Creating and managing allow lists
In Amazon Macie, an allow list defines specific text or a text pattern that you want Macie to
ignore when it inspects Amazon Simple Storage Service (Amazon S3) objects for sensitive data. If text matches an entry or
pattern in an allow list, Macie doesn’t report the text in sensitive data findings, statistics,
or other types of results, even if the text matches the criteria of a managed data identifier or a custom data identifier.
You can create and manage the following types of allow lists in Macie.
- Predefined text
  Use this type of list to specify words, phrases, and other kinds of character sequences that aren’t sensitive, aren’t likely to change, and don’t necessarily adhere to a common pattern. Examples are the names of public representatives for your organization, specific phone numbers, and specific sample data that your organization uses for testing. If you use this type of list, Macie ignores text that exactly matches an entry in the list.
  For this type of list, you create a line-delimited plaintext file that lists specific text to ignore. You then store the file in an S3 bucket and configure settings for Macie to access the list in the bucket. You can then create and configure sensitive data discovery jobs to use the list, or add the list to the automated sensitive data discovery settings for your account. When each job starts to run or the next automated discovery analysis cycle starts, Macie retrieves the latest version of the list from Amazon S3. Macie then uses that version of the list when it inspects S3 objects for sensitive data. If Macie finds text that exactly matches an entry in the list, Macie doesn't report that occurrence of text as sensitive data.
- Regular expression
  Use this type of list to specify a regular expression (regex) that defines a text pattern to ignore. Examples are public phone numbers for your organization, email addresses for your organization’s domain, and patterned sample data that your organization uses for testing. If you use this type of list, Macie ignores text that completely matches the regex pattern defined by the list.
  For this type of list, you create a regex that defines a common pattern for text that isn't sensitive but varies or is likely to change. Unlike a list of predefined text, you create and store the regex and all other list settings in Macie. You can then create and configure sensitive data discovery jobs to use the list, or add the list to the automated sensitive data discovery settings for your account. When those jobs run or Macie performs automated discovery for your account, Macie uses the latest version of the list's regex to analyze data. If Macie finds text that completely matches the pattern defined by the list, Macie doesn't report that occurrence of text as sensitive data.
For detailed requirements, recommendations, and examples of each type of list, see Allow list options and
requirements. You can create as
many as 10 allow lists for your account in each supported AWS Region, up to five allow lists
that specify predefined text and up to five allow lists that specify regular expressions. You
can create and use allow lists in all the AWS Regions where Macie is currently available
except the Asia Pacific (Osaka) Region.
To create and manage allow lists, you can use the Amazon Macie console or the Amazon Macie API.
The following topics explain how. For the API, the topics include examples of how to perform
these tasks by using the AWS Command Line Interface (AWS CLI). You can also
perform these tasks by using a current version of another AWS command line tool or an AWS
SDK, or by sending HTTPS requests directly to Macie. For information about AWS tools and SDKs,
see Tools to Build on AWS.
Creating allow lists
How you create an allow list in Amazon Macie depends on the type of list that you want to
create. An allow list can be a file that lists predefined text to ignore, or it can be a
regular expression (regex) that defines a text pattern to
ignore. Choose the section for the type of list that you want to create.
Before you create an allow list that specifies predefined text in Macie, take the following steps:
- By using a text editor, create a line-delimited plaintext file that lists specific text to ignore—for example, a .txt, .text, or .plain file. For more information, see Syntax requirements.
- Upload the file to an S3 general purpose bucket and note the name of the bucket and the object. You'll need to enter these names when you configure the settings in Macie.
- Ensure that the settings for the S3 bucket and object allow you and Macie to retrieve the list from the bucket. For more information, see Storage requirements.
- If you encrypted the S3 object, ensure that it's encrypted with a key that you and Macie are allowed to use. For more information, see Encryption/Decryption requirements.
After you take these steps, you're ready to configure the list's settings in Macie.
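The following Python script is an added example, not code from the Macie documentation or any AWS tool. It checks a predefined-text list file against the limits this page states before you upload it to S3: the file must not be empty, must contain fewer than 100,000 entries, and must be smaller than 35 MB. The function and class names (check_allow_list_text, check_allow_list_file, AllowListReport) and the whitespace and duplicate warnings are assumptions made here.

```python
"""Pre-flight check for a Macie predefined-text allow list file (added example)."""
from dataclasses import dataclass, field
from pathlib import Path

MAX_ENTRIES = 100_000           # a file must contain fewer entries than this
MAX_BYTES = 35 * 1024 * 1024    # and be smaller than 35 MB


@dataclass
class AllowListReport:
    """Result of checking one list file."""
    entries: int = 0
    size_bytes: int = 0
    problems: list = field(default_factory=list)   # Macie would reject or fail the list
    warnings: list = field(default_factory=list)   # worth a look, not fatal (heuristic)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_allow_list_text(text: str) -> AllowListReport:
    """Check list content against the limits this page states for predefined text."""
    report = AllowListReport(size_bytes=len(text.encode("utf-8")))
    lines = text.splitlines()
    entries = [line for line in lines if line.strip()]
    report.entries = len(entries)

    if report.entries == 0:
        report.problems.append("file has no entries (Macie reports 'Object is empty')")
    if report.entries >= MAX_ENTRIES:
        report.problems.append(
            f"{report.entries} entries; a file must contain fewer than {MAX_ENTRIES} "
            "(Macie reports 'Quota exceeded'); split the list into several files")
    if report.size_bytes >= MAX_BYTES:
        report.problems.append(
            f"{report.size_bytes} bytes; a file must be smaller than 35 MB "
            "(Macie reports 'Quota exceeded'); split the list into several files")

    # Macie matches entries exactly, so stray whitespace or a repeated line is
    # usually a mistake in the file rather than an intended entry (heuristic).
    seen = set()
    for number, line in enumerate(lines, start=1):
        if line and line != line.strip():
            report.warnings.append(f"line {number}: leading or trailing whitespace")
        if line.strip() and line in seen:
            report.warnings.append(f"line {number}: duplicate entry {line!r}")
        seen.add(line)
    return report


def check_allow_list_file(path: str) -> AllowListReport:
    """Read a list file from disk and check it before uploading it to S3."""
    return check_allow_list_text(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Constructed sample list, like the public names and numbers the page describes.
    sample = "Jane Doe\n555-0100\nJane Doe \n\n555-0100\n"
    result = check_allow_list_text(sample)
    print(f"entries={result.entries} ok={result.ok}")
    for item in result.problems + result.warnings:
        print(" ", item)
```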
You can configure the settings by using the Amazon Macie console or the Amazon Macie API.
- Console
Follow these steps to configure the settings for an allow list by using the Amazon Macie console.
To configure allow list settings in Macie
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- In the navigation pane, under Settings, choose Allow lists.
- On the Allow lists page, choose Create.
- Under Select a list type, choose Predefined text.
- Under List settings, use the following options to enter additional settings for the allow list:
  - For Name, enter a name for the list. The name can contain as many as 128 characters.
  - For Description, optionally enter a brief description of the list. The description can contain as many as 512 characters.
  - For S3 bucket name, enter the name of the bucket that stores the list.
    In Amazon S3, you can find this value in the Name field of the bucket's properties. This value is case sensitive. In addition, don't use wildcard characters or partial values when you enter the name.
  - For S3 object name, enter the name of the S3 object that stores the list.
    In Amazon S3, you can find this value in the Key field of the object's properties. If the name includes a path, be sure to include the complete path when you enter the name, for example allowlists/macie/mylist.txt. This value is case sensitive. In addition, don't use wildcard characters or partial values when you enter the name.
- (Optional) Under Tags, choose Add tag, and then enter as many as 50 tags to assign to the allow list.
  A tag is a label that you define and assign to certain types of AWS resources. Each tag consists of a required tag key and an optional tag value. Tags can help you identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. To learn more, see Tagging Macie resources.
- When you finish, choose Create.
  Macie tests the list's settings. Macie also verifies that it can retrieve the list from Amazon S3 and parse the list's content. If an error occurs, Macie displays a message that describes the error. For detailed information that can help you troubleshoot the error, see Options and requirements for lists of predefined text. After you address any errors, you can save the list's settings.
- API
To configure allow list settings programmatically, use the CreateAllowList operation of the Amazon Macie API and specify the appropriate values for the required parameters. For the criteria parameter, use an s3WordsList object to specify the name of the S3 bucket (bucketName) and the name of the S3 object (objectKey) that stores the list. To determine the bucket name, refer to the Name field in Amazon S3. To determine the object name, refer to the Key field in Amazon S3. Note that these values are case sensitive. In addition, don't use wildcard characters or partial values when you specify these names.
To configure the settings by using the AWS CLI, run the create-allow-list command and specify the appropriate values for the required parameters. The following examples show how to configure the settings for an allow list that's stored in an S3 bucket named amzn-s3-demo-bucket. The name of the S3 object that stores the list is allowlists/macie/mylist.txt.
This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws macie2 create-allow-list \
--criteria '{"s3WordsList":{"bucketName":"amzn-s3-demo-bucket","objectKey":"allowlists/macie/mylist.txt"}}' \
--name my_allow_list \
--description "Lists public phone numbers and names for Example Corp."
This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.
C:\> aws macie2 create-allow-list ^
--criteria={\"s3WordsList\":{\"bucketName\":\"amzn-s3-demo-bucket\",\"objectKey\":\"allowlists/macie/mylist.txt\"}} ^
--name my_allow_list ^
--description "Lists public phone numbers and names for Example Corp."
When you submit your request, Macie tests the list's settings. Macie also
verifies that it can retrieve the list from Amazon S3 and parse the list's content. If an
error occurs, your request fails and Macie returns a message that describes the
error. For detailed information that can help you troubleshoot the error, see Options and requirements for lists of
predefined text.
If Macie can retrieve and parse the list, your request succeeds and you receive
output similar to the following.
{
"arn": "arn:aws:macie2:us-west-2:123456789012:allow-list/nkr81bmtu2542yyexample",
"id": "nkr81bmtu2542yyexample"
}
Where arn is the Amazon Resource Name (ARN) of the allow list that was created, and id is the unique identifier for the list.
After you save the list's settings, you can create and configure sensitive data discovery jobs to use the list, or add the list to your automated sensitive data discovery settings.
Each time those jobs start to run or an automated discovery analysis cycle starts, Macie retrieves the
latest version of the list from Amazon S3. Macie then uses that version of the list when it
analyzes data.
When you create an allow list that specifies a regular expression (regex), you define the regex and all other list settings
directly in Macie. Macie supports a subset of the regex pattern syntax provided by the
Perl Compatible Regular Expressions (PCRE)
library. For more information, see Syntax support and recommendations.
You can create this type of list by using the Amazon Macie console or the Amazon Macie API.
- Console
Follow these steps to create an allow list by using the Amazon Macie console.
To create an allow list
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- In the navigation pane, under Settings, choose Allow lists.
- On the Allow lists page, choose Create.
- Under Select a list type, choose Regular expression.
- Under List settings, use the following options to enter additional settings for the allow list:
  - For Name, enter a name for the list. The name can contain as many as 128 characters.
  - For Description, optionally enter a brief description of the list. The description can contain as many as 512 characters.
  - For Regular expression, enter the regex that defines the text pattern to ignore. The regex can contain as many as 512 characters.
  - (Optional) For Evaluate, enter up to 1,000 characters in the Sample data box, and then choose Test to test the regex. Macie evaluates the sample data and reports the number of occurrences of text that match the regex. You can repeat this step as many times as you like to refine and optimize the regex.
    We recommend that you test and refine the regex with multiple sets of sample data. If you create a regex that’s too general, Macie might ignore occurrences of text that you consider sensitive. If a regex is too specific, Macie might not ignore occurrences of text that you don’t consider sensitive.
- (Optional) Under Tags, choose Add tag, and then enter as many as 50 tags to assign to the allow list.
  A tag is a label that you define and assign to certain types of AWS resources. Each tag consists of a required tag key and an optional tag value. Tags can help you identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. To learn more, see Tagging Macie resources.
- When you finish, choose Create.
  Macie tests the list's settings. Macie also tests the regex to verify that it can compile the expression. If an error occurs, Macie displays a message that describes the error. For detailed information that can help you troubleshoot the error, see Options and requirements for regular expressions. After you address any errors, you can save the allow list.
- API
Before you create this type of allow list in Macie, we recommend that you test and refine the regular expression with multiple sets of sample data. If you create a regex that’s too general, Macie might ignore occurrences of text that you consider sensitive. If a regex is too specific, Macie might not ignore occurrences of text that you don’t consider sensitive.
To test an expression with Macie, you can use the TestCustomDataIdentifier operation of the Amazon Macie API or, for the AWS CLI, run the test-custom-data-identifier command. Macie uses the same underlying code to compile expressions for allow lists and custom data identifiers. If you test an expression in this way, be sure to specify values only for the regex and sampleText parameters. Otherwise, you'll receive inaccurate results.
When you're ready to create this type of allow list, use the CreateAllowList operation of the Amazon Macie API and specify the appropriate values for the required parameters. For the criteria parameter, use the regex field to specify the regular expression that defines the text pattern to ignore. The expression can contain as many as 512 characters.
To create this type of list by using the AWS CLI, run the create-allow-list command and specify the appropriate values for the required parameters. The following examples create an allow list named my_allow_list. The regex is designed to ignore all email addresses that a custom data identifier might otherwise detect for the example.com domain.
This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws macie2 create-allow-list \
--criteria '{"regex":"[a-z]@example.com"}' \
--name my_allow_list \
--description "Ignores all email addresses for Example Corp."
This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.
C:\> aws macie2 create-allow-list ^
--criteria={\"regex\":\"[a-z]@example.com\"} ^
--name my_allow_list ^
--description "Ignores all email addresses for Example Corp."
When you submit your request, Macie tests the list's settings. Macie also tests
the regex to verify that it can compile the expression. If an error occurs, the
request fails and Macie returns a message that describes the error. For detailed
information that can help you troubleshoot the error, see Options and requirements for regular
expressions.
If Macie can compile the expression, the request succeeds and you receive output
similar to the following:
{
"arn": "arn:aws:macie2:us-west-2:123456789012:allow-list/km2d4y22hp6rv05example",
"id": "km2d4y22hp6rv05example"
}
Where arn is the Amazon Resource Name (ARN) of the allow list that was created, and id is the unique identifier for the list.
After you save the list, you can create and
configure sensitive data discovery jobs to use it, or add it to your automated sensitive data discovery settings. When
those jobs run or Macie performs automated discovery for your account, Macie uses the latest version of
the list's regex to analyze data.
Checking the status of allow lists
It's important to check the status of your allow lists periodically. Otherwise, errors
might cause Amazon Macie to produce unexpected analysis results, such as sensitive data findings
for text that you specified in an allow list.
If you configure a sensitive data discovery job to use an allow list and Macie can't
access or use the list when the job starts to run, the job continues to run. However, Macie
doesn't use the list when it analyzes S3 objects. Similarly, if an analysis cycle starts for
automated sensitive data discovery and Macie can't access or use a specified allow list, the analysis continues but
Macie doesn't use the list.
Errors are unlikely to occur for an allow list that specifies a regular expression
(regex). This is partly because Macie automatically tests
the regex when you create or update the list's settings. In addition, you store the regex and
all other list settings in Macie.
However, errors can occur for an allow list that specifies predefined text, partly because
you store the list in Amazon S3 instead of Macie. Common causes of errors are:
- The S3 bucket or object is deleted.
- The S3 bucket or object is renamed and the list's settings in Macie don't specify the new name.
- The S3 bucket's permissions settings are changed and Macie loses access to the bucket and the object.
- The encryption settings for the S3 bucket are changed and Macie can't decrypt the object that stores the list.
- The policy for the encryption key is changed and Macie loses access to the key. Macie can't decrypt the S3 object that stores the list.
Because these errors affect your analyses' results, we recommend that you check the
status of your allow lists periodically. We recommend that you also do this if you change
the permissions or encryption settings for an S3 bucket that stores an allow list, or you
change the policy for an AWS Key Management Service (AWS KMS) key that's used to encrypt a list.
You can check the status of your allow lists by using the Amazon Macie console or the
Amazon Macie API. For detailed information that can help you troubleshoot errors that occur, see
Options and requirements for lists of
predefined text.
- Console
Follow these steps to check the status of your allow lists by using the Amazon Macie console.
To check the status of your allow lists
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- In the navigation pane, under Settings, choose Allow lists.
- On the Allow lists page, choose refresh.
  Macie tests the settings for all of your allow lists and updates the Status field to indicate the current status of each list.
  If a list specifies a regular expression, its status is typically OK. This means that Macie can compile the expression. If a list specifies predefined text, its status can be any of the following values.
  - OK
    Macie can retrieve and parse the contents of the list.
  - Access denied
    Macie isn't allowed to access the S3 object that stores the list. Amazon S3 denied the request to retrieve the object. A list can also have this status if the object is encrypted with a customer managed AWS KMS key that Macie isn't allowed to use.
    To address this error, review the bucket policy and other permissions settings for the bucket and the object. Ensure that Macie is allowed to access and retrieve the object. If the object is encrypted with a customer managed AWS KMS key, also review the key policy and ensure that Macie is allowed to use the key.
  - Error
    A transient or internal error occurred when Macie attempted to retrieve or parse the contents of the list. An allow list can also have this status if it's encrypted with an encryption key that Amazon S3 and Macie can't access or use.
    To address this error, wait a few minutes and then choose refresh again. If the status continues to be Error, check the encryption settings for the S3 object. Ensure that the object is encrypted with a key that Amazon S3 and Macie can access and use.
  - Object is empty
    Macie can retrieve the list from Amazon S3 but the list doesn't contain any content.
    To address this error, download the object from Amazon S3 and ensure that it contains the correct entries. If the entries are correct, review the list's settings in Macie. Ensure that the specified bucket and object names are correct.
  - Object not found
    The list doesn't exist in Amazon S3.
    To address this error, review the list's settings in Macie. Ensure that the specified bucket and object names are correct.
  - Quota exceeded
    Macie can access the list in Amazon S3. However, the number of entries in the list or the storage size of the list exceeds the quota for an allow list.
    To address this error, break the list into multiple files. Ensure that each file contains fewer than 100,000 entries. Also ensure that the size of each file is less than 35 MB. Then, upload each file to Amazon S3. When you finish, configure allow list settings in Macie for each file. You can have as many as five lists of predefined text in each supported AWS Region.
  - Throttled
    Amazon S3 throttled the request to retrieve the list.
    To address this error, wait a few minutes and then choose refresh again.
  - User access denied
    Amazon S3 denied the request to retrieve the object. If the specified object exists, you're not allowed to access it or it's encrypted with an AWS KMS key that you're not allowed to use.
    To address this error, work with your AWS administrator to ensure that the list's settings specify the correct bucket and object names, and you have read access to the bucket and the object. If the object is encrypted, also ensure that it's encrypted with a key that you're allowed to use.
- To review the settings and status of a specific list, choose the list's name.
- API
To check the status of an allow list programmatically, use the GetAllowList operation of the Amazon Macie API or, for the AWS CLI, run the get-allow-list command. For the id parameter, specify the unique identifier for the allow list whose status you want to check. To get this identifier, you can use the ListAllowLists operation. The ListAllowLists operation retrieves information about all the allow lists for your account. If you're using the AWS CLI, you can run the list-allow-lists command to retrieve this information.
When you submit a GetAllowList request, Macie tests all the settings for the allow list. If the settings specify a regular expression (regex), Macie verifies that it can compile the expression. If the settings specify a list of predefined text, Macie verifies that it can retrieve and parse the list.
Macie then returns a GetAllowListResponse object that provides the details of the allow list. In the GetAllowListResponse object, the status object indicates the current status of the list: a status code (code) and, depending on the status code, a brief description of the list's status (description).
If the allow list specifies a regex, the status code is typically OK and there isn't an associated description. This means that Macie compiled the expression successfully.
If the allow list specifies predefined text, the status code varies depending on the test results:
- If Macie retrieved and parsed the list successfully, the status code is OK and there isn't an associated description.
- If an error prevented Macie from retrieving or parsing the list, the status code and description indicate the nature of the error that occurred.
For a list of possible status codes and a description of each one, see AllowListStatus in the Amazon Macie API Reference.
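The following Python script is an added example, not the documentation's or AWS's own code. It automates the periodic check described above: it pages through ListAllowLists, calls GetAllowList for each list, and returns every list whose status code is not OK together with the remediation this page gives for the matching console status. It assumes a boto3-style macie2 client (list_allow_lists, get_allow_list); the FakeMacieClient and the sample lists are constructed so it runs offline, and the status code names are taken from the AllowListStatus type in the API reference, not from this page.

```python
"""Audit the status of every Macie allow list in an account (added example)."""

# Status codes from the AllowListStatus type in the Amazon Macie API Reference
# (assumed here; this page refers to that type rather than listing the codes).
# Each maps to the remediation this page gives for the matching console status.
REMEDIATION = {
    "S3_OBJECT_NOT_FOUND": "Object not found: check the bucket and object names in the list's settings.",
    "S3_OBJECT_ACCESS_DENIED": "Access denied: review the bucket policy, object permissions and, if encrypted, the KMS key policy for Macie.",
    "S3_USER_ACCESS_DENIED": "User access denied: confirm you have read access to the bucket and object and can use the KMS key.",
    "S3_OBJECT_EMPTY": "Object is empty: check the file's contents and the bucket and object names.",
    "S3_OBJECT_OVERSIZE": "Quota exceeded: split the list into files of fewer than 100,000 entries and under 35 MB.",
    "S3_THROTTLED": "Throttled: wait a few minutes and check again.",
    "UNKNOWN_ERROR": "Error: retry; if it persists, check the object's encryption settings.",
}


def audit_allow_lists(client):
    """Return one record per allow list whose status code is not OK.

    ``client`` needs list_allow_lists() and get_allow_list(id=...), the shape of a
    boto3 ``macie2`` client; ListAllowLists is paginated with nextToken.
    """
    findings = []
    kwargs = {}
    while True:
        page = client.list_allow_lists(**kwargs)
        for summary in page.get("allowLists", []):
            detail = client.get_allow_list(id=summary["id"])
            status = detail.get("status") or {}
            code = status.get("code", "UNKNOWN_ERROR")
            if code == "OK":
                continue
            criteria = detail.get("criteria") or {}
            findings.append({
                "id": detail["id"],
                "name": detail.get("name", ""),
                "type": "regex" if "regex" in criteria else "predefined_text",
                "code": code,
                "macie_message": status.get("description", ""),
                "remediation": REMEDIATION.get(
                    code, "Unrecognised status code; see AllowListStatus in the API reference."),
            })
        token = page.get("nextToken")
        if not token:
            return findings
        kwargs = {"nextToken": token}


class FakeMacieClient:
    """Constructed stand-in for boto3.client("macie2") so the example runs offline."""

    def __init__(self, lists, page_size=2):
        self._lists = lists          # id -> GetAllowList-like response
        self._page_size = page_size

    def list_allow_lists(self, nextToken=None, **_):
        start = int(nextToken) if nextToken else 0
        ids = list(self._lists)[start:start + self._page_size]
        out = {"allowLists": [{"id": i, "name": self._lists[i]["name"]} for i in ids]}
        if start + self._page_size < len(self._lists):
            out["nextToken"] = str(start + self._page_size)
        return out

    def get_allow_list(self, id):
        return self._lists[id]


# Constructed sample account: one healthy regex list and two text lists with problems.
SAMPLE_LISTS = {
    "aaaa0000example": {"id": "aaaa0000example", "name": "corp-emails",
                        "criteria": {"regex": "[a-z]@example.com"},
                        "status": {"code": "OK"}},
    "bbbb1111example": {"id": "bbbb1111example", "name": "public-names",
                        "criteria": {"s3WordsList": {"bucketName": "amzn-s3-demo-bucket",
                                                     "objectKey": "allowlists/macie/mylist.txt"}},
                        "status": {"code": "S3_OBJECT_NOT_FOUND",
                                   "description": "The specified key does not exist."}},
    "cccc2222example": {"id": "cccc2222example", "name": "test-data",
                        "criteria": {"s3WordsList": {"bucketName": "amzn-s3-demo-bucket",
                                                     "objectKey": "allowlists/macie/test.txt"}},
                        "status": {"code": "S3_OBJECT_ACCESS_DENIED", "description": "Access Denied"}},
}

if __name__ == "__main__":
    for finding in audit_allow_lists(FakeMacieClient(SAMPLE_LISTS)):
        print(f"{finding['name']} ({finding['id']}): {finding['code']} -> {finding['remediation']}")
```

Passing boto3.client("macie2") instead of the fake client runs the same audit against a real account.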
Changing allow lists
After you create an allow list, you can change most of the list's settings in Amazon Macie.
For example, you can change the list's name and description, and you can add and edit the
list's tags. The only setting that you can't change is a list's type. For example, if an
existing allow list specifies a regular expression, you can't change its type to predefined
text.
If an allow list specifies predefined text, you can also change the entries in the list.
To do this, update the file that contains the entries, and then upload the new version of the
file to Amazon S3. The next time Macie prepares to use the list, Macie retrieves the latest version
of the file from Amazon S3. When you upload the new file, ensure that you store it in the same S3
bucket and object. Or, if you change the name of the bucket or object, ensure that you update
the list's settings in Macie.
You can change an allow list's settings by using the Amazon Macie console or the Amazon Macie
API.
- Console
Follow these steps to change the settings for an allow list by using the Amazon Macie console.
To change an allow list
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- In the navigation pane, under Settings, choose Allow lists.
- On the Allow lists page, choose the name of the allow list that you want to change. The allow list page opens and displays the current settings for the list.
- To assign or edit tags for the allow list, choose Manage tags in the Tags section. Then change the tags as necessary. When you finish, choose Save.
- To change other settings for the allow list, choose Edit in the List settings section. Then change the settings that you want:
  - Name – Enter a new name for the list. The name can contain as many as 128 characters.
  - Description – Enter a new description of the list. The description can contain as many as 512 characters.
  - If the allow list specifies predefined text:
    - S3 bucket name – Enter the name of the bucket that currently stores the list.
      In Amazon S3, you can find this value in the Name field of the bucket's properties. This value is case sensitive. In addition, don't use wildcard characters or partial values when you enter the name.
    - S3 object name – Enter the name of the S3 object that currently stores the list.
      In Amazon S3, you can find this value in the Key field of the object's properties. If the name includes a path, be sure to include the complete path when you enter the name, for example allowlists/macie/mylist.txt. This value is case sensitive. In addition, don't use wildcard characters or partial values when you enter the name.
  - If the allow list specifies a regular expression (regex), enter a new regex in the Regular expression box. The regex can contain as many as 512 characters.
    After you enter the new regex, optionally test it. To do this, enter up to 1,000 characters in the Sample data box, and then choose Test. Macie evaluates the sample data and reports the number of occurrences of text that match the regex. You can repeat this step as many times as you like to refine and optimize the regex before you save your changes.
- When you finish changing the settings, choose Save.
  Macie tests the list's settings. For a list of predefined text, Macie also verifies that it can retrieve the list from Amazon S3 and parse the list's content. For a regex, Macie also verifies that it can compile the expression. If an error occurs, Macie displays a message that describes the error. For detailed information that can help you troubleshoot the error, see Allow list options and requirements. After you address any errors, you can save your changes.
- API
To change an allow list programmatically, use the UpdateAllowList operation of the Amazon Macie API or, for the AWS CLI, run the update-allow-list command. In your request, use the supported parameters to specify a new value for each setting that you want to change. Note that the criteria, id, and name parameters are required. If you don't want to change the value for a required parameter, specify the current value for the parameter.
For example, the following command changes the name and description of an existing allow list. The example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.
C:\> aws macie2 update-allow-list ^
--id km2d4y22hp6rv05example ^
--name my_allow_list-email ^
--criteria={\"regex\":\"[a-z]@example.com\"} ^
--description "Ignores all email addresses for the example.com domain"
Where:
- km2d4y22hp6rv05example is the unique identifier for the list.
- my_allow_list-email is the new name for the list.
- [a-z]@example.com is the list's criteria, a regular expression.
- Ignores all email addresses for the example.com domain is the new description for the list.
When you submit your request, Macie tests the list's settings. If the list specifies
predefined text, this includes verifying that Macie can retrieve the list from Amazon S3 and
parse the list's content. If the list specifies a regex, this includes verifying that
Macie can compile the expression.
If an error occurs when Macie tests the settings, your request fails and Macie
returns a message that describes the error. For detailed information that can help you
troubleshoot the error, see Allow list options and
requirements. If the request fails for another reason,
Macie returns an HTTP 4xx or 500 response that
indicates why the operation failed.
If your request succeeds, Macie updates the list's settings and you receive output
similar to the following.
{
"arn": "arn:aws:macie2:us-west-2:123456789012:allow-list/km2d4y22hp6rv05example",
"id": "km2d4y22hp6rv05example"
}
Where arn is the Amazon Resource Name (ARN) of the allow list that was updated, and id is the unique identifier for the list.
Deleting allow lists
When you delete an allow list in Amazon Macie, you permanently delete all the list's
settings. These settings can't be recovered after they're deleted. If the settings specify a
list of predefined text that you store in Amazon S3, Macie doesn't delete the S3 object that stores
the list. Only the settings in Macie are deleted.
If you configure sensitive data discovery jobs to use an allow list and you subsequently
delete the list, the jobs will run as scheduled. However, your job results, both sensitive
data findings and sensitive data discovery results, might report text that you previously
specified in an allow list. Similarly, if you configure automated sensitive data discovery to use a list and you
subsequently delete the list, daily analysis cycles will proceed. However, sensitive data
findings, statistics, or other types of results might report text that you previously
specified in an allow list.
Before you delete an allow list, we recommend that you review your job inventory to identify jobs that
use the list and are scheduled to run in the future. In the inventory, the details panel
indicates whether a job is configured to use any allow lists and, if so, which ones. In
addition, check your automated sensitive data discovery settings.
You might determine that it's best to change a list instead of deleting it.
As an additional safeguard, Macie checks the settings for all of your jobs when you try to
delete an allow list. If you configured jobs to use the list and any of those jobs have a
status other than Complete or Cancelled, Macie
doesn't delete the list unless you provide additional confirmation.
You can delete an allow list by using the Amazon Macie console or the Amazon Macie API.
- Console
Follow these steps to delete an allow list by using the Amazon Macie console.
To delete an allow list
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- In the navigation pane, under Settings, choose Allow lists.
- On the Allow lists page, select the check box for the allow list that you want to delete.
- On the Actions menu, choose Delete.
- When prompted for confirmation, enter delete, and then choose Delete.
- API
To delete an allow list programmatically, use the DeleteAllowList operation of the Amazon Macie API. For the id parameter, specify the unique identifier for the allow list to delete. You can get this identifier by using the ListAllowLists operation. The ListAllowLists operation retrieves information about all the allow lists for your account. If you're using the AWS CLI, you can run the list-allow-lists command to retrieve this information.
For the ignoreJobChecks parameter, specify whether to force deletion of the list, even if sensitive data discovery jobs are configured to use the list:
- If you specify false, Macie checks the settings for all of your jobs that have a status other than COMPLETE or CANCELLED. If none of those jobs are configured to use the list, Macie deletes the list permanently. If any of those jobs are configured to use the list, Macie rejects your request and returns an HTTP 400 (ValidationException) error. The error message indicates the number of applicable jobs for up to 200 jobs.
- If you specify true, Macie deletes the list permanently without checking the settings for any of your jobs.
To delete an allow list by using the AWS CLI, run the delete-allow-list command. For example:
C:\> aws macie2 delete-allow-list --id nkr81bmtu2542yyexample --ignore-job-checks false
Where nkr81bmtu2542yyexample is the unique identifier for the allow list to delete.
If your request succeeds, Macie returns an empty HTTP 200 response. Otherwise, Macie returns an HTTP 4xx or 500 response that indicates why the operation failed.
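The following Python script is an added example, not the documentation's or AWS's own code. It performs the review this section recommends before deleting a list, and reproduces the check Macie itself runs when ignoreJobChecks is false: it pages through the job inventory, skips jobs with status COMPLETE or CANCELLED, and reports the remaining jobs whose configuration includes the list. It assumes a boto3-style macie2 client (list_classification_jobs, describe_classification_job, whose response carries allowListIds); the FakeMacieJobsClient and the sample jobs are constructed so it runs offline.

```python
"""Find the jobs that would block DeleteAllowList with ignoreJobChecks=false (added example)."""

FINISHED_STATUSES = {"COMPLETE", "CANCELLED"}   # statuses Macie skips in its own check


def jobs_blocking_deletion(client, allow_list_id):
    """Return [{jobId, name, jobStatus}] for unfinished jobs configured to use the list.

    ``client`` needs list_classification_jobs() and describe_classification_job(jobId=...),
    the shape of a boto3 ``macie2`` client; ListClassificationJobs is paginated with nextToken.
    """
    blocking = []
    kwargs = {}
    while True:
        page = client.list_classification_jobs(**kwargs)
        for item in page.get("items", []):
            if item.get("jobStatus") in FINISHED_STATUSES:
                continue
            # Only the detail call exposes allowListIds, so fetch it per unfinished job.
            job = client.describe_classification_job(jobId=item["jobId"])
            if allow_list_id in (job.get("allowListIds") or []):
                blocking.append({"jobId": item["jobId"],
                                 "name": item.get("name", ""),
                                 "jobStatus": item.get("jobStatus")})
        token = page.get("nextToken")
        if not token:
            return blocking
        kwargs = {"nextToken": token}


def safe_to_delete(client, allow_list_id):
    """True when DeleteAllowList with ignoreJobChecks=false would not be rejected."""
    return not jobs_blocking_deletion(client, allow_list_id)


class FakeMacieJobsClient:
    """Constructed stand-in for boto3.client("macie2") so the example runs offline."""

    def __init__(self, jobs, page_size=2):
        self._jobs = jobs            # jobId -> DescribeClassificationJob-like response
        self._page_size = page_size

    def list_classification_jobs(self, nextToken=None, **_):
        start = int(nextToken) if nextToken else 0
        ids = list(self._jobs)[start:start + self._page_size]
        out = {"items": [{"jobId": i, "name": self._jobs[i]["name"],
                          "jobStatus": self._jobs[i]["jobStatus"]} for i in ids]}
        if start + self._page_size < len(self._jobs):
            out["nextToken"] = str(start + self._page_size)
        return out

    def describe_classification_job(self, jobId):
        return self._jobs[jobId]


# Constructed sample inventory; nkr81bmtu2542yyexample is the list id from this page's CLI example.
SAMPLE_JOBS = {
    "job-1111example": {"name": "quarterly-pii-scan", "jobStatus": "COMPLETE",
                        "allowListIds": ["nkr81bmtu2542yyexample"]},
    "job-2222example": {"name": "weekly-customer-data", "jobStatus": "IDLE",
                        "allowListIds": ["nkr81bmtu2542yyexample"]},
    "job-3333example": {"name": "one-off-logs", "jobStatus": "RUNNING",
                        "allowListIds": []},
}

if __name__ == "__main__":
    client = FakeMacieJobsClient(SAMPLE_JOBS)
    for job in jobs_blocking_deletion(client, "nkr81bmtu2542yyexample"):
        print(f"{job['name']} ({job['jobId']}) is {job['jobStatus']} and uses the list")
    print("safe to delete:", safe_to_delete(client, "nkr81bmtu2542yyexample"))
```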
If the allow list specified predefined text, you can optionally delete the S3 object that
stores the list. However, keeping this object can help ensure that you have an immutable
history of sensitive data findings and discovery results for data privacy and protection
audits or investigations.