Creating and managing allow lists in Amazon Macie

In Amazon Macie, an allow list defines specific text or a text pattern that you want Macie to ignore when it inspects Amazon Simple Storage Service (Amazon S3) objects for sensitive data. If text matches an entry or pattern in an allow list, Macie doesn’t report the text in sensitive data findings or other types of sensitive data discovery results, even if the text matches the criteria of a managed data identifier or a custom data identifier.

You can create and manage the following types of allow lists in Macie.

Predefined text

Use this type of list to specify words, phrases, and other kinds of character sequences that aren’t sensitive, aren’t likely to change, and don’t necessarily adhere to a common pattern. Examples are the names of public representatives for your organization, specific phone numbers, and specific sample data that your organization uses for testing. If you use this type of list, Macie ignores text that exactly matches an entry in the list.

For this type of list, you create a line-delimited plaintext file that lists specific text to ignore. You then store the file in an S3 bucket and configure settings for Macie to access the list in the bucket. You can then create and configure sensitive data discovery jobs to use the list, or add the list to the automated sensitive data discovery settings for your account. When each job starts to run or the daily, automated discovery analysis cycle starts for your account, Macie retrieves the latest version of the list from Amazon S3 and uses that version of the list as part of its analysis. If Macie finds text that exactly matches an entry in the list, Macie doesn't report that occurrence of text as sensitive data.

Regular expression

Use this type of list to specify a regular expression (regex) that defines a text pattern to ignore. Examples are public phone numbers for your organization, email addresses for your organization’s domain, and patterned sample data that your organization uses for testing. If you use this type of list, Macie ignores text that completely matches the regex pattern defined by the list.

For this type of list, you create a regex that defines a common pattern for text that isn't sensitive but varies or is likely to change. Unlike a list of predefined text, you create and store the regex and all other list settings in Macie. You can then create and configure sensitive data discovery jobs to use the list, or add the list to the automated sensitive data discovery settings for your account. When those jobs run or automated discovery analysis starts for your account, Macie uses the latest version of the regex as part of its analysis. If Macie finds text that completely matches the pattern defined by the list, Macie doesn't report that occurrence of text as sensitive data.

For detailed requirements, recommendations, and examples of each type of list, see Allow list options and requirements. You can create as many as 10 allow lists for your account in each supported AWS Region, up to five allow lists that specify predefined text and up to five allow lists that specify regular expressions. You can create and use allow lists in all the AWS Regions where Macie is currently available except the Asia Pacific (Osaka) Region.

To create and manage allow lists, you can use the Amazon Macie console or the Amazon Macie API. The following topics explain how. For the API, the topics include examples of how to perform these tasks using the AWS Command Line Interface (AWS CLI). You can also perform these tasks by using a current version of another AWS command line tool or an AWS SDK, or by sending HTTPS requests directly to Macie. For information about AWS tools and SDKs, see Tools to Build on AWS.

Creating allow lists

How you create an allow list in Amazon Macie depends on the type of list that you want to create. An allow list can be a file that lists predefined text to ignore, or it can be a regular expression (regex) that defines a text pattern to ignore. Choose the section for the type of list that you want to create.

Predefined text

Before you create an allow list that specifies predefined text in Macie, take the following steps:

  1. By using a text editor, create a line-delimited plaintext file that lists specific text to ignore. For more information, see Syntax requirements for lists of predefined text.

  2. Upload the file to an S3 bucket and note the name of the bucket and the object. You'll need to enter these names when you configure the settings in Macie.

  3. Ensure that the settings for the S3 bucket and object allow you and Macie to retrieve the list from the bucket. For more information, see Storage requirements for lists of predefined text.

  4. If you encrypted the S3 object, ensure that it's encrypted with a key that you and Macie are allowed to use. For more information, see Encryption/Decryption requirements for lists of predefined text.
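The following is an added example, not code from the Macie documentation or the AWS SDK. It runs the local checks a practitioner would want before step 2 above (uploading the file): it flags the two list-content conditions this page says Macie later reports as errors, an empty object and a list that exceeds the per-list quota (fewer than 100,000 entries, less than 35 MB), notes duplicate entries, and splits an oversized list into chunks for separate S3 objects. The function names are hypothetical and the sample list is constructed; the assumption that the file is UTF-8 text is marked in the code.

```python
"""Pre-upload checks for a Macie predefined-text allow list file (added example)."""
from dataclasses import dataclass, field
from pathlib import Path
from typing import List

MAX_ENTRIES = 100_000              # page quota: each file must contain fewer than 100,000 entries
MAX_SIZE_BYTES = 35 * 1024 * 1024  # page quota: each file must be smaller than 35 MB


@dataclass
class ListReport:
    entries: int
    size_bytes: int
    duplicates: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_allow_list_bytes(raw: bytes) -> ListReport:
    """Validate the raw content of a line-delimited plaintext allow list."""
    report = ListReport(entries=0, size_bytes=len(raw))
    if not raw.strip():
        report.problems.append("file has no content (Macie status: Object is empty)")
        return report
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Assumption: the list is plain UTF-8 text; see the syntax requirements page
        report.problems.append("file is not UTF-8 text")
        return report
    # One entry per line; blank lines are not entries
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    report.entries = len(entries)
    seen = set()
    for entry in entries:
        if entry in seen and entry not in report.duplicates:
            report.duplicates.append(entry)  # harmless for Macie, but worth cleaning up
        seen.add(entry)
    if report.entries >= MAX_ENTRIES:
        report.problems.append(
            f"{report.entries} entries; Macie reports Quota exceeded at {MAX_ENTRIES}")
    if report.size_bytes >= MAX_SIZE_BYTES:
        report.problems.append(
            f"{report.size_bytes} bytes; Macie reports Quota exceeded at {MAX_SIZE_BYTES}")
    return report


def check_allow_list_file(path: Path) -> ListReport:
    """Convenience wrapper for a file on disk."""
    return check_allow_list_bytes(Path(path).read_bytes())


def split_entries(entries: List[str], per_file: int) -> List[List[str]]:
    """Split an oversized list into chunks, one per S3 object (the page's fix for Quota exceeded)."""
    if per_file < 1:
        raise ValueError("per_file must be positive")
    return [entries[i:i + per_file] for i in range(0, len(entries), per_file)]


# Constructed sample list: public contact details for a fictional organisation
SAMPLE_LIST = b"""Example Corp Press Office
+1-555-0100
press@example.com
+1-555-0100
"""

if __name__ == "__main__":
    report = check_allow_list_bytes(SAMPLE_LIST)
    print(f"entries={report.entries} size={report.size_bytes}B ok={report.ok}")
    print("duplicates:", report.duplicates)
    print("problems:", report.problems)
```

Run it against the real file with `check_allow_list_file(Path("mylist.txt"))` before uploading; if `split_entries` was needed, each chunk becomes its own S3 object and its own allow list, subject to the five-list limit per Region noted later on this page.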

After you take these steps, you're ready to configure the list's settings in Macie. You can configure the settings by using the Amazon Macie console or the Amazon Macie API.

Console

Follow these steps to configure the settings for an allow list by using the Amazon Macie console.

To configure allow list settings in Macie

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, under Settings, choose Allow lists.

  3. On the Allow lists page, choose Create.

  4. Under Select a list type, choose Predefined text.

  5. Under List settings, use the following options to enter additional settings for the allow list:

    • For Name, enter a name for the list. The name can contain as many as 128 characters.

    • For Description, optionally enter a brief description of the list. The description can contain as many as 512 characters.

    • For S3 bucket name, enter the full name of the bucket that stores the list.

      In Amazon S3, you can find this value in the Name field of the bucket's properties. This value is case sensitive. In addition, don't use wildcard characters or partial values when you enter the name.

    • For S3 object name, enter the full name of the S3 object that stores the list.

      In Amazon S3, you can find this value in the Key field of the object's properties. If the name includes a path, be sure to include the complete path when you enter the name, for example allowlists/macie/mylist.txt. This value is case sensitive. In addition, don't use wildcard characters or partial values when you enter the name.

  6. (Optional) Under Tags, choose Add tag, and then enter as many as 50 tags to assign to the allow list.

    A tag is a label that you define and assign to certain types of AWS resources. Each tag consists of a required tag key and an optional tag value. Tags can help you identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. To learn more, see Tagging Amazon Macie resources.

  7. When you finish, choose Create.

Macie tests the list's settings. Macie also verifies that it can retrieve the list from Amazon S3 and parse the list's content. If an error occurs, Macie displays a message that describes the error. For detailed information that can help you troubleshoot the error, see Options and requirements for lists of predefined text. After you address any errors, you can save the list's settings.

API

To configure allow list settings programmatically, use the CreateAllowList operation of the Amazon Macie API and specify the appropriate values for the required parameters.

For the criteria parameter, use an s3WordsList object to specify the name of the S3 bucket (bucketName) and the name of the S3 object (objectKey) that stores the list. To determine the bucket name, refer to the Name field in Amazon S3. To determine the object name, refer to the Key field in Amazon S3. Note that these values are case sensitive. In addition, don't use wildcard characters or partial values when you specify these names.

To configure the settings by using the AWS CLI, run the create-allow-list command and specify the appropriate values for the required parameters. The following examples show how to configure the settings for an allow list that's stored in an S3 bucket named DOC-EXAMPLE-BUCKET. The name of the S3 object that contains the list is allowlists/macie/mylist.txt.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws macie2 create-allow-list \
--criteria '{"s3WordsList":{"bucketName":"DOC-EXAMPLE-BUCKET","objectKey":"allowlists/macie/mylist.txt"}}' \
--name my_allow_list \
--description "Lists public phone numbers and names for Example Corp."

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

C:\> aws macie2 create-allow-list ^
--criteria={\"s3WordsList\":{\"bucketName\":\"DOC-EXAMPLE-BUCKET\",\"objectKey\":\"allowlists/macie/mylist.txt\"}} ^
--name my_allow_list ^
--description "Lists public phone numbers and names for Example Corp."

When you submit your request, Macie tests the list's settings. Macie also verifies that it can retrieve the list from Amazon S3 and parse the list's content. If an error occurs, your request fails and Macie returns a message that describes the error. For detailed information that can help you troubleshoot the error, see Options and requirements for lists of predefined text.

If Macie can retrieve and parse the list, your request succeeds and you receive output similar to the following.

{
    "arn": "arn:aws:macie2:us-west-2:123456789012:allow-list/nkr81bmtu2542yyexample",
    "id": "nkr81bmtu2542yyexample"
}

Where arn is the Amazon Resource Name (ARN) of the allow list that was created, and id is the unique identifier for the list.

After you save the list's settings, you can create and configure sensitive data discovery jobs to use the list, or add the list to the automated sensitive data discovery settings for your account. Each time those jobs start to run or the daily, automated discovery analysis cycle starts for your account, Macie retrieves the latest version of the list from Amazon S3. Macie then uses that version of the list when it analyzes data.

Regular expression

When you create an allow list that specifies a regular expression (regex), you define the regex and all other list settings directly in Macie. Macie supports a subset of the regex pattern syntax provided by the Perl Compatible Regular Expressions (PCRE) library. For more information, see Syntax support and recommendations.

You can create this type of list by using the Amazon Macie console or the Amazon Macie API.

Console

Follow these steps to create an allow list by using the Amazon Macie console.

To create an allow list

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, under Settings, choose Allow lists.

  3. On the Allow lists page, choose Create.

  4. Under Select a list type, choose Regular expression.

  5. Under List settings, use the following options to enter additional settings for the allow list:

    • For Name, enter a name for the list. The name can contain as many as 128 characters.

    • For Description, optionally enter a brief description of the list. The description can contain as many as 512 characters.

    • For Regular expression, enter the regex that defines the text pattern to ignore. The regex can contain as many as 512 characters.

  6. (Optional) For Evaluate, enter up to 1,000 characters in the Sample data box, and then choose Test to test the regex. Macie evaluates the sample data and reports the number of occurrences of text that matches the regex. You can repeat this step as many times as you like to refine and optimize the regex.

    Note

    We recommend that you test and refine the regex with multiple sets of sample data. If you create a regex that’s too general, Macie might ignore occurrences of text that you consider sensitive. If a regex is too specific, Macie might not ignore occurrences of text that you don’t consider sensitive.

  7. (Optional) Under Tags, choose Add tag, and then enter as many as 50 tags to assign to the allow list.

    A tag is a label that you define and assign to certain types of AWS resources. Each tag consists of a required tag key and an optional tag value. Tags can help you identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. To learn more, see Tagging Amazon Macie resources.

  8. When you finish, choose Create.

Macie tests the list's settings. Macie also tests the regex to verify that it can compile the expression. If an error occurs, Macie displays a message that describes the error. For detailed information that can help you troubleshoot the error, see Options and requirements for regular expressions in allow lists. After you address any errors, you can save the allow list.

API

Before you create this type of allow list in Macie, we recommend that you test and refine the regular expression with multiple sets of sample data. If you create a regex that’s too general, Macie might ignore occurrences of text that you consider sensitive. If a regex is too specific, Macie might not ignore occurrences of text that you don’t consider sensitive.

To test an expression with Macie, you can use the TestCustomDataIdentifier operation of the Amazon Macie API or, for the AWS CLI, run the test-custom-data-identifier command. Macie uses the same underlying code to compile expressions for allow lists and custom data identifiers. If you test an expression in this way, be sure to specify values only for the regex and sampleText parameters. Otherwise, you'll receive inaccurate results.
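The following is an added example, not code from the Macie documentation or the AWS SDK, that models locally the two behaviours this page describes before you spend API calls on TestCustomDataIdentifier or the console's Evaluate step: the Test button counts occurrences of text in sample data that match the regex, whereas at analysis time the allow list only ignores text that completely matches the regex. Run against constructed detections, it shows why the two can disagree: the page's sample pattern [a-z]@example.com yields the expected match count on sample data, because a single letter before the @ is enough for a partial match, yet under complete-match semantics it ignores only one-character local parts, and its unescaped dot also matches an address such as a@exampleXcom. It also flags a too-general pattern that would suppress text you consider sensitive. Python's re module stands in for Macie's PCRE subset, so confirm the final expression in Macie; the function names are hypothetical and the sample data is constructed.

```python
"""Local sanity checks for an allow list regex (added example)."""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class AllowListCheck:
    regex: str
    ignored: List[str] = field(default_factory=list)      # detections the list would suppress
    reported: List[str] = field(default_factory=list)     # detections Macie would still report
    too_general: List[str] = field(default_factory=list)  # sensitive items wrongly suppressed


def count_matches(regex: str, sample_text: str) -> int:
    """Mimic the console's Test button: occurrences in the sample that match the regex."""
    return sum(1 for _ in re.finditer(regex, sample_text))


def check_allow_list_regex(regex: str, detections: List[str], must_keep: List[str]) -> AllowListCheck:
    """Apply complete-match semantics to detected text and flag a too-general pattern."""
    pattern = re.compile(regex)  # raises re.error if the expression does not compile
    result = AllowListCheck(regex=regex)
    for text in detections:
        if pattern.fullmatch(text):
            result.ignored.append(text)
            if text in must_keep:
                result.too_general.append(text)
        else:
            result.reported.append(text)
    return result


# Constructed sample: what a custom data identifier for email addresses might detect
DETECTIONS = ["jane@example.com", "a@example.com", "jane@example.org", "a@exampleXcom"]
MUST_KEEP = ["jane@example.org"]  # another organisation's address: must stay reported
SAMPLE_TEXT = "Contact jane@example.com or bob@example.com; sales@example.org"

CANDIDATES = {
    "page example": r"[a-z]@example.com",
    "full local part, escaped dot": r"[a-z0-9._%+-]+@example\.com",
    "too general": r".*@example.*",
}

if __name__ == "__main__":
    for label, regex in CANDIDATES.items():
        res = check_allow_list_regex(regex, DETECTIONS, MUST_KEEP)
        print(f"{label}: Test count={count_matches(regex, SAMPLE_TEXT)} "
              f"ignored={res.ignored} reported={res.reported} too_general={res.too_general}")
```

The useful signal is the pair of results for each candidate: a good allow list regex has a plausible Test count, an `ignored` list that covers exactly the non-sensitive text, and an empty `too_general` list.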

When you're ready to create this type of allow list, use the CreateAllowList operation of the Amazon Macie API and specify the appropriate values for the required parameters. For the criteria parameter, use the regex field to specify the regular expression that defines the text pattern to ignore. The expression can contain as many as 512 characters.

To create this type of list by using the AWS CLI, run the create-allow-list command and specify the appropriate values for the required parameters. The following examples create an allow list named my_allow_list. The regex is designed to ignore all email addresses that a custom data identifier might otherwise detect for the example.com domain.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws macie2 create-allow-list \
--criteria '{"regex":"[a-z]@example.com"}' \
--name my_allow_list \
--description "Ignores all email addresses for Example Corp."

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

C:\> aws macie2 create-allow-list ^
--criteria={\"regex\":\"[a-z]@example.com\"} ^
--name my_allow_list ^
--description "Ignores all email addresses for Example Corp."

When you submit your request, Macie tests the list's settings. Macie also tests the regex to verify that it can compile the expression. If an error occurs, the request fails and Macie returns a message that describes the error. For detailed information that can help you troubleshoot the error, see Options and requirements for regular expressions in allow lists.

If Macie can compile the expression, the request succeeds and you receive output similar to the following:

{
    "arn": "arn:aws:macie2:us-west-2:123456789012:allow-list/km2d4y22hp6rv05example",
    "id": "km2d4y22hp6rv05example"
}

Where arn is the Amazon Resource Name (ARN) of the allow list that was created, and id is the unique identifier for the list.

After you save the list, you can create and configure sensitive data discovery jobs to use it, or add it to the automated sensitive data discovery settings for your account. Each time those jobs start to run or the daily automated discovery analysis cycle starts for your account, Macie retrieves the latest regex for the list. Macie then uses that regex when it analyzes data.

Checking the status of allow lists

It's important to check the status of your allow lists periodically. Otherwise, errors might cause Amazon Macie to produce unexpected results, such as sensitive data findings for text that you specified in a list.

If a sensitive data discovery job starts to run and Macie can't access or use an allow list for the job, the job continues to run. However, Macie doesn't use the list when it inspects S3 objects that you configured the job to analyze. Similarly, if the daily analysis cycle starts for automated sensitive data discovery and Macie can't access or use an allow list for the analysis, the analysis continues but Macie doesn't use the list.

Errors are unlikely to occur for an allow list that specifies a regular expression (regex). This is partly because Macie automatically tests the regex when you create or update the list's settings. In addition, you store the regex and all other list settings in Macie.

However, errors can occur for an allow list that specifies predefined text, partly because you store the list in Amazon S3, not Macie. Common causes of errors are:

  • The S3 bucket or object is deleted.

  • The S3 bucket or object is renamed and the list's settings in Macie don't specify the new name.

  • The bucket's permissions settings are changed and Macie loses access to the bucket and the object.

  • The encryption settings for the bucket are changed and Macie can't decrypt the object.

  • The policy for the encryption key is changed and Macie loses access to the key. Macie can't decrypt the object.

Important

Because these errors affect your analysis results, we recommend that you check the status of your allow lists periodically. We recommend that you also do this if you change the permissions or encryption settings for an S3 bucket that stores an allow list, or you change the policy for an AWS Key Management Service (AWS KMS) key that's used to encrypt a list.

You can check the status of your allow lists by using the Amazon Macie console or the Amazon Macie API. For detailed information that can help you troubleshoot errors that occur, see Options and requirements for lists of predefined text.

Console

Follow these steps to check the status of your allow lists by using the Amazon Macie console.

To check the status of your allow lists

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, under Settings, choose Allow lists.

  3. On the Allow lists page, choose the refresh button. Macie tests the settings for all of your allow lists and updates the Status field to indicate the current status of each list.

    If a list specifies a regular expression, its status is typically OK. This means that Macie can compile the expression. If a list specifies predefined text, its status can be any of the following values.

    OK

    Macie can retrieve and parse the contents of the list.

    Access denied

    Macie isn't allowed to access the S3 object that contains the list. Amazon S3 denied the request to retrieve the object. A list can also have this status if the object is encrypted with a customer managed AWS KMS key that Macie isn't allowed to use.

    To address this error, review the bucket policy and other permissions settings for the bucket and the object. Ensure that Macie is allowed to access and retrieve the object. If the object is encrypted with a customer managed AWS KMS key, also review the key policy and ensure that Macie is allowed to use the key.

    Error

    A transient or internal error occurred when Macie attempted to retrieve or parse the contents of the list. An allow list can also have this status if it's encrypted with an encryption key that Amazon S3 and Macie can't access or use.

    To address this error, wait a few minutes and then choose the refresh button again. If the status continues to be Error, check the encryption settings for the S3 object. Ensure that the object is encrypted with a key that Amazon S3 and Macie can access and use.

    Object is empty

    Macie can retrieve the list from Amazon S3 but the list doesn't contain any content.

    To address this error, download the object from Amazon S3 and ensure that it contains the correct entries. If the entries are correct, review the list's settings in Macie. Ensure that the specified bucket and object names are correct.

    Object not found

    The list doesn't exist in Amazon S3.

    To address this error, review the list's settings in Macie. Ensure that the specified bucket and object names are correct.

    Quota exceeded

    Macie can access the list in Amazon S3. However, the number of entries in the list or the storage size of the list exceeds the quota for an allow list.

    To address this error, break the list into multiple files. Ensure that each file contains fewer than 100,000 entries. Also ensure that the size of each file is less than 35 MB. Then, upload each file to Amazon S3. When you finish, configure allow list settings in Macie for each file. You can have as many as five lists of predefined text in each supported AWS Region.

    Throttled

    Amazon S3 throttled the request to retrieve the list.

    To address this error, wait a few minutes and then choose the refresh button again.

    User access denied

    Amazon S3 denied the request to retrieve the object. If the specified object exists, you're not allowed to access it or it's encrypted with an AWS KMS key that you're not allowed to use.

    To address this error, work with your AWS administrator to ensure that the list's settings specify the correct bucket and object names, and you have read access to the bucket and the object. If the object is encrypted, also ensure that it's encrypted with a key that you're allowed to use.

  4. To review the settings and status of a specific list, choose the list's name.

API

To check the status of an allow list programmatically, use the GetAllowList operation of the Amazon Macie API or, for the AWS CLI, run the get-allow-list command.

For the id parameter, specify the unique identifier for the allow list whose status you want to check. To get this identifier, you can use the ListAllowLists operation. The ListAllowLists operation retrieves information about all the allow lists for your account. If you're using the AWS CLI, you can run the list-allow-lists command to retrieve this information.

When you submit a GetAllowList request, Macie tests all the settings for the allow list. If the settings specify a regular expression (regex), Macie verifies that it can compile the expression. If the settings specify a list of predefined text, Macie verifies that it can retrieve and parse the list.

Macie then returns a GetAllowListResponse object that provides the details of the allow list. In the GetAllowListResponse object, the status object indicates the current status of the list: a status code (code) and, depending on the status code, a brief description of the list's status (description).

If the allow list specifies a regex, the status code is typically OK and there isn't an associated description. This means that Macie compiled the expression successfully.

If the allow list specifies predefined text, the status code varies depending on the test results:

  • If Macie retrieved and parsed the list successfully, the status code is OK and there isn't an associated description.

  • If an error prevented Macie from retrieving or parsing the list, the status code and description indicate the nature of the error that occurred.

For a list of possible status codes and a description of each one, see the AllowListStatus table in the Amazon Macie API Reference.
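The following is an added example, not code from the Macie documentation, of the periodic check this section recommends: it pages through ListAllowLists with nextToken, calls GetAllowList for each list (which makes Macie re-test the list), and reduces each response to its criteria type and the status object's code and description, so the rows can feed a scheduled job or alert. It uses the boto3 macie2 method names list_allow_lists and get_allow_list; the client is passed in, and the FakeMacieClient that replays constructed responses (including a constructed non-OK status; the real codes are in the AllowListStatus table) is there so the example runs offline. Replace it with boto3.client("macie2") to run it against your account. Helper names are hypothetical.

```python
"""Report the status of every allow list in the account via the Macie API (added example)."""
from dataclasses import dataclass
from typing import Any, List, Optional


@dataclass
class AllowListStatus:
    list_id: str
    name: str
    list_type: str          # "regex" or "s3WordsList", taken from the criteria object
    code: str               # status.code, OK when Macie could compile or retrieve the list
    description: Optional[str]

    @property
    def healthy(self) -> bool:
        return self.code == "OK"


def iter_allow_list_ids(macie: Any) -> List[str]:
    """Page through ListAllowLists (list-allow-lists) using nextToken."""
    ids, kwargs = [], {}
    while True:
        page = macie.list_allow_lists(**kwargs)
        ids.extend(item["id"] for item in page.get("allowLists", []))
        token = page.get("nextToken")
        if not token:
            return ids
        kwargs = {"nextToken": token}


def check_allow_list_statuses(macie: Any) -> List[AllowListStatus]:
    """GetAllowList makes Macie re-test each list and return its status object."""
    rows = []
    for list_id in iter_allow_list_ids(macie):
        detail = macie.get_allow_list(id=list_id)
        criteria = detail.get("criteria", {})
        status = detail.get("status", {})
        rows.append(AllowListStatus(
            list_id=list_id,
            name=detail.get("name", ""),
            list_type="regex" if "regex" in criteria else "s3WordsList",
            code=status.get("code", "UNKNOWN"),
            description=status.get("description"),
        ))
    return rows


def unhealthy(rows: List[AllowListStatus]) -> List[AllowListStatus]:
    """Lists whose status is anything other than OK: these are silently skipped by jobs."""
    return [r for r in rows if not r.healthy]


class FakeMacieClient:
    """Constructed stand-in for boto3.client("macie2") that replays sample responses offline."""

    def __init__(self) -> None:
        self._pages = [
            {"allowLists": [{"id": "list-regex-1", "name": "corp-emails"}], "nextToken": "page-2"},
            {"allowLists": [{"id": "list-words-1", "name": "public-contacts"}]},
        ]
        self._details = {
            "list-regex-1": {"name": "corp-emails",
                             "criteria": {"regex": r"[a-z0-9._%+-]+@example\.com"},
                             "status": {"code": "OK"}},
            "list-words-1": {"name": "public-contacts",
                             "criteria": {"s3WordsList": {"bucketName": "DOC-EXAMPLE-BUCKET",
                                                          "objectKey": "allowlists/macie/mylist.txt"}},
                             # constructed error response; see the AllowListStatus table for real codes
                             "status": {"code": "S3_OBJECT_NOT_FOUND",
                                        "description": "constructed: the object could not be found"}},
        }

    def list_allow_lists(self, **kwargs):
        return self._pages.pop(0)

    def get_allow_list(self, id):
        return self._details[id]


if __name__ == "__main__":
    client = FakeMacieClient()  # swap for boto3.client("macie2") to check a real account
    for row in check_allow_list_statuses(client):
        flag = "" if row.healthy else "  <-- needs attention"
        print(f"{row.list_id} {row.name} [{row.list_type}] {row.code} {row.description or ''}{flag}")
```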

Changing allow lists

After you create an allow list, you can change most of the list's settings in Amazon Macie. For example, you can change the list's name and description, and you can add and edit the list's tags. The only setting that you can't change is a list's type. For example, if an existing allow list specifies a regular expression, you can't change its type to predefined text.

If an allow list specifies predefined text, you can also change the entries in the list. To do this, update the file that contains the entries, and then upload the new version of the file to Amazon S3. The next time Macie prepares to use the list, Macie retrieves the latest version of the file from Amazon S3. When you upload the new file, ensure that you store it in the same S3 bucket and object. Or, if you change the name of the bucket or object, ensure that you update the list's settings in Macie.

You can change an allow list's settings by using the Amazon Macie console or the Amazon Macie API.

Console

Follow these steps to change the settings for an allow list by using the Amazon Macie console.

To change an allow list

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, under Settings, choose Allow lists.

  3. On the Allow lists page, choose the name of the allow list that you want to change. The allow list page opens and displays the current settings for the list.

  4. To assign or edit tags for the allow list, choose Manage tags in the Tags section. Then change the tags as necessary. When you finish, choose Save.

  5. To change other settings for the allow list, choose Edit in the List settings section. Then change the settings that you want:

    • Name – Enter a new name for the list. The name can contain as many as 128 characters.

    • Description – Enter a new description of the list. The description can contain as many as 512 characters.

    • If the allow list specifies predefined text:

      • S3 bucket name – Enter the full name of the bucket that currently stores the list.

        In Amazon S3, you can find this value in the Name field of the bucket's properties. This value is case sensitive. In addition, don't use wildcard characters or partial values when you enter the name.

      • S3 object name – Enter the full name of the S3 object that currently stores the list.

        In Amazon S3, you can find this value in the Key field of the object's properties. If the name includes a path, be sure to include the complete path when you enter the name, for example allowlists/macie/mylist.txt. This value is case sensitive. In addition, don't use wildcard characters or partial values when you enter the name.

    • If the allow list specifies a regular expression (regex), enter a new regex in the Regular expression box. The regex can contain as many as 512 characters.

      After you enter the new regex, optionally test it. To do this, enter up to 1,000 characters in the Sample data box, and then choose Test. Macie evaluates the sample data and reports the number of occurrences of text that matches the regex. You can repeat this step as many times as you like to refine and optimize the regex before you save your changes.

    When you finish changing the settings, choose Save.

Macie tests the list's settings. For a list of predefined text, Macie also verifies that it can retrieve the list from Amazon S3 and parse the list's content. For a regex, Macie also verifies that it can compile the expression. If an error occurs, Macie displays a message that describes the error. For detailed information that can help you troubleshoot the error, see Allow list options and requirements. After you address any errors, you can save your changes.

API

To change an allow list programmatically, use the UpdateAllowList operation of the Amazon Macie API or, for the AWS CLI, run the update-allow-list command. In your request, use the supported parameters to specify a new value for each setting that you want to change. Note that the criteria, id, and name parameters are required. If you don't want to change the value for a required parameter, specify the current value for the parameter.

For example, the following command changes the name and description of an existing allow list. The example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

C:\> aws macie2 update-allow-list ^
--id km2d4y22hp6rv05example ^
--name my_allow_list-email ^
--criteria={\"regex\":\"[a-z]@example.com\"} ^
--description "Ignores all email addresses for the example.com domain"

Where:

  • km2d4y22hp6rv05example is the unique identifier for the list.

  • my_allow_list-email is the new name for the list.

  • [a-z]@example.com is the list's criteria, a regular expression.

  • Ignores all email addresses for the example.com domain is the new description for the list.

When you submit your request, Macie tests the list's settings. If the list specifies predefined text, this includes verifying that Macie can retrieve the list from Amazon S3 and parse the list's content. If the list specifies a regex, this includes verifying that Macie can compile the expression.

If an error occurs when Macie tests the settings, your request fails and Macie returns a message that describes the error. For detailed information that can help you troubleshoot the error, see Allow list options and requirements. If the request fails for another reason, Macie returns an HTTP 4xx or 500 response that indicates why the operation failed.

If your request succeeds, Macie updates the list's settings and you receive output similar to the following.

{
    "arn": "arn:aws:macie2:us-west-2:123456789012:allow-list/km2d4y22hp6rv05example",
    "id": "km2d4y22hp6rv05example"
}

Where arn is the Amazon Resource Name (ARN) of the allow list that was updated, and id is the unique identifier for the list.
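The following is an added example, not code from the Macie documentation, that handles the caveat above about required parameters: because criteria, id, and name must be sent on every UpdateAllowList call, a description-only change first reads the current values with GetAllowList and resends them unchanged, so a script cannot accidentally overwrite the regex or S3 location with a stale copy. It uses the boto3 macie2 method names get_allow_list and update_allow_list; the helper and the FakeMacieClient (which records the request it receives, seeded with the page's sample list) are hypothetical and constructed so the example runs offline.

```python
"""Change only an allow list's description while resending the required settings (added example)."""
from typing import Any, Dict


def update_description(macie: Any, list_id: str, description: str) -> Dict[str, Any]:
    """Send UpdateAllowList with the current criteria and name plus the new description."""
    current = macie.get_allow_list(id=list_id)
    if current.get("status", {}).get("code") != "OK":
        # Macie re-tests the settings on update, so a broken list would make the request fail anyway;
        # surface the status instead of a generic error
        raise RuntimeError(f"list {list_id} is not healthy: {current.get('status')}")
    return macie.update_allow_list(
        id=list_id,
        name=current["name"],          # required: resend unchanged
        criteria=current["criteria"],  # required: resend unchanged (regex or s3WordsList)
        description=description,
    )


class FakeMacieClient:
    """Constructed stand-in for boto3.client("macie2") that records the update it receives."""

    def __init__(self) -> None:
        self.store = {
            "km2d4y22hp6rv05example": {
                "id": "km2d4y22hp6rv05example",
                "name": "my_allow_list",
                "criteria": {"regex": "[a-z]@example.com"},
                "description": "Ignores all email addresses for Example Corp.",
                "status": {"code": "OK"},
            }
        }
        self.last_update = None

    def get_allow_list(self, id):
        return dict(self.store[id])

    def update_allow_list(self, **kwargs):
        self.last_update = kwargs
        entry = self.store[kwargs["id"]]
        entry.update(name=kwargs["name"], criteria=kwargs["criteria"],
                     description=kwargs.get("description"))
        return {"arn": f"arn:aws:macie2:us-west-2:123456789012:allow-list/{entry['id']}",
                "id": entry["id"]}


if __name__ == "__main__":
    client = FakeMacieClient()  # swap for boto3.client("macie2") to update a real list
    print(update_description(client, "km2d4y22hp6rv05example",
                             "Ignores all email addresses for the example.com domain"))
    print("request sent:", client.last_update)
```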

Deleting allow lists

When you delete an allow list in Amazon Macie, you permanently delete all the list's settings. These settings can't be recovered after they're deleted. If the settings specify a list of predefined text that you store in Amazon S3, Macie doesn't delete the S3 object that contains the list. Only the settings in Macie are deleted.

If you configure sensitive data discovery jobs to use an allow list and you subsequently delete the list, the jobs will run as scheduled. However, your job results, both sensitive data findings and sensitive data discovery results, might report text that you previously specified in an allow list. Similarly, if you configure automated sensitive data discovery to use a list and you subsequently delete the list, daily analysis cycles will proceed. However, your sensitive data discovery statistics and other types of results might report text that you previously specified in an allow list.

Before you delete an allow list, we recommend that you review your job inventory to identify jobs that use the list and are scheduled to run in the future. In the inventory, the details panel indicates whether a job is configured to use any allow lists and, if so, which ones. In addition, check the automated sensitive data discovery settings for your account. You might determine that it's best to change a list instead of deleting it.

As an additional safeguard, Macie checks the settings for all of your jobs when you try to delete an allow list. If you configured jobs to use the list and any of those jobs have a status other than Complete or Cancelled, Macie doesn't delete the list unless you provide additional confirmation.

You can delete an allow list by using the Amazon Macie console or the Amazon Macie API.

Console

Follow these steps to delete an allow list by using the Amazon Macie console.

To delete an allow list

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, under Settings, choose Allow lists.

  3. On the Allow lists page, select the check box for the allow list that you want to delete.

  4. On the Actions menu, choose Delete.

  5. When prompted for confirmation, enter delete, and then choose Delete.

API

To delete an allow list programmatically, use the DeleteAllowList operation of the Amazon Macie API. For the id parameter, specify the unique identifier for the allow list to delete. You can get this identifier by using the ListAllowLists operation. The ListAllowLists operation retrieves information about all the allow lists for your account. If you're using the AWS CLI, you can run the list-allow-lists command to retrieve this information.

For the ignoreJobChecks parameter, specify whether to force deletion of the list, even if sensitive data discovery jobs are configured to use the list:

  • If you specify false, Macie checks the settings for all of your jobs that have a status other than COMPLETE or CANCELLED. If none of those jobs are configured to use the list, Macie deletes the list permanently. If any of those jobs are configured to use the list, Macie rejects your request and returns an HTTP 400 (ValidationException) error. The error message indicates the number of applicable jobs for up to 200 jobs.

  • If you specify true, Macie deletes the list permanently without checking the settings for any of your jobs.

To delete an allow list by using the AWS CLI, run the delete-allow-list command. For example:

C:\> aws macie2 delete-allow-list --id nkr81bmtu2542yyexample --ignore-job-checks false

Where nkr81bmtu2542yyexample is the unique identifier for the allow list to delete.

If your request succeeds, Macie returns an empty HTTP 200 response. Otherwise, Macie returns an HTTP 4xx or 500 response that indicates why the operation failed.

If the allow list specified predefined text, you can optionally delete the S3 object that contains the list. However, keeping this object can help ensure that you have an immutable history of sensitive data findings and sensitive data discovery results for data privacy and protection audits or investigations.
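The following is an added example, not code from the Macie documentation, of the deletion path this section describes with the job check kept on: it calls DeleteAllowList with ignoreJobChecks set to false and, when Macie rejects the request with the HTTP 400 ValidationException because jobs with a status other than COMPLETE or CANCELLED still use the list, returns the message to the caller instead of retrying with the check disabled. It uses the boto3 macie2 method name delete_allow_list and reads the error code the way botocore's ClientError exposes it (exc.response["Error"]["Code"]); the helper, the FakeClientError and the FakeMacieClient are constructed so the example runs offline.

```python
"""Delete an allow list only when no active job still uses it (added example)."""
from dataclasses import dataclass
from typing import Any, Optional


@dataclass
class DeleteResult:
    list_id: str
    deleted: bool
    blocked_reason: Optional[str] = None


def _service_error(exc: Exception) -> dict:
    # botocore.exceptions.ClientError carries the service error in exc.response["Error"]
    return getattr(exc, "response", {}).get("Error", {})


def delete_allow_list_safely(macie: Any, list_id: str) -> DeleteResult:
    """DeleteAllowList with ignoreJobChecks=False; report, rather than force, a list in use."""
    try:
        macie.delete_allow_list(id=list_id, ignoreJobChecks=False)
    except Exception as exc:
        error = _service_error(exc)
        if error.get("Code") == "ValidationException":
            # Macie found jobs with a status other than COMPLETE or CANCELLED that use the list;
            # the message states how many (up to 200). Review those jobs before forcing deletion.
            return DeleteResult(list_id, False, error.get("Message", str(exc)))
        raise  # any other failure (access denied, throttling, ...) propagates
    return DeleteResult(list_id, True)


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError with the same .response shape."""

    def __init__(self, code: str, message: str) -> None:
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeMacieClient:
    """Constructed stand-in for boto3.client("macie2") with a set of lists still used by jobs."""

    def __init__(self, in_use_by_jobs) -> None:
        self.in_use_by_jobs = set(in_use_by_jobs)
        self.deleted = []

    def delete_allow_list(self, id, ignoreJobChecks):
        if id in self.in_use_by_jobs and not ignoreJobChecks:
            raise FakeClientError("ValidationException",
                                  "constructed: 2 jobs are configured to use this allow list")
        self.deleted.append(id)
        return {}  # Macie returns an empty HTTP 200 response on success


if __name__ == "__main__":
    client = FakeMacieClient({"list-in-use"})  # swap for boto3.client("macie2") for a real account
    for list_id in ("nkr81bmtu2542yyexample", "list-in-use"):
        result = delete_allow_list_safely(client, list_id)
        print(result)
```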