed

integer

Format: int64

False

The total number of buckets that use an Amazon S3 managed key to encrypt new objects by default. These buckets use Amazon S3 managed encryption (SSE-S3) by default.

unencrypted

integer

Format: int64

False

The total number of buckets that don't encrypt new objects by default. Default encryption is disabled for these buckets.

unknown

integer

Format: int64

False

The total number of buckets that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the default encryption settings for these buckets.

BucketCountBySharedAccessType

Provides information about the number of S3 buckets that are or aren't shared with other AWS accounts.

Property Type Required Description
internal

integer

Format: int64

False

The total number of buckets that are shared with an AWS account that's part of the same Amazon Macie organization.

external

integer

Format: int64

False

The total number of buckets that are shared with an AWS account that isn't part of the same Amazon Macie organization.

notShared

integer

Format: int64

False

The total number of buckets that aren't shared with other AWS accounts.

unknown

integer

Format: int64

False

The total number of buckets that Amazon Macie wasn't able to evaluate shared access settings for. Macie can't determine whether these buckets are shared with other AWS accounts.

BucketCountPolicyAllowsUnencryptedObjectUploads

Provides information about the number of S3 buckets whose bucket policies do or don't require server-side encryption of objects when objects are uploaded to the buckets.

Property Type Required Description
deniesUnencryptedObjectUploads

integer

Format: int64

False

The total number of buckets whose bucket policies require server-side encryption of new objects. PutObject requests for these buckets must include the x-amz-server-side-encryption header and the value for that header must be AES256 or aws:kms.

allowsUnencryptedObjectUploads

integer

Format: int64

False

The total number of buckets that don't have a bucket policy or have a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, the policy doesn't require PutObject requests to include the x-amz-server-side-encryption header and it doesn't require the value for that header to be AES256 or aws:kms.

unknown

integer

Format: int64

False

The total number of buckets that Amazon Macie wasn't able to evaluate server-side encryption requirements for. Macie can't determine whether the bucket policies for these buckets require server-side encryption of new objects.

ConflictException

Provides information about an error that occurred due to a versioning conflict for a specified resource.

Property Type Required Description
message

string

False

The explanation of the error that occurred.

GetBucketStatisticsRequest

Specifies the account that owns the S3 buckets to retrieve aggregated statistical data for.

Property Type Required Description
accountId

string

False

The unique identifier for the AWS account.

GetBucketStatisticsResponse

Provides the results of a query that retrieved aggregated statistical data for all the S3 buckets that Amazon Macie monitors and analyzes for an account.

Property Type Required Description
bucketCountByObjectEncryptionRequirement

BucketCountPolicyAllowsUnencryptedObjectUploads

False

The total number of buckets whose bucket policies do or don't require server-side encryption of objects when objects are uploaded to the buckets.

objectCount

integer

Format: int64

False

The total number of objects in the buckets.

sizeInBytes

integer

Format: int64

False

The total storage size, in bytes, of the buckets.

If versioning is enabled for any of the buckets, Macie calculates this value based on the size of the latest version of each object in those buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.

classifiableObjectCount

integer

Format: int64

False

The total number of objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.

classifiableSizeInBytes

integer

Format: int64

False

The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.

If versioning is enabled for any of the buckets, Macie calculates this value based on the size of the latest version of each applicable object in those buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.

bucketCountBySharedAccessType

BucketCountBySharedAccessType

False

The total number of buckets that are or aren't shared with another AWS account.

unclassifiableObjectCount

ObjectLevelStatistics

False

The total number of objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

bucketCountByEffectivePermission

BucketCountByEffectivePermission

False

The total number of buckets that are publicly accessible based on a combination of permissions settings for each bucket.

lastUpdated

string

Format: date-time

False

The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved both bucket and object metadata from Amazon S3 for the buckets.

bucketCount

integer

Format: int64

False

The total number of buckets.

bucketCountByEncryptionType

BucketCountByEncryptionType

False

The total number of buckets that use certain types of server-side encryption to encrypt new objects by default. This object also reports the total number of buckets that don't encrypt new objects by default.

unclassifiableObjectSizeInBytes

ObjectLevelStatistics

False

The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

sizeInBytesCompressed

integer

Format: int64

False

The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the buckets.

If versioning is enabled for any of the buckets, Macie calculates this value based on the size of the latest version of each applicable object in those buckets. This value doesn't reflect the storage size of all versions of the applicable objects in the buckets.

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

Property Type Required Description
message

string

False

The explanation of the error that occurred.

ObjectLevelStatistics

Provides information about the total storage size (in bytes) or number of objects that Amazon Macie can't analyze in one or more S3 buckets. In a BucketMetadata or MatchingBucket object, this data is for a specific bucket. In a GetBucketStatisticsResponse object, this data is aggregated for all the buckets in the query results. If versioning is enabled for a bucket, total storage size values are based on the size of the latest version of each applicable object in the bucket.

Property Type Required Description
total

integer

Format: int64

False

The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.

storageClass

integer

Format: int64

False

The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.

fileType

integer

Format: int64

False

The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.

ResourceNotFoundException

Provides information about an error that occurred because a specified resource wasn't found.

Property Type Required Description
message

string

False

The explanation of the error that occurred.

ServiceQuotaExceededException

Provides information about an error that occurred due to one or more service quotas for an account.

Property Type Required Description
message

string

False

The explanation of the error that occurred.

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

Property Type Required Description
message

string

False

The explanation of the error that occurred.

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

Property Type Required Description
message

string

False

The explanation of the error that occurred.

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

GetBucketStatistics