Fields for filtering Macie findings - Amazon Macie

Fields for filtering Macie findings

To help you analyze findings more efficiently, the Amazon Macie console and the Amazon Macie API provide access to several sets of fields for filtering findings:

  • Common fields – These fields store data that applies to any type of finding. They correlate to common attributes of findings, such as severity, finding type, and finding ID.

  • Affected resource fields – These fields store data about the resources that a finding applies to, such as the name, tags, and encryption settings for an affected S3 bucket or object.

  • Fields for policy findings – These fields store data that's specific to policy findings, such as the action that produced a finding, and the entity that performed the action.

  • Fields for sensitive data findings – These fields store data that's specific to sensitive data findings, such as the category and types of sensitive data that Macie found in an affected S3 object.

A filter can use a combination of fields from any of the preceding sets. The topics in this section list and describe individual fields in each set. For additional details about these fields, including any relationships between the fields, see Findings in the Amazon Macie API Reference.

Common fields

The following table lists and describes fields that you can use to filter findings based on common finding attributes. These fields store data that applies to any type of finding.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

Account ID*

accountId

The unique identifier for the AWS account that the finding applies to. This is typically the account that owns the affected resource.

archived

A Boolean value that specifies whether the finding was suppressed (automatically archived) by a suppression rule.

To use this field in a filter on the console, choose an option on the Finding status menu: Archived (suppressed only), Current (unsuppressed only), or All (both suppressed and unsuppressed).

Category

category

The category of the finding.

The console provides a list of values to choose from when you add this field to a filter. In the API, valid values are: CLASSIFICATION, for a sensitive data finding; and, POLICY, for a policy finding.

count

The total number of occurrences of the finding. For sensitive data findings, this value is always 1. All sensitive data findings are considered unique.

This field isn't available as a filter option on the console. With the API, you can use this field to define a numeric range for a filter.

Created at

createdAt

The date and time when Macie created the finding.

You can use this field to define a time range for a filter.

Finding ID*

id

The unique identifier for the finding. This is a random string that Macie generates and assigns to a finding when it creates the finding.

Finding type*

type

The type of the finding—for example, SensitiveData:S3Object/Personal or Policy:IAMUser/S3BucketPublic.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values in the API, see FindingType in the Amazon Macie API Reference.

Region

region

The AWS Region that Macie created the finding in—for example, us-east-1 or ca-central-1.

Sample

sample

A Boolean value that specifies whether the finding is a sample finding. A sample finding is a finding that uses example data and placeholder values to demonstrate what a finding might contain.

The console provides a list of values to choose from when you add this field to a filter.

Severity

severity.description

The qualitative representation of the finding's severity.

The console provides a list of values to choose from when you add this field to a filter. In the API, valid values are: Low, Medium, and High.

Updated at

updatedAt

The date and time when the finding was last updated. For sensitive data findings, this value is the same as the value for the Created at field. All sensitive data findings are considered new (unique).

You can use this field to define a time range for a filter.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.

Affected resource fields

The following tables list and describe the fields that you can use to filter findings based on the type of resource that a finding applies to: an S3 bucket or an S3 object.

S3 bucket

This table lists and describes fields that you can use to filter findings based on characteristics of the S3 bucket that a finding applies to.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. (Longer JSON field names use the newline character sequence (\n) to improve readability.) The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

resourcesAffected.s3Bucket.createdAt

The date and time when the affected bucket was created, or changes such as edits to the bucket's policy were most recently made to the affected bucket.

This field isn't available as a filter option on the console. With the API, you can use this field to define a time range for a filter.

S3 bucket default encryption

resourcesAffected.s3Bucket.defaultServerSideEncryption.encryptionType

The server-side encryption algorithm that's used by default to encrypt objects that are added to the affected bucket.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see EncryptionType in the Amazon Macie API Reference.

S3 bucket encryption KMS key id*

resourcesAffected.s3Bucket.defaultServerSideEncryption.kmsMasterKeyId

The Amazon Resource Name (ARN) or unique identifier (key ID) for the AWS KMS key that's used by default to encrypt objects that are added to the affected bucket.

S3 bucket encryption required by bucket policy

resourcesAffected.s3Bucket.allowsUnencryptedObjectUploads

Specifies whether the bucket policy for the affected bucket requires server-side encryption of objects when objects are added to the bucket.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see S3Bucket in the Amazon Macie API Reference.

S3 bucket name*

resourcesAffected.s3Bucket.name

The full name of the affected bucket.

S3 bucket owner display name*

resourcesAffected.s3Bucket.owner.displayName

The display name of the AWS user who owns the affected bucket.

S3 bucket public access permission

resourcesAffected.s3Bucket.publicAccess.effectivePermission

Specifies whether the affected bucket is publicly accessible based on a combination of permissions settings that apply to the bucket.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see BucketPublicAccess in the Amazon Macie API Reference.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

accountLevelPermissions.blockPublicAccess.blockPublicAcls

A Boolean value that specifies whether Amazon S3 blocks public access control lists (ACLs) for the affected bucket and objects in the bucket. This is an account-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

accountLevelPermissions.blockPublicAccess.blockPublicPolicy

A Boolean value that specifies whether Amazon S3 blocks public bucket policies for the affected bucket. This is an account-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

accountLevelPermissions.blockPublicAccess.ignorePublicAcls

A Boolean value that specifies whether Amazon S3 ignores public ACLs for the affected bucket and objects in the bucket. This is an account-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

accountLevelPermissions.blockPublicAccess.restrictPublicBuckets

A Boolean value that specifies whether Amazon S3 restricts public bucket policies for the affected bucket. This is an account-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.accessControlList.allowsPublicReadAccess

A Boolean value that specifies whether the bucket-level ACL for the affected bucket grants the general public with read access permissions for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.accessControlList.allowsPublicWriteAccess

A Boolean value that specifies whether the bucket-level ACL for the affected bucket grants the general public with write access permissions for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.blockPublicAccess.blockPublicAcls

A Boolean value that specifies whether Amazon S3 blocks public ACLs for the affected bucket and objects in the bucket. This is a bucket-level, block public access setting for a bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.blockPublicAccess.blockPublicPolicy

A Boolean value that specifies whether Amazon S3 blocks public bucket policies for the affected bucket. This is a bucket-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.blockPublicAccess.ignorePublicAcls

A Boolean value that specifies whether Amazon S3 ignores public ACLs for the affected bucket and objects in the bucket. This is a bucket-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets

A Boolean value that specifies whether Amazon S3 restricts public bucket policies for the affected bucket. This is a bucket-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess

A Boolean value that specifies whether the affected bucket's policy allows the general public to have read access to the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess

A Boolean value that specifies whether the affected bucket's policy allows the general public to have write access to the bucket.

This field isn't available as a filter option on the console.

S3 bucket tag key*

resourcesAffected.s3Bucket.tags.key

A tag key that's associated with the affected bucket.

S3 bucket tag value*

resourcesAffected.s3Bucket.tags.value

A tag value that's associated with the affected bucket.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.

S3 object

This table lists and describes fields that you can use to filter findings based on characteristics of the S3 object that a finding applies to.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

S3 object encryption KMS key id*

resourcesAffected.s3Object.serverSideEncryption.kmsMasterKeyId

The Amazon Resource Name (ARN) or unique identifier (key ID) for the AWS KMS key that was used to encrypt the affected object.

S3 object encryption type

resourcesAffected.s3Object.serverSideEncryption.encryptionType

The server-side encryption algorithm that was used to encrypt the affected object.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see EncryptionType in the Amazon Macie API Reference.

resourcesAffected.s3Object.extension

The file name extension of the affected object. For objects that don't have a file name extension, specify "" as the value for the filter.

This field isn't available as a filter option on the console.

resourcesAffected.s3Object.lastModified

The date and time when the affected object was created or last changed, whichever is latest.

This field isn't available as a filter option on the console. With the API, you can use this field to define a time range for a filter.

S3 object key*

resourcesAffected.s3Object.key

The full name (key) of the affected object, including the object's prefix if applicable.

resourcesAffected.s3Object.path

The full path to the affected object, including the name of the affected bucket and the object's name (key).

This field isn't available as a filter option on the console.

S3 object public access

resourcesAffected.s3Object.publicAccess

A Boolean value that specifies whether the affected object is publicly accessible based on a combination of permission settings that apply to the object.

The console provides a list of values to choose from when you add this field to a filter.

S3 object tag key*

resourcesAffected.s3Object.tags.key

A tag key that's associated with the affected object.

S3 object tag value*

resourcesAffected.s3Object.tags.value

A tag value that's associated with the affected object.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.

Fields for policy findings

The following table lists and describes fields that you can use to filter policy findings. These fields store data that's specific to policy findings.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. (Longer JSON field names use the newline character sequence (\n) to improve readability.) The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

Action type

policyDetails.action.actionType

The type of action that produced the finding. The only valid value for this field is AWS_API_CALL.

API call name*

policyDetails.action.apiCallDetails.api

The name of the operation that was invoked most recently and produced the finding—for example, PutBucketPublicAccessBlock.

API service name*

policyDetails.action.apiCallDetails.apiServiceName

The URL of the AWS service that provides the operation that was invoked and produced the finding—for example, s3.amazonaws.com.

policyDetails.action.apiCallDetails.firstSeen

The first date and time when any operation was invoked and produced the finding.

This field isn't available as a filter option on the console. With the API, you can use this field to define a time range for a filter.

policyDetails.action.apiCallDetails.lastSeen

The most recent date and time when the specified operation (API call name or api) was invoked and produced the finding.

This field isn't available as a filter option on the console. With the API, you can use this field to define a time range for a filter.

policyDetails.actor.domainDetails.domainName

The domain name of the device that was used to perform the action.

This field isn't available as a filter option on the console.

IP city*

policyDetails.actor.ipAddressDetails.ipCity.name

The name of the originating city for the IP address of the device that was used to perform the action.

IP country*

policyDetails.actor.ipAddressDetails.ipCountry.name

The name of the originating country for the IP address of the device that was used to perform the action—for example, United States.

policyDetails.actor.ipAddressDetails.ipOwner.asn

The Autonomous System Number (ASN) for the autonomous system that included the IP address of the device that was used to perform the action.

This field isn't available as a filter option on the console.

IP owner ASN org*

policyDetails.actor.ipAddressDetails.ipOwner.asnOrg

The organization identifier that's associated with the ASN for the autonomous system that included the IP address of the device that was used to perform the action.

IP owner ISP*

policyDetails.actor.ipAddressDetails.ipOwner.isp

The name of the internet service provider (ISP) that owned the IP address of the device that was used to perform the action.

IP V4 address*

policyDetails.actor.ipAddressDetails.ipAddressV4

The Internet Protocol version 4 (IPv4) address of the device that was used to perform the action.

policyDetails.actor.userIdentity.assumedRole.accessKeyId

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the AWS access key ID that identifies the credentials.

This field isn't available as a filter option on the console.

User identity assumed role account id*

policyDetails.actor.userIdentity.assumedRole.accountId

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the unique identifier for the AWS account that owns the entity that was used to get the credentials.

User identity assumed role principal id*

policyDetails.actor.userIdentity.assumedRole.principalId

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the unique identifier for the entity that was used to get the credentials.

User identity assumed role session ARN*

policyDetails.actor.userIdentity.assumedRole.arn

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the Amazon Resource Name (ARN) of the source account, IAM user, or role that was used to get the credentials.

policyDetails.actor.userIdentity.assumedRole.sessionContext.\n

sessionIssuer.type

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the source of the temporary security credentials— for example, Root, IAMUser, or Role.

This field isn't available as a filter option on the console.

policyDetails.actor.userIdentity.assumedRole.sessionContext.\n

sessionIssuer.userName

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the name or alias of the user or role that issued the session. Note that this value is null if the credentials were obtained from a root account that doesn't have an alias.

This field isn't available as a filter option on the console.

User identity AWS account account id*

policyDetails.actor.userIdentity.awsAccount.accountId

For an action performed using the credentials for another AWS account, the unique identifier for the account.
User identity AWS account principal id*

policyDetails.actor.userIdentity.awsAccount.principalId

For an action performed using the credentials for another AWS account, the unique identifier for the entity that performed the action.

User identity AWS service invoked by

policyDetails.actor.userIdentity.awsService.invokedBy

For an action performed by an account that belongs to an AWS service, the name of the service.

policyDetails.actor.userIdentity.federatedUser.accessKeyId

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the AWS access key ID that identifies the credentials.

This field isn't available as a filter option on the console.

User identity federated session ARN*

policyDetails.actor.userIdentity.federatedUser.arn

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the ARN of the entity that was used to get the credentials.

User identity federated user account id*

policyDetails.actor.userIdentity.federatedUser.accountId

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the unique identifier for the AWS account that owns the entity that was used to get the credentials.

User identity federated user principal id*

policyDetails.actor.userIdentity.federatedUser.principalId

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the unique identifier for the entity that was used to get the credentials.

policyDetails.actor.userIdentity.federatedUser.sessionContext.\n

sessionIssuer.type

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the source of the temporary security credentials—for example, Root, IAMUser, or Role.

This field isn't available as a filter option on the console.

policyDetails.actor.userIdentity.federatedUser.sessionContext.\n

sessionIssuer.userName

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the name or alias of the user or role that issued the session. Note that this value is null if the credentials were obtained from a root account that doesn't have an alias.

This field isn't available as a filter option on the console.

User identity IAM account id*

policyDetails.actor.userIdentity.iamUser.accountId

For an action performed using an IAM user's credentials, the unique identifier for the AWS account that's associated with the IAM user who performed the action.

User identity IAM principal id*

policyDetails.actor.userIdentity.iamUser.principalId

For an action performed using an IAM user's credentials, the unique identifier for the IAM user who performed the action.

User identity IAM user name*

policyDetails.actor.userIdentity.iamUser.userName

For an action performed using an IAM user's credentials, the username of the IAM user who performed the action.

User identity root account id*

policyDetails.actor.userIdentity.root.accountId

For an action performed using the credentials for your AWS account, the unique identifier for the account.

User identity root principal id*

policyDetails.actor.userIdentity.root.principalId

For an action performed using the credentials for your AWS account, the unique identifier for the entity that performed the action.

User identity type

policyDetails.actor.userIdentity.type

The type of entity that performed the action that produced the finding.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see UserIdentityType in the Amazon Macie API Reference.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.

Fields for sensitive data findings

The following table lists and describes fields that you can use to filter sensitive data findings. These fields store data that's specific to sensitive data findings.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

Custom data identifier ID*

classificationDetails.result.customDataIdentifiers.detections.arn

The unique identifier for the custom data identifier that detected the data and produced the finding.

Custom data identifier name*

classificationDetails.result.customDataIdentifiers.detections.name

The name of the custom data identifier that detected the data and produced the finding.

Custom data identifier total count

classificationDetails.result.customDataIdentifiers.detections.count

The total number of occurrences of data that was detected by custom data identifiers and produced the finding.

You can use this field to define a numeric range for a filter.

Job ID*

classificationDetails.jobId

The unique identifier for the sensitive data discovery job that produced the finding.

Origin type

classificationDetails.originType

How Macie found the sensitive data that produced the finding: AUTOMATED_SENSITIVE_DATA_DISCOVERY or SENSITIVE_DATA_DISCOVERY_JOB.

classificationDetails.result.mimeType

The type of content, as a MIME type, that the finding applies to—for example, text/csv for a CSV file or application/pdf for an Adobe Portable Document Format file.

This field isn't available as a filter option on the console.

classificationDetails.result.sizeClassified

The total storage size, in bytes, of the S3 object that the finding applies to.

This field isn't available as a filter option on the console. With the API, you can use this field to define a numeric range for a filter.

Result status code*

classificationDetails.result.status.code

The status of the finding. Valid values are:

  • COMPLETE – Macie completed its analysis of the object.

  • PARTIAL – Macie analyzed only a subset of the data in the object. For example, the object is an archive file that contains files in an unsupported format.

  • SKIPPED – Macie wasn't able to analyze the object. For example, the object is a malformed file.

Sensitive data category

classificationDetails.result.sensitiveData.category

The category of sensitive data that was detected and produced the finding.

The console provides a list of values to choose from when you add this field to a filter. In the API, valid values are: CREDENTIALS, FINANCIAL_INFORMATION, and PERSONAL_INFORMATION.

Sensitive data detection type

classificationDetails.result.sensitiveData.detections.type

The type of sensitive data that was detected and produced the finding. This is the unique identifier for the managed data identifier that detected the data.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for both the console and the API, see Quick reference: Managed data identifiers by type.

Sensitive data total count

classificationDetails.result.sensitiveData.detections.count

The total number of occurrences of the type of sensitive data that was detected and produced the finding.

You can use this field to define a numeric range for a filter.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.