Data Sources - Amazon S3 Statistics - Amazon Macie

Data Sources - Amazon S3 Statistics

The Amazon S3 Data Source Statistics resource provides aggregated statistical data for all the Amazon Simple Storage Service (Amazon S3) buckets that Amazon Macie monitors and analyzes for your account. This includes data for key security metrics such as the number of buckets that are publicly accessible, don't encrypt new objects by default, or are shared with other AWS accounts.

You can use the Amazon S3 Data Source Statistics resource to retrieve (query) aggregated data for security metrics that apply to all the S3 buckets that Macie monitors and analyzes for your account. To retrieve additional data for these buckets, use the Amazon S3 Data Sources resource.

URI

/datasources/s3/statistics

HTTP methods

POST

Operation ID: GetBucketStatistics

Retrieves (queries) aggregated statistical data about S3 buckets that Amazon Macie monitors and analyzes.

Responses
Status code | Response model | Description
200 | GetBucketStatisticsResponse | The request succeeded.
400 | ValidationException | The request failed because it contains a syntax error.
402 | ServiceQuotaExceededException | The request failed because fulfilling the request would exceed one or more service quotas for your account.
403 | AccessDeniedException | The request was denied because you don't have sufficient access to the specified resource.
404 | ResourceNotFoundException | The request failed because the specified resource wasn't found.
409 | ConflictException | The request failed because it conflicts with the current state of the specified resource.
429 | ThrottlingException | The request failed because you sent too many requests during a certain amount of time.
500 | InternalServerException | The request failed due to an unknown internal server error, exception, or failure.

Schemas

Request bodies

{ "accountId": "string" }

Response bodies

{
  "bucketCountByObjectEncryptionRequirement": {
    "deniesUnencryptedObjectUploads": integer,
    "allowsUnencryptedObjectUploads": integer,
    "unknown": integer
  },
  "objectCount": integer,
  "sizeInBytes": integer,
  "classifiableObjectCount": integer,
  "classifiableSizeInBytes": integer,
  "bucketCountBySharedAccessType": {
    "internal": integer,
    "external": integer,
    "notShared": integer,
    "unknown": integer
  },
  "unclassifiableObjectCount": {
    "total": integer,
    "storageClass": integer,
    "fileType": integer
  },
  "bucketCountByEffectivePermission": {
    "publiclyWritable": integer,
    "publiclyReadable": integer,
    "publiclyAccessible": integer,
    "unknown": integer
  },
  "lastUpdated": "string",
  "bucketCount": integer,
  "bucketCountByEncryptionType": {
    "kmsManaged": integer,
    "s3Managed": integer,
    "unencrypted": integer,
    "unknown": integer
  },
  "unclassifiableObjectSizeInBytes": {
    "total": integer,
    "storageClass": integer,
    "fileType": integer
  },
  "sizeInBytesCompressed": integer
}
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
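
The following is an added example, not part of the AWS documentation: a Python function that turns a GetBucketStatisticsResponse body into a list of findings. It treats non-zero unknown counts, omitted properties (every property is optional), unanalyzable objects and an old lastUpdated value as coverage gaps rather than as zeros. The severity labels, the thresholds and the sample response are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Counters that signal exposure when non-zero: section -> [(key, severity, meaning)].
# Severity labels and thresholds are assumptions of this example, not Macie values.
RISK_COUNTERS = {
    "bucketCountByEffectivePermission": [
        ("publiclyWritable", "critical", "bucket(s) writable by the general public"),
        ("publiclyReadable", "high", "bucket(s) readable by the general public")],
    "bucketCountBySharedAccessType": [
        ("external", "medium", "bucket(s) shared outside the Macie organization")],
    "bucketCountByEncryptionType": [
        ("unencrypted", "medium", "bucket(s) that don't encrypt new objects by default")],
    "bucketCountByObjectEncryptionRequirement": [
        ("allowsUnencryptedObjectUploads", "low", "bucket(s) whose policy allows unencrypted uploads")],
}

def assess_bucket_statistics(stats, now, max_age=timedelta(hours=24), max_unanalyzed=0.25):
    """Return (severity, message) findings for a GetBucketStatisticsResponse dict."""
    findings = []
    for section, counters in RISK_COUNTERS.items():
        block = stats.get(section)
        if block is None:  # every property is optional: absent is a gap, not a zero
            findings.append(("gap", f"{section} missing from response"))
            continue
        for key, severity, meaning in counters:
            if block.get(key, 0) > 0:
                findings.append((severity, f"{block[key]} {meaning}"))
        if block.get("unknown", 0) > 0:  # Macie could not evaluate these buckets
            findings.append(("gap", f"{block['unknown']} buckets not evaluated in {section}"))
    total = stats.get("objectCount", 0)
    skipped = stats.get("unclassifiableObjectCount", {}).get("total", 0)
    if total and skipped / total > max_unanalyzed:
        findings.append(("gap", f"{skipped} of {total} objects can't be analyzed by Macie"))
    ts = stats.get("lastUpdated")
    updated = datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None
    if updated and updated.tzinfo is None:
        updated = updated.replace(tzinfo=timezone.utc)  # the API reports UTC
    if updated is None or now - updated > max_age:
        findings.append(("gap", f"bucket metadata is stale or undated (lastUpdated={ts})"))
    return findings

# Constructed sample response (not real account data); one section is omitted on purpose.
SAMPLE = {
    "bucketCountByEffectivePermission": {"publiclyAccessible": 1, "publiclyReadable": 1, "publiclyWritable": 0, "unknown": 3},
    "bucketCountBySharedAccessType": {"external": 2, "internal": 5, "notShared": 35, "unknown": 0},
    "bucketCountByEncryptionType": {"kmsManaged": 30, "s3Managed": 12, "unencrypted": 0, "unknown": 0},
    "objectCount": 1000, "unclassifiableObjectCount": {"total": 400, "storageClass": 100, "fileType": 300},
    "lastUpdated": "2024-05-01T06:00:00Z",
}
```

A zero in publiclyWritable or publiclyReadable only counts as reassurance when the matching unknown counter is also zero, which is why the function reports the two separately.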

Properties

AccessDeniedException

Provides information about an error that occurred due to insufficient access to a specified resource.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

BucketCountByEffectivePermission

Provides information about the number of S3 buckets that are publicly accessible based on a combination of permissions settings for each bucket.

Property | Type | Required | Description
publiclyAccessible | integer (Format: int64) | False | The total number of buckets that allow the general public to have read or write access to the bucket.
publiclyReadable | integer (Format: int64) | False | The total number of buckets that allow the general public to have read access to the bucket.
publiclyWritable | integer (Format: int64) | False | The total number of buckets that allow the general public to have write access to the bucket.
unknown | integer (Format: int64) | False | The total number of buckets that Amazon Macie wasn't able to evaluate permissions settings for. Macie can't determine whether these buckets are publicly accessible.

BucketCountByEncryptionType

Provides information about the number of S3 buckets that use certain types of server-side encryption by default or don't encrypt new objects by default. For detailed information about these settings, see Setting default server-side encryption behavior for Amazon S3 buckets in the Amazon Simple Storage Service User Guide.

Property | Type | Required | Description
kmsManaged | integer (Format: int64) | False | The total number of buckets that use an AWS KMS key to encrypt new objects by default, either an AWS managed key or a customer managed key. These buckets use AWS KMS encryption (SSE-KMS) by default.
s3Managed | integer (Format: int64) | False | The total number of buckets that use an Amazon S3 managed key to encrypt new objects by default. These buckets use Amazon S3 managed encryption (SSE-S3) by default.
unencrypted | integer (Format: int64) | False | The total number of buckets that don't encrypt new objects by default. Default encryption is disabled for these buckets.
unknown | integer (Format: int64) | False | The total number of buckets that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the default encryption settings for these buckets.

BucketCountBySharedAccessType

Provides information about the number of S3 buckets that are or aren't shared with other AWS accounts.

Property | Type | Required | Description
external | integer (Format: int64) | False | The total number of buckets that are shared with an AWS account that isn't part of the same Amazon Macie organization.
internal | integer (Format: int64) | False | The total number of buckets that are shared with an AWS account that's part of the same Amazon Macie organization.
notShared | integer (Format: int64) | False | The total number of buckets that aren't shared with other AWS accounts.
unknown | integer (Format: int64) | False | The total number of buckets that Amazon Macie wasn't able to evaluate shared access settings for. Macie can't determine whether these buckets are shared with other AWS accounts.

BucketCountPolicyAllowsUnencryptedObjectUploads

Provides information about the number of S3 buckets whose bucket policies do or don't require server-side encryption of objects when objects are uploaded to the buckets.

Property | Type | Required | Description
allowsUnencryptedObjectUploads | integer (Format: int64) | False | The total number of buckets that don't have a bucket policy or have a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, the policy doesn't require PutObject requests to include a valid server-side encryption header: the x-amz-server-side-encryption header with a value of AES256 or aws:kms, or the x-amz-server-side-encryption-customer-algorithm header with a value of AES256.
deniesUnencryptedObjectUploads | integer (Format: int64) | False | The total number of buckets whose bucket policies require server-side encryption of new objects. PutObject requests for these buckets must include a valid server-side encryption header: the x-amz-server-side-encryption header with a value of AES256 or aws:kms, or the x-amz-server-side-encryption-customer-algorithm header with a value of AES256.
unknown | integer (Format: int64) | False | The total number of buckets that Amazon Macie wasn't able to evaluate server-side encryption requirements for. Macie can't determine whether the bucket policies for these buckets require server-side encryption of new objects.

ConflictException

Provides information about an error that occurred due to a versioning conflict for a specified resource.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

GetBucketStatisticsRequest

Specifies the account that owns the S3 buckets to retrieve aggregated statistical data for.

Property | Type | Required | Description
accountId | string | False | The unique identifier for the AWS account.

GetBucketStatisticsResponse

Provides the results of a query that retrieved aggregated statistical data for all the S3 buckets that Amazon Macie monitors and analyzes for your account.

Property | Type | Required | Description
bucketCount | integer (Format: int64) | False | The total number of buckets.
bucketCountByEffectivePermission | BucketCountByEffectivePermission | False | The total number of buckets that are publicly accessible based on a combination of permissions settings for each bucket.
bucketCountByEncryptionType | BucketCountByEncryptionType | False | The total number of buckets that use certain types of server-side encryption to encrypt new objects by default. This object also reports the total number of buckets that don't encrypt new objects by default.
bucketCountByObjectEncryptionRequirement | BucketCountPolicyAllowsUnencryptedObjectUploads | False | The total number of buckets whose bucket policies do or don't require server-side encryption of objects when objects are uploaded to the buckets.
bucketCountBySharedAccessType | BucketCountBySharedAccessType | False | The total number of buckets that are or aren't shared with another AWS account.
classifiableObjectCount | integer (Format: int64) | False | The total number of objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
classifiableSizeInBytes | integer (Format: int64) | False | The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format. If versioning is enabled for any of the buckets, Macie calculates this value based on the size of the latest version of each applicable object in those buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.
lastUpdated | string (Format: date-time) | False | The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved both bucket and object metadata from Amazon S3 for the buckets.
objectCount | integer (Format: int64) | False | The total number of objects in the buckets.
sizeInBytes | integer (Format: int64) | False | The total storage size, in bytes, of the buckets. If versioning is enabled for any of the buckets, Amazon Macie calculates this value based on the size of the latest version of each object in those buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.
sizeInBytesCompressed | integer (Format: int64) | False | The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the buckets. If versioning is enabled for any of the buckets, Amazon Macie calculates this value based on the size of the latest version of each applicable object in those buckets. This value doesn't reflect the storage size of all versions of the applicable objects in the buckets.
unclassifiableObjectCount | ObjectLevelStatistics | False | The total number of objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
unclassifiableObjectSizeInBytes | ObjectLevelStatistics | False | The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

ObjectLevelStatistics

Provides information about the total storage size (in bytes) or number of objects that Amazon Macie can't analyze in one or more S3 buckets. In a BucketMetadata or MatchingBucket object, this data is for a specific bucket. In a GetBucketStatisticsResponse object, this data is aggregated for the buckets in the query results. If versioning is enabled for a bucket, total storage size values are based on the size of the latest version of each applicable object in the bucket.

Property | Type | Required | Description
fileType | integer (Format: int64) | False | The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
storageClass | integer (Format: int64) | False | The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
total | integer (Format: int64) | False | The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.

ResourceNotFoundException

Provides information about an error that occurred because a specified resource wasn't found.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

ServiceQuotaExceededException

Provides information about an error that occurred due to one or more service quotas for an account.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

GetBucketStatistics