Tagging Amazon Macie resources
A tag is an optional label that you can define and assign
to AWS resources, including certain types of Amazon Macie resources. Tags can help you
identify, categorize, and manage resources in different ways, such as by purpose, owner,
environment, or other criteria. For example, you can use tags to apply policies, allocate
costs, distinguish between versions of resources, or identify resources that support certain
compliance requirements or workflows.
You can assign tags to the following types of Macie resources: allow lists, custom data
identifiers, filter rules and suppression rules for findings, and sensitive data discovery
jobs. If you're the Macie administrator for an organization, you can also assign tags to member
accounts in your organization.
A resource can have as many as 50 tags. Each tag consists of a required tag key and an optional tag value, both of which you define. A tag key is a general label that acts as a category for a more specific tag value. A tag value acts as a descriptor for a tag key.
For example, if you create custom data identifiers and sensitive data discovery jobs to analyze data at different points in a workflow (one set for staged data and another for production data), you might assign a Stack tag key to those resources. The tag value for this tag key might be Staging for custom data identifiers and jobs that are designed to analyze staged data, and Production for the others.
As you define and assign tags to resources, keep the following in mind:
- Each resource can have a maximum of 50 tags.
- For each resource, each tag key must be unique and it can have only one tag value.
- Tag keys and values are case sensitive. As a best practice, we recommend that you define a strategy for capitalizing tags and implement that strategy consistently across your resources.
- A tag key can have a maximum of 128 UTF-8 characters. A tag value can have a maximum of 256 UTF-8 characters. The characters can be letters, numbers, spaces, or the following symbols: _ . : / = + - @
- The aws: prefix is reserved for use by AWS. You can't use it in any tag keys or values that you define. In addition, you can't change or remove tag keys or values that use this prefix. Tags that use this prefix don't count against the quota of 50 tags per resource.
- Any tags that you assign are available only for your AWS account and only in the AWS Region in which you assign them.
- If you delete a resource, any tags that are assigned to the resource are also deleted.
For additional restrictions, tips, and best practices, see the Tagging AWS Resources User
Guide.
Do not store confidential or other types of sensitive data in tags. Tags are
accessible from many AWS services, including AWS Billing and Cost Management. They aren't intended to be used
for sensitive data.
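The constraints above are cheap to check on the client before a TagResource or Create call, and a rejected request is the least of the problems: a tag set that slips past review with two keys that differ only by case, or a credential in a value, is the one that bites later. The following Python function is an added example, not code from the Macie documentation or from AWS. It encodes the limits and character set listed above, treats keys that differ only by case as an error (the capitalization guidance above), and applies a constructed, purely heuristic pattern (SECRET_RE) to catch values that look like credentials. The tag maps it is fed are constructed for the example.

```python
"""Client-side check of a Macie tag map against the constraints above
(added example; not code from the Macie documentation or from AWS)."""
import re
from typing import Dict, List

MAX_TAGS = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256
RESERVED_PREFIX = "aws:"
# Letters, digits, spaces and the symbols _ . : / = + - @  (\w covers letters,
# digits and underscore in any script; a value may be empty).
ALLOWED_RE = re.compile(r"^[\w .:/=+\-@]*\Z")
# Constructed heuristic, not an AWS rule: a value shaped like an access key ID or
# a key named like a credential is a sign that secrets are leaking into tags.
SECRET_RE = re.compile(r"AKIA[0-9A-Z]{16}|secret|passw(or)?d|token", re.IGNORECASE)


def validate_tags(tags: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the map is safe to send."""
    problems: List[str] = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS} per resource")
    seen_by_lower: Dict[str, str] = {}
    for key, value in tags.items():
        if not key:
            problems.append("a tag key must not be empty")
            continue
        if len(key) > MAX_KEY_LEN:
            problems.append(f"key {key[:16]!r}... exceeds {MAX_KEY_LEN} characters")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value for {key!r} exceeds {MAX_VALUE_LEN} characters")
        if not ALLOWED_RE.match(key):
            problems.append(f"key {key!r} contains a character outside the allowed set")
        if not ALLOWED_RE.match(value):
            problems.append(f"value for {key!r} contains a character outside the allowed set")
        if key.lower().startswith(RESERVED_PREFIX) or value.lower().startswith(RESERVED_PREFIX):
            problems.append(f"{key!r}: the aws: prefix is reserved for AWS")
        # Keys are case sensitive, so Owner and owner would be two distinct tags,
        # and a policy condition on aws:ResourceTag/Owner would see only one of them.
        first = seen_by_lower.setdefault(key.lower(), key)
        if first != key:
            problems.append(f"keys {first!r} and {key!r} differ only by case")
        if SECRET_RE.search(key) or SECRET_RE.search(value):
            problems.append(f"{key!r} looks like it carries a credential; tags are not for sensitive data")
    return problems
```

Run the check on the tags map before every tag-resource or create call and refuse to send the request when the list is non-empty; the API would reject the length and character-set violations anyway, but it accepts a mixed-case duplicate key and a secret in a value without complaint.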
To add and manage tags for Macie resources, you can use the Amazon Macie console, the Amazon Macie
API, the Tag Editor on the AWS Resource Groups console, or the AWS Resource Groups Tagging API. With Macie,
you can add tags to a resource when you create the resource. You can also add and manage
tags for individual existing resources. With Resource Groups, you can add and manage tags in bulk
for multiple existing resources spanning multiple AWS services, including Macie. For
more information, see the Tagging AWS Resources User Guide.
After you start tagging resources, you can define tag-based, resource-level permissions in
AWS Identity and Access Management (IAM) policies. By using tags in this way, you can implement granular control
of which users and roles in your AWS account have permission to create and tag resources,
and which users and roles have permission to add, edit, and remove tags more generally. To
control access based on tags, you can use tag-related condition keys in the Condition
element of IAM policies.
For example, you can create a policy that allows a user to have full access to all Amazon Macie resources, if the Owner tag for the resource specifies their username:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ModifyResourceIfOwner",
            "Effect": "Allow",
            "Action": "macie2:*",
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {"aws:ResourceTag/Owner": "${aws:username}"}
            }
        }
    ]
}
If you define tag-based, resource-level permissions, the permissions take effect immediately. This means that your resources are more secure as soon as they're created, and you can quickly start enforcing the use of tags for new resources. You can also use resource-level permissions to control which tag keys and values can be associated with new and existing resources. For more information, see Controlling access to AWS resources using tags in the IAM User Guide.
Two caveats apply to a policy like the preceding example. The aws:username variable is populated only for IAM users; for requests made with an assumed IAM role, the variable is absent, the condition doesn't match, and the statement grants nothing. Also, the aws:ResourceTag condition key is evaluated only for actions that operate on a specific, taggable resource; for macie2 actions that don't target such a resource (list operations, for example), the key is absent from the request context and the statement doesn't grant the action. Test such policies with the IAM policy simulator before you rely on them.
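The policy above grants access based on a tag that is already on the resource; the complementary control that the last paragraph mentions is to constrain which tag keys and values a principal may put on a resource in the first place, using the aws:RequestTag/<key> and aws:TagKeys condition keys. The following Python is an added example, not a policy from the Macie documentation or from AWS. It builds such a policy for the Create operations and the TagResource and UntagResource operations named on this page (assumption to confirm in the Service Authorization Reference for Macie: that each listed action supports these two condition keys) and includes a deliberately small model of how IAM evaluates those two keys, so you can see why StringEquals on a missing request tag fails while ForAllValues on an empty key set passes. The model covers only Allow statements and those two condition forms; it is a teaching aid, not the IAM engine.

```python
"""Tag-enforcement IAM policy for Macie resources and a small model of how IAM
evaluates its two condition keys (added example; not AWS code)."""
import json
from typing import Dict, List

APPROVED_KEYS: List[str] = ["Stack", "Owner", "CostCenter"]

# Added policy (not from the Macie documentation). Assumption: each listed macie2
# action supports aws:RequestTag and aws:TagKeys; confirm in the Service
# Authorization Reference before deploying.
TAG_ENFORCEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # A resource may be created only if the request carries an approved
            # Stack tag and uses no tag key outside the approved set.
            "Sid": "RequireApprovedTagsOnCreate",
            "Effect": "Allow",
            "Action": [
                "macie2:CreateAllowList",
                "macie2:CreateClassificationJob",
                "macie2:CreateCustomDataIdentifier",
                "macie2:CreateFindingsFilter",
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:RequestTag/Stack": ["Staging", "Production"]},
                "ForAllValues:StringEquals": {"aws:TagKeys": APPROVED_KEYS},
            },
        },
        {
            # Existing resources: only approved keys may be added or removed.
            "Sid": "LimitTagKeysOnExistingResources",
            "Effect": "Allow",
            "Action": ["macie2:TagResource", "macie2:UntagResource"],
            "Resource": "*",
            "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": APPROVED_KEYS}},
        },
    ],
}


def policy_json() -> str:
    """The policy as a document for put-user-policy or simulate-custom-policy."""
    return json.dumps(TAG_ENFORCEMENT_POLICY, indent=2)


def _condition_matches(condition: Dict[str, Dict[str, List[str]]],
                       request_tags: Dict[str, str]) -> bool:
    """Model of the two condition forms used above; every block must be true."""
    for operator, pairs in condition.items():
        for context_key, allowed in pairs.items():
            if operator == "StringEquals" and context_key.startswith("aws:RequestTag/"):
                # A tag that isn't in the request isn't in the request context, and a
                # non-negated operator on an absent key evaluates to false. This is
                # what actually forces the Stack tag to be present.
                tag_key = context_key[len("aws:RequestTag/"):]
                if request_tags.get(tag_key) not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals" and context_key == "aws:TagKeys":
                # True when every request key is approved. Also true for an empty
                # key set, so on its own this never requires a tag to be present.
                if not set(request_tags).issubset(allowed):
                    return False
            else:
                raise NotImplementedError(f"{operator} on {context_key} is outside this model")
    return True


def is_allowed(policy: dict, action: str, request_tags: Dict[str, str]) -> bool:
    """Default deny; the action is allowed if any Allow statement matches.
    Deny statements, action wildcards and resource ARNs are out of scope here."""
    for statement in policy["Statement"]:
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if statement["Effect"] != "Allow" or action not in actions:
            continue
        if _condition_matches(statement.get("Condition", {}), request_tags):
            return True
    return False
```

Write policy_json() to a file and confirm the real engine agrees by running aws iam simulate-custom-policy with that file as the policy input, the macie2 action under test, and the aws:RequestTag/Stack and aws:TagKeys context entries; in particular, check that a create request with no tags is denied and that TagResource with an unapproved key is denied. The second statement is an example of the ForAllValues caveat: because an empty key set matches, it constrains which keys may be used without requiring that any be present.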
To add tags to an individual Amazon Macie resource, you can use the Amazon Macie console or the
Amazon Macie API. To add tags to multiple Macie resources at the same time, use the Tag Editor on
the AWS Resource Groups console or the tagging operations of the AWS Resource Groups Tagging
API.
Adding tags to a resource can affect access to the resource. Before you add a tag to a
resource, review any AWS Identity and Access Management (IAM) policies that might use tags to control access to
resources.
- Console
-
When you create an allow list, custom data identifier, or sensitive data discovery job,
the Amazon Macie console provides options for adding tags to the resource.
Follow the instructions on the console to add tags to these types of
resources when you create the resources. To add tags to a filter or
suppression rule or a member account in an organization, you have to create
the resource before you can add tags to it.
To add one or more tags to an existing resource by using the Amazon Macie console, follow
these steps.
To add a tag to a resource
Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
-
Depending on the type of resource that you want to add a tag to, do one
of the following:
-
For an allow list, choose Allow lists in
the navigation pane.
Then, in the table, select the check box for the list. Then choose
Manage tags on the
Actions menu.
-
For a custom data identifier, choose Custom data identifiers in
the navigation pane.
Then, in the table, select the check box for the custom data identifier. Then choose
Manage tags on the
Actions menu.
-
For a filter or suppression rule, choose Findings in the
navigation pane.
Then, in the Saved rules list, choose the edit icon next to the rule. Then choose Manage tags.
-
For a member account in your organization, choose Accounts in
the navigation pane.
Then, in the table, select the check box for the account. Then choose
Manage tags on the
Actions menu.
-
For a sensitive data discovery job, choose Jobs in the
navigation pane.
Then, in the table, select the check box for the job. Then choose Manage
tags on the Actions menu.
The Manage tags window lists all the tags that
are currently assigned to the resource.
-
In the Manage tags window, choose Edit tags.
-
Choose Add tag.
-
In the Key box, enter the tag key for the tag to add to the
resource. Then, in the Value box, optionally enter a
tag value for the key.
A tag key can contain as many as 128 characters. A tag value can contain as many as 256
characters. The characters can be letters, numbers, spaces, or the following
symbols: _ . : / = + - @
-
(Optional) To add another tag to the resource, choose Add tag, and
then repeat the preceding step. You can assign as many as 50 tags to a
resource.
-
When you finish adding tags, choose Save.
- API
-
To create a resource and add one or more tags to it programmatically, use the appropriate Create operation for the type of resource that you want to create:
-
Allow list – Use the CreateAllowList operation or, if you're using the
AWS Command Line Interface (AWS CLI), run the create-allow-list command.
-
Custom data identifier – Use the CreateCustomDataIdentifier operation or, if you're
using the AWS CLI, run the create-custom-data-identifier command.
-
Filter or suppression rule – Use the CreateFindingsFilter operation or, if you're using the AWS CLI,
run the create-findings-filter command.
-
Member account – Use the CreateMember operation or, if you're using the AWS CLI, run the
create-member command.
-
Sensitive data discovery job – Use the CreateClassificationJob operation or, if you're using the AWS CLI,
run the create-classification-job command.
In your request, use the tags parameter to specify the tag key (key) and optional tag value (value) for each tag to add to the resource. The tags parameter specifies a string-to-string map of tag keys and their associated tag values.
To add one or more tags to an existing resource, use the TagResource operation of the Amazon Macie API or, if you're using the AWS CLI, run the tag-resource command. In your request, specify the Amazon Resource Name (ARN) of the resource that you want to add a tag to. Use the tags parameter to specify the tag key (key) and optional tag value (value) for each tag to add to the resource. As is the case for Create operations and commands, the tags parameter specifies a string-to-string map of tag keys and their associated tag values.
For example, the following AWS CLI command adds a Stack tag key with a Production tag value to the specified job. This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.
C:\> aws macie2 tag-resource ^
    --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
    --tags={\"Stack\":\"Production\"}
Where:
- resource-arn specifies the ARN of the job to add a tag to.
- Stack is the tag key of the tag to add to the job.
- Production is the tag value for the specified tag key (Stack).
In the following example, the command adds several tags to the job:
C:\> aws macie2 tag-resource ^
    --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
    --tags={\"Stack\":\"Production\",\"CostCenter\":\"12345\",\"Owner\":\"jane-doe\"}
For each tag in a tags map, both the key and value arguments are required, but the value argument can be an empty string. If you don't want to associate a tag value with a tag key, specify an empty string as the value. For example, the following AWS CLI command adds an Owner tag key with no associated tag value:
C:\> aws macie2 tag-resource ^
    --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
    --tags={\"Owner\":\"\"}
If a tagging operation succeeds, Macie returns an empty HTTP 204 response. Otherwise,
Macie returns an HTTP 4xx or 500 response
that indicates why the operation failed.
You can review the tags (both tag keys and tag values) for an Amazon Macie resource by using
the Amazon Macie console or the Amazon Macie API. If you prefer to do this for multiple Macie
resources at the same time, you can use the Tag Editor on the AWS Resource Groups
console or the tagging operations of the AWS Resource Groups Tagging
API.
- Console
-
Follow these steps to review a resource's tags by using the Amazon Macie console.
To review the tags for a resource
Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
-
Depending on the type of resource whose tags you want to review, do one
of the following:
-
For an allow list, choose Allow lists in
the navigation pane.
Then, in the table, select the check box for the list. Then choose
Manage tags on the
Actions menu.
-
For a custom data identifier, choose Custom data identifiers in
the navigation pane.
Then, in the table, select the check box for the custom data identifier. Then choose
Manage tags on the
Actions menu.
-
For a filter or suppression rule, choose Findings in the
navigation pane.
Then, in the Saved rules list, choose the edit icon next to the rule. Then choose Manage tags.
-
For a member account in your organization, choose Accounts in
the navigation pane.
Then, in the table, select the check box for the account. Then choose
Manage tags on the
Actions menu.
-
For a sensitive data discovery job, choose Jobs in the
navigation pane.
Then, in the table, select the check box for the job. Then choose Manage
tags on the Actions menu.
The Manage tags window lists all the tags that are currently assigned to the resource. For example, a custom data identifier might have three tags: the Owner tag key with no associated tag value; the CostCenter tag key with 12345 as an associated tag value; and the Stack tag key with Production as an associated tag value.
-
When you finish reviewing the tags, choose Cancel to close the
window.
- API
-
To retrieve and review the tags for an existing resource programmatically, you can use the appropriate Get or Describe operation for the type of resource that you want to review tags for. For example, if you use the GetCustomDataIdentifier operation or you run the get-custom-data-identifier command from the AWS Command Line Interface (AWS CLI), the response includes a tags object. The object lists all the tags (both tag keys and tag values) that are currently assigned to the resource.
You can also use the ListTagsForResource operation of the Amazon Macie API. In your request, use the resourceArn parameter to specify the Amazon Resource Name (ARN) of the resource. If you're using the AWS CLI, run the list-tags-for-resource command and use the resource-arn parameter to specify the ARN of the resource. For example:
C:\> aws macie2 list-tags-for-resource --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample
In the preceding example, arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample is the ARN of an existing sensitive data discovery job.
If the operation succeeds, Macie returns a tags object that lists all the tags (both tag keys and tag values) that are currently assigned to the resource. For example:
{
    "tags": {
        "Stack": "Production",
        "CostCenter": "12345",
        "Owner": ""
    }
}
Where Stack, CostCenter, and Owner are the tag keys that are assigned to the resource. Production is the tag value that's associated with the Stack tag key. 12345 is the tag value that's associated with the CostCenter tag key. The Owner tag key doesn't have an associated tag value.
To retrieve a list of all the Macie resources that have tags and all the tags that are assigned to each of those resources, use the GetResources operation of the AWS Resource Groups Tagging API. In your request, set the value for the ResourceTypeFilters parameter to macie2. To do this using the AWS CLI, run the get-resources command and set the value for the resource-type-filters parameter to macie2. For example:
C:\> aws resourcegroupstaggingapi get-resources --resource-type-filters "macie2"
If the operation succeeds, Resource Groups returns a ResourceTagMappingList array that contains the ARNs of all the Macie resources that have tags, and the tag keys and values that are assigned to each of those resources. Note that each entry represents tags as a list of Key and Value pairs, not as the string-to-string map that the Macie API uses, and that the response is paginated: if you call the API directly, use the PaginationToken value to retrieve additional pages (the AWS CLI handles pagination for you).
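The GetResources call above is the natural starting point for a tag-compliance sweep, but its response uses a list of Key/Value pairs where Macie's TagResource takes a string-to-string map, and a sweep that compares keys case-insensitively will miss the case-sensitivity rule stated earlier. The following Python is an added example, not code from the Macie documentation or from AWS. It parses a constructed GetResources response (the ARNs and tags are made up; only the classification-job ARN is the page's own example value) to find resources that lack a required tag key, builds the TagResource arguments that would fix them, and, in the __main__ section, shows the same steps against a live account with boto3, applying tags only when run with --apply. The default values it assigns (unassigned, Staging) are placeholders.

```python
"""Tag-compliance sweep over Macie resources using the Resource Groups Tagging API
response shape, producing Macie TagResource arguments (added example; not AWS code)."""
import json
from typing import Dict, List

REQUIRED_KEYS = ("Owner", "Stack")

# Constructed sample of what `aws resourcegroupstaggingapi get-resources
# --resource-type-filters macie2` returns. The IDs and tags are made up for the
# example; only the classification-job ARN reuses the page's example value.
SAMPLE_GET_RESOURCES_OUTPUT = json.dumps({
    "ResourceTagMappingList": [
        {
            "ResourceARN": "arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample",
            "Tags": [{"Key": "Stack", "Value": "Production"},
                     {"Key": "CostCenter", "Value": "12345"},
                     {"Key": "Owner", "Value": ""}],
        },
        {
            "ResourceARN": "arn:aws:macie2:us-east-1:123456789012:custom-data-identifier/example-cdi-id",
            "Tags": [{"Key": "Stack", "Value": "Staging"}],
        },
        {
            # Lower-case "owner" is a different key from "Owner" and must be flagged.
            "ResourceARN": "arn:aws:macie2:us-east-1:123456789012:allow-list/example-allow-list-id",
            "Tags": [{"Key": "owner", "Value": "jane-doe"}],
        },
    ],
    "PaginationToken": "",
})


def tag_list_to_map(tags: List[dict]) -> Dict[str, str]:
    """Resource Groups returns [{"Key": .., "Value": ..}]; Macie's TagResource takes {key: value}."""
    return {t["Key"]: t.get("Value", "") for t in tags}


def find_noncompliant(get_resources_json: str, required=REQUIRED_KEYS) -> Dict[str, List[str]]:
    """Map each resource ARN to the required keys it lacks. Keys are compared
    case-sensitively, as IAM and Macie do. A required key with an empty value
    counts as present; values are not checked here."""
    report: Dict[str, List[str]] = {}
    for item in json.loads(get_resources_json)["ResourceTagMappingList"]:
        tags = tag_list_to_map(item.get("Tags", []))
        missing = [k for k in required if k not in tags]
        if missing:
            report[item["ResourceARN"]] = missing
    return report


def build_tag_requests(report: Dict[str, List[str]], defaults: Dict[str, str]) -> List[dict]:
    """TagResource keyword arguments (resourceArn, tags) for each noncompliant
    resource; TagResource adds or updates only the keys given and leaves others alone."""
    return [{"resourceArn": arn, "tags": {k: defaults[k] for k in missing}}
            for arn, missing in report.items()]


if __name__ == "__main__":
    import sys
    import boto3  # needed only for the live run

    tagging = boto3.client("resourcegroupstaggingapi")
    pages = tagging.get_paginator("get_resources").paginate(ResourceTypeFilters=["macie2"])
    live = {"ResourceTagMappingList": [r for page in pages for r in page["ResourceTagMappingList"]]}
    report = find_noncompliant(json.dumps(live))
    for arn, missing in report.items():
        print(f"{arn}: missing {', '.join(missing)}")
    if "--apply" in sys.argv:
        macie = boto3.client("macie2")
        # Placeholder defaults; a real sweep would look the owner up, not invent one.
        for req in build_tag_requests(report, {"Owner": "unassigned", "Stack": "Staging"}):
            macie.tag_resource(**req)
```

GetResources returns only resources that have (or previously had) tags, so a resource created without any tag never appears in this report; for a complete sweep, also enumerate resources with Macie's own list operations (list-classification-jobs, list-custom-data-identifiers, and so on) and call list-tags-for-resource on each ARN. Run the live sweep without --apply first and review the report: adding a tag can change who has access to the resource under tag-based policies, as the warnings on this page note.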
To edit the tags (tag keys or tag values) for an Amazon Macie resource, you can use the
Amazon Macie console or the Amazon Macie API. To do this for multiple Macie resources at the
same time, use the Tag Editor on the AWS Resource Groups
console or the tagging operations of the AWS Resource Groups Tagging
API.
Editing the tags for a resource can affect access to the resource. Before you edit a tag
key or value for a resource, review any AWS Identity and Access Management (IAM) policies that might use the
tag to control access to resources.
- Console
-
Follow these steps to edit a resource's tags by using the Amazon Macie console.
To edit the tags for a resource
Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
-
Depending on the type of resource whose tags you want to edit, do one of
the following:
-
For an allow list, choose Allow lists in
the navigation pane.
Then, in the table, select the check box for the list. Then choose
Manage tags on the
Actions menu.
-
For a custom data identifier, choose Custom data identifiers in
the navigation pane.
Then, in the table, select the check box for the custom data identifier. Then choose
Manage tags on the
Actions menu.
-
For a filter or suppression rule, choose Findings in the
navigation pane.
Then, in the Saved rules list, choose the edit icon next to the rule. Then choose Manage tags.
-
For a member account in your organization, choose Accounts in
the navigation pane.
Then, in the table, select the check box for the account. Then choose
Manage tags on the
Actions menu.
-
For a sensitive data discovery job, choose Jobs in the
navigation pane.
Then, in the table, select the check box for the job. Then choose Manage
tags on the Actions menu.
The Manage tags window lists all the tags that
are currently assigned to the resource.
-
In the Manage tags window, choose Edit tags.
-
Do any of the following:
-
To add a tag value to a tag key, enter the value in the
Value box next to the tag key.
-
To change an existing tag key, choose Remove
next to the tag. Then choose Add tag. In the
Key box that appears, enter the new tag key.
Optionally enter an associated tag value in the
Value box.
-
To change an existing tag value, choose X in the
Value box that contains the value. Then enter
the new tag value in the Value box.
-
To remove an existing tag value, choose X in the
Value box that contains the value.
-
To remove an existing tag (both the tag key and tag value), choose
Remove next to the tag.
A resource can have as many as 50 tags. A tag key can contain as many as 128
characters. A tag value can contain as many as 256 characters. The
characters can be letters, numbers, spaces, or the following symbols: _ . :
/ = + - @
-
When you finish editing the tags, choose
Save.
- API
-
When you edit a tag for a resource programmatically, you overwrite the existing tag with new values. Therefore, the best way to edit a tag depends on whether you want to edit a tag key, a tag value, or both. To edit a tag key, remove the current tag and add a new tag. To edit or remove only the tag value that's associated with a tag key, overwrite the existing value by using the TagResource operation of the Amazon Macie API or, if you're using the AWS Command Line Interface (AWS CLI), running the tag-resource command. In your request, specify the Amazon Resource Name (ARN) of the resource whose tag value you want to edit or remove.
To edit a tag value for a tag key, use the tags parameter to specify the tag key whose tag value you want to change, and specify the new tag value for the key. For example, the following command changes the tag value from Production to Staging for the Stack tag key that's assigned to the specified sensitive data discovery job. This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.
C:\> aws macie2 tag-resource ^
    --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
    --tags={\"Stack\":\"Staging\"}
Where:
- resource-arn specifies the job's ARN.
- Stack is the tag key that's associated with the tag value to change.
- Staging is the new tag value for the specified tag key (Stack).
To remove a tag value from a tag key, specify an empty string for the value argument in the tags parameter. For example:
C:\> aws macie2 tag-resource ^
    --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
    --tags={\"Stack\":\"\"}
If the operation succeeds, Macie returns an empty HTTP 204 response. Otherwise, Macie returns an HTTP 4xx or 500 response that indicates why the operation failed.
To remove tags from an Amazon Macie resource, you can use the Amazon Macie console or the
Amazon Macie API. To do this for multiple Macie resources at the same time, use the Tag
Editor on the AWS Resource Groups console or the tagging operations of the AWS Resource Groups Tagging API.
Removing tags from a resource can affect access to the resource. Before you remove a tag,
review any AWS Identity and Access Management (IAM) policies that might use the tag to control access to
resources.
- Console
-
Follow these steps to remove one or more tags from a resource by using the Amazon Macie
console.
To remove a tag from a resource
Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
-
Depending on the type of resource that you want to remove a tag from, do one of the
following:
-
For an allow list, choose Allow lists in
the navigation pane.
Then, in the table, select the check box for the list. Then choose
Manage tags on the
Actions menu.
-
For a custom data identifier, choose Custom data identifiers in
the navigation pane.
Then, in the table, select the check box for the custom data identifier. Then choose
Manage tags on the
Actions menu.
-
For a filter or suppression rule, choose Findings in the
navigation pane.
Then, in the Saved rules list, choose the edit icon next to the rule. Then choose Manage tags.
-
For a member account in your organization, choose Accounts in
the navigation pane.
Then, in the table, select the check box for the account. Then choose
Manage tags on the
Actions menu.
-
For a sensitive data discovery job, choose Jobs in the
navigation pane.
Then, in the table, select the check box for the job. Then choose Manage
tags on the Actions menu.
The Manage tags window lists all the tags that
are currently assigned to the resource.
-
In the Manage tags window, choose Edit tags.
-
Do any of the following:
-
To remove only the tag value for a tag, choose X in the
Value box that contains the value to
remove.
-
To remove both the tag key and tag value (as a pair) for a tag, choose
Remove next to the tag to remove.
-
(Optional) To remove more tags from the resource, repeat the preceding step for each
additional tag to remove.
-
When you finish removing tags, choose Save.
- API
-
To remove one or more tags from a resource programmatically, use the UntagResource operation of the Amazon Macie API. In your request, use the resourceArn parameter to specify the Amazon Resource Name (ARN) of the resource to remove a tag from. Use the tagKeys parameter to specify the tag key of the tag to remove. To remove only a specific tag value (not a tag key) from a resource, edit the tag instead of removing the tag.
If you're using the AWS Command Line Interface (AWS CLI), run the untag-resource command and use the resource-arn parameter to specify the ARN of the resource to remove a tag from. Use the tag-keys parameter to specify the tag key of the tag to remove. For example, the following command removes the Stack tag (both the tag key and tag value) from the specified sensitive data discovery job:
C:\> aws macie2 untag-resource ^
    --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
    --tag-keys Stack
Where resource-arn specifies the ARN of the job to remove a tag from, and Stack is the tag key of the tag to remove.
To remove multiple tags from a resource, add each additional tag key as an argument for the tag-keys parameter. For example:
C:\> aws macie2 untag-resource ^
    --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
    --tag-keys Stack Owner
Where resource-arn specifies the ARN of the job to remove tags from, and Stack and Owner are the tag keys of the tags to remove.
If the operation succeeds, Macie returns an empty HTTP 204 response. Otherwise, Macie
returns an HTTP 4xx or 500 response that
indicates why the operation failed.