Changing a suppression rule for Macie findings
After you create a suppression rule, you can change the settings for the rule. A suppression rule is a set of attribute-based filter criteria that defines cases where you want Amazon Macie to archive findings automatically. Suppression rules are helpful in situations where you've reviewed a class of findings and don't want to be notified of them again. Each rule consists of a set of filter criteria, a name, and, optionally, a description.
If you change the criteria of a suppression rule, findings that the rule previously suppressed continue to be suppressed: they keep the status archived, and Macie doesn't publish them to Amazon EventBridge or AWS Security Hub. Macie applies the new criteria only to new sensitive data findings, new policy findings, and subsequent occurrences of existing policy findings. Check widened criteria carefully before you save them: findings that match a suppression rule are archived and never reach EventBridge or Security Hub, so a rule that matches more than you intend silently removes findings from downstream alerting. Narrowing the criteria does not restore findings that were already archived.
In addition to changing the criteria or other settings for a rule, you can assign tags to a
rule. A tag is a label that you define and assign to certain types of AWS resources. Each tag consists of a required tag key and an optional tag value. Tags can help you identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. To learn more, see Tagging Macie resources.
To change a suppression rule for findings
To assign tags or change the settings for a suppression rule, you can use the Amazon Macie
console or the Amazon Macie API.
- Console
Follow these steps to assign tags or change the settings for a suppression rule by using the Amazon Macie console.
To change a suppression rule
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- In the navigation pane, choose Findings.
- In the Saved rules list, choose the edit icon next to the suppression rule that you want to change or assign tags to.
- Do any of the following:
  - To change the criteria of the rule, use the Filter criteria box. In the box, enter conditions that specify attributes of the findings that you want the rule to suppress. To learn how, see Creating and applying filters to Macie findings.
  - To change the name of the rule, enter a new name in the Name box under Suppression rule.
  - To change the description of the rule, enter a new description in the Description box under Suppression rule.
  - To assign tags to the rule, choose Manage tags under Suppression rule. Then add, review, and change the tags as necessary. A rule can have as many as 50 tags.
- When you finish making changes, choose Save.
- API
To change a suppression rule programmatically, use the UpdateFindingsFilter operation of the Amazon Macie API. When you submit your request, use the supported parameters to specify a new value for each setting that you want to change.
For the id parameter, specify the unique identifier for the rule to change. You can get this identifier by using the ListFindingsFilters operation to retrieve a list of suppression and filter rules for your account. If you're using the AWS Command Line Interface (AWS CLI), run the list-findings-filters command to retrieve this list.
To change a suppression rule by using the AWS CLI, run the update-findings-filter command and use the supported parameters to specify a new value for each setting that you want to change. For example, the following command changes the name of an existing suppression rule.
C:\> aws macie2 update-findings-filter --id 8a3c5608-aa2f-4940-b347-d1451example --name mailing_addresses_only
Where id is the unique identifier for the rule to change and name is the new name for the rule. Settings that you don't specify keep their current values.
If the command runs successfully, you receive output similar to the following.
{
"arn": "arn:aws:macie2:us-west-2:123456789012:findings-filter/8a3c5608-aa2f-4940-b347-d1451example",
"id": "8a3c5608-aa2f-4940-b347-d1451example"
}
Where arn is the Amazon Resource Name (ARN) of the rule that was changed, and id is the unique identifier for the rule.
Similarly, the following example converts a filter rule to a suppression rule by changing the value for the action parameter from NOOP to ARCHIVE. After this change, findings that match the rule's criteria are archived automatically instead of being shown in the console.
C:\> aws macie2 update-findings-filter --id 8a1c3508-aa2f-4940-b347-d1451example --action ARCHIVE
Where id is the unique identifier for the rule to change and action is the new action for the rule: ARCHIVE makes the rule a suppression rule that archives matching findings automatically, and NOOP makes it a filter rule that doesn't archive them.
If the command runs successfully, you receive output similar to the following:
{
"arn": "arn:aws:macie2:us-west-2:123456789012:findings-filter/8a1c3508-aa2f-4940-b347-d1451example",
"id": "8a1c3508-aa2f-4940-b347-d1451example"
}
Where arn is the Amazon Resource Name (ARN) of the rule that was changed, and id is the unique identifier for the rule.
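The following Python script is an added example, not AWS code or output from the Macie API. It builds and validates the request for UpdateFindingsFilter (the same id, name, description, action and findingCriteria settings the CLI commands above change), serializes the criteria the way the CLI's --finding-criteria option accepts them, and then models the rule-change behaviour described earlier on this page: findings that the old criteria already archived stay archived, and the new criteria are applied only to findings that arrive afterwards. The finding records, rule IDs and the two criteria sets are constructed sample data; the dotted attribute paths (type, severity.description, resourcesAffected.s3Bucket.name) follow the form Macie filter criteria use, and the matching logic is a local model of the documented semantics rather than the service itself.

```python
"""Model of a Macie findings-filter update: request building and rule-change semantics.

Added example, not AWS code. Findings, IDs and criteria below are constructed
sample data; the matching logic is a local model of the documented behaviour.
"""
import json

VALID_ACTIONS = {"ARCHIVE", "NOOP"}
# Comparison operators accepted inside a findingCriteria "criterion" entry.
VALID_OPERATORS = {"eq", "eqExactMatch", "neq", "gt", "gte", "lt", "lte"}


def build_update_request(filter_id, name=None, description=None, action=None, criterion=None):
    """Return validated keyword arguments for macie2 update_findings_filter().

    Only the settings you pass are included, so unspecified settings keep
    their current values on the rule.
    """
    if not filter_id:
        raise ValueError("id is required; look it up with list_findings_filters()")
    req = {"id": filter_id}
    if name is not None:
        req["name"] = name
    if description is not None:
        req["description"] = description
    if action is not None:
        if action not in VALID_ACTIONS:
            raise ValueError(f"action must be one of {sorted(VALID_ACTIONS)}")
        req["action"] = action
    if criterion is not None:
        for field, ops in criterion.items():
            unsupported = set(ops) - VALID_OPERATORS
            if unsupported:
                raise ValueError(f"unsupported operator(s) {sorted(unsupported)} for {field!r}")
        req["findingCriteria"] = {"criterion": criterion}
    return req


def to_cli_json(req):
    """Serialize findingCriteria the way the CLI's --finding-criteria option takes it."""
    return json.dumps(req["findingCriteria"], separators=(",", ":"))


def _get(finding, dotted):
    """Resolve a dotted attribute path such as 'resourcesAffected.s3Bucket.name'."""
    cur = finding
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(criterion, finding):
    """True when the finding satisfies every field condition in the criterion."""
    for field, ops in criterion.items():
        value = _get(finding, field)
        values = value if isinstance(value, list) else [value]
        for op, operand in ops.items():
            if op == "eq":
                ok = any(v in operand for v in values)
            elif op == "eqExactMatch":  # array fields must match the operand list exactly
                ok = sorted(map(str, values)) == sorted(map(str, operand))
            elif op == "neq":
                ok = all(v not in operand for v in values)
            elif isinstance(value, (int, float)):  # numeric comparisons (gt, gte, lt, lte)
                ok = {"gt": value > operand, "gte": value >= operand,
                      "lt": value < operand, "lte": value <= operand}[op]
            else:  # missing or non-numeric field never satisfies a numeric operator
                ok = False
            if not ok:
                return False
    return True


def apply_rule_change(existing, new_findings, new_criterion):
    """Model the documented effect of editing a suppression rule's criteria.

    Findings already evaluated keep their current archived status even if they
    no longer match; only findings that arrive afterwards are judged by the new
    criteria. Returns {finding id: archived?}.
    """
    status = {f["id"]: f["archived"] for f in existing}
    for f in new_findings:
        status[f["id"]] = matches(new_criterion, f)
    return status


# Constructed sample findings (not real Macie output). f-001 was archived by the old rule.
EXISTING = [
    {"id": "f-001", "type": "SensitiveData:S3Object/Personal", "severity": {"description": "Medium"},
     "resourcesAffected": {"s3Bucket": {"name": "archive-bucket"}}, "archived": True},
    {"id": "f-002", "type": "Policy:IAMUser/S3BucketPublic", "severity": {"description": "High"},
     "resourcesAffected": {"s3Bucket": {"name": "web-assets"}}, "archived": False},
]
NEW = [
    {"id": "f-003", "type": "SensitiveData:S3Object/Personal", "severity": {"description": "Low"},
     "resourcesAffected": {"s3Bucket": {"name": "archive-bucket"}}},
    {"id": "f-004", "type": "SensitiveData:S3Object/Personal", "severity": {"description": "Medium"},
     "resourcesAffected": {"s3Bucket": {"name": "archive-bucket"}}},
]
OLD_CRITERION = {"type": {"eq": ["SensitiveData:S3Object/Personal"]},
                 "resourcesAffected.s3Bucket.name": {"eq": ["archive-bucket"]}}
# Narrowed rule: keep suppressing the archive bucket, but only Low-severity findings.
NEW_CRITERION = {"resourcesAffected.s3Bucket.name": {"eq": ["archive-bucket"]},
                 "severity.description": {"eq": ["Low"]}}

if __name__ == "__main__":
    req = build_update_request("8a3c5608-aa2f-4940-b347-d1451example", action="ARCHIVE", criterion=NEW_CRITERION)
    print("--finding-criteria", to_cli_json(req))
    print(apply_rule_change(EXISTING, NEW, NEW_CRITERION))
```

Running the script shows the point of the caveat above: f-004 would have been archived under the old criteria but is not under the narrowed ones, while f-001 stays archived even though it no longer matches. Pass the dictionary returned by build_update_request to boto3's update_findings_filter(**req), or paste the to_cli_json output into --finding-criteria on the CLI.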