Tagging Amazon Macie resources - Amazon Macie
Tagging fundamentalsUsing tags in IAM policiesAdding tags to resourcesReviewing tags for resourcesEditing tags for resourcesRemoving tags from resources

Tagging Amazon Macie resources

A tag is a label that you can define and assign to AWS resources, including certain types of Amazon Macie resources. Tags can help you identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. For example, you can use tags to apply policies, allocate costs, distinguish between versions of resources, or identify resources that support certain compliance requirements.

You can assign tags to the following types of Macie resources: custom data identifiers; filter and suppression rules for findings; and, sensitive data discovery jobs. If you're the Macie administrator for an organization, you can also assign tags to member accounts in your organization. A resource can have as many as 50 tags.

Tagging fundamentals

Each tag consists of a required tag key and an optional tag value, both of which you define. A tag key is a general label that acts as a category for more specific tag values. A tag value acts as a descriptor for a tag key.

For example, if you create custom data identifiers and sensitive data discovery jobs to analyze data at different points in a workflow (one set for staged data and another for production data), you might assign a Stack tag key to those resources. The value of the Stack tag key might be Staging for custom data identifiers and jobs that are designed to analyze staged data, and Production for the others.

As you define and assign tags to resources, keep the following in mind:

  • Each resource can have a maximum of 50 tags.

  • For each resource, each tag key must be unique and it can have only one tag value.

  • Tag keys and values are case sensitive. As a best practice, we recommend that you define a strategy for capitalizing tags and implement that strategy consistently across your resources.

  • A tag key can have a maximum of 128 characters. A tag value can have a maximum of 256 characters. The characters can be letters, numbers, spaces (representable in UTF-8), or the following symbols: _ . : / = + - @

  • The aws: prefix is reserved for use by AWS. You can’t use it in any tag keys or values that you define. In addition, you can't change or remove tag keys or values that use this prefix. Tags that use this prefix don’t count against the quota of 50 tags per resource.

  • Any tags that you assign are available only for your AWS account and only in the AWS Region in which you assign them.

For additional restrictions, tips, and best practices, see Tagging AWS resources in the Amazon Web Services General Reference.

Important

Do not store confidential or other types of sensitive data in tags. Tags are accessible from many AWS services, including AWS Billing and Cost Management. They aren't intended to be used for sensitive data.

To add and manage tags for Macie resources, you can use the Amazon Macie console, the Amazon Macie API, the Tag Editor on the AWS Resource Groups console, or the AWS Resource Groups Tagging API. With Macie, you can add tags to a resource when you create the resource. You can also add and manage tags for individual existing resources. With Resource Groups, you can add and manage tags in bulk for multiple existing resources spanning multiple AWS services, including Macie. For more information, see the AWS Resource Groups and Tags User Guide.

Using tags in IAM policies

After you start tagging resources, you can define tag-based, resource-level permissions in AWS Identity and Access Management (IAM) policies. By using tags in this way, you can implement granular control of which users and roles in your AWS account have permission to create and tag resources, and which users and roles have permission to add, edit, and remove tags more generally. To control access based on tags, you can use tag-related condition keys in the Condition element of IAM policies.

For example, you can create a policy that allows a user to have full access to all Amazon Macie resources, if the Owner tag for the resource specifies their user name:

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "ModifyResourceIfOwner",
            "Effect": "Allow",
            "Action": "macie2:*",
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {"aws:ResourceTag/Owner": "${aws:username}"}
            }
        }
    ]
}

If you define tag-based, resource-level permissions, the permissions take effect immediately. This means that your resources are more secure as soon as they're created, and you can quickly start enforcing the use of tags for new resources. You can also use resource-level permissions to control which tag keys and values can be associated with new and existing resources. For more information, see Controlling access to AWS resources using tags in the IAM User Guide.

Adding tags to Amazon Macie resources

To add tags to an individual Amazon Macie resource, you can use the Amazon Macie console or the Amazon Macie API. To add tags to multiple Macie resources at the same time, use the Tag Editor on the AWS Resource Groups console or the tagging operations of the AWS Resource Groups Tagging API.

Important

Adding tags to a resource can affect access to the resource. Before you add a tag to a resource, review any AWS Identity and Access Management (IAM) policies that might use tags to control access to resources.

Console

When you create a custom data identifier or a sensitive data discovery job, the Amazon Macie console provides options for adding tags to the resource. To add tags to a filter or suppression rule or a member account in an organization, you have to create the resource before you can add tags to it.

Follow these steps to add one or more tags to an existing resource by using the Amazon Macie console.

To add a tag to a resource

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. Depending on the type of resource that you want to add a tag to, do one of the following:

    • For a custom data identifier, choose Custom data identifiers in the navigation pane.

      Then, in the table, select the check box for the custom data identifier. Then choose Manage tags on the Actions menu.

    • For a filter or suppression rule, choose Findings in the navigation pane.

      Then, in the Saved rules list, choose the edit icon ( A box with a pencil ) next to the rule. Then choose Manage tags.

    • For a member account in your organization, choose Accounts in the navigation pane.

      Then, in the table, select the check box for the account. Then choose Manage tags on the Actions menu.

    • For a sensitive data discovery job, choose Jobs in the navigation pane.

      Then, in the table, select the check box for the job. Then choose Manage tags on the Actions menu.

  3. In the Manage tags window, choose Edit tags.

  4. Choose Add tag.

  5. In the Key box, enter the tag key for the tag to add to the resource. Then, in the Value box, optionally enter a tag value for the key.

    A tag key can contain as many as 128 characters. A tag value can contain as many as 256 characters. The characters can be letters, numbers, spaces, or the following symbols: _ . : / = + - @

  6. (Optional) To add another tag to the resource, choose Add tag, and then repeat the preceding step. You can assign as many as 50 tags to a resource.

  7. When you finish adding tags, choose Save.

API

To create a resource and add one or more tags to it programmatically, use the appropriate Create operation for the type of resource that you want to create:

To add one or more tags to an existing resource, use the TagResource operation of the Amazon Macie API or, if you're using the AWS CLI, run the tag-resource command.

In your request, use the tags parameter to specify the tag key (key) and optional tag value (value) for each tag to add to the resource. The tags parameter specifies a string-to-string map of tag keys and their associated tag values.

For example, the following AWS CLI command adds a Stack tag key with a Production tag value to the specified job. This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Stack\":\"Production\"}

Where:

  • resource-arn is the Amazon Resource Name (ARN) of the job to add a tag to.

  • Stack is the tag key of the tag to add to the job.

  • Production is the tag value for the specified tag key (Stack).

In the following example, the command adds several tags to the job:

C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Owner\":\"jane-doe\",\"CostCenter\":\"12345\",\"Stack\":\"Production\"}

For each tag in a tags map, both the key and value arguments are required. However, the value for the value argument can be an empty string. If you don’t want to associate a tag value with a tag key, don't specify a value for the value argument. For example, the following AWS CLI command adds an Owner tag key with no associated tag value:

C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Owner\":\"\"}

If a tagging operation succeeds, Macie returns an empty HTTP 204 response. Otherwise, Macie returns an HTTP 4xx or 500 response that indicates why the operation failed.

Reviewing tags for Amazon Macie resources

You can review the tags (both tag keys and tag values) for an Amazon Macie resource by using the Amazon Macie console or the Amazon Macie API. If you prefer to do this for multiple Macie resources at the same time, you can use the Tag Editor on the AWS Resource Groups console or the AWS Resource Groups Tagging API.

Console

Follow these steps to review a resource's tags by using the Amazon Macie console.

To review the tags for a resource

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. Depending on the type of resource whose tags you want to review, do one of the following:

    • For a custom data identifier, choose Custom data identifiers in the navigation pane.

      Then, in the table, select the check box for the custom data identifier. Then choose Manage tags on the Actions menu.

    • For a filter or suppression rule, choose Findings in the navigation pane.

      Then, in the Saved rules list, choose the edit icon ( A box with a pencil ) next to the rule. Then choose Manage tags.

    • For a member account in your organization, choose Accounts in the navigation pane.

      Then, in the table, select the check box for the account. Then choose Manage tags on the Actions menu.

    • For a sensitive data discovery job, choose Jobs in the navigation pane.

      Then, in the table, select the check box for the job. Then choose Manage tags on the Actions menu.

    The Manage tags window lists all the tags that are currently assigned to the resource. For example, the following image shows the tags that are assigned to a custom data identifier.

    The Manage tags window. The window contains a table that lists the tag key and tag value for each of three tags.

    In this example, three tags are assigned to the custom data identifier: the Owner tag key with no associated tag value; the CostCenter tag key with 12345 as an associated tag value; and, the Stack tag key with Production as an associated tag value.

  3. When you finish reviewing the tags, choose Cancel to close the window.

API

To retrieve and review the tags for an existing resource programmatically, use the ListTagsForResource operation of the Amazon Macie API. In your request, use the resourceArn parameter to specify the Amazon Resource Name (ARN) of the resource.

If you're using the AWS CLI, run the list-tags-for-resource command and use the resource-arn parameter to specify the ARN of the resource. For example:

C:\> aws macie2 list-tags-for-resource --resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample

If the operation succeeds, Macie returns a tags object that lists all the tags (both tag keys and tag values) for the resource. For example:

{
    "tags": {
        "Stack": "Production",
        "CostCenter": "12345",
        "Owner": ""
    }
}

Where Stack, CostCenter, and Owner are the tag keys that are assigned to the resource. Production is the tag value that's associated with the Stack tag key. 12345 is the tag value that's associated with the CostCenter tag key. The Owner tag key doesn't have an associated tag value.

To retrieve a list of all the Macie resources that have tags and all the tags that are assigned to each of those resources, use the GetResources operation of the AWS Resource Groups Tagging API. In your request, set the value for the ResourceTypeFilters parameter to macie2. To do this using the AWS CLI, run the get-resources command and set the value for the resource-type-filters parameter to macie2. For example:

C:\> aws resourcegroupstaggingapi get-resources --resource-type-filters "macie2"

If the operation succeeds, Resource Groups returns a ResourceTagMappingList array that contains the ARNs of all the Macie resources that have tags, and the tag keys and values that are assigned to each of those resources.

Editing tags for Amazon Macie resources

To edit the tags (tag keys or tag values) for an Amazon Macie resource, you can use the Amazon Macie console or the Amazon Macie API. To do this for multiple Macie resources at the same time, use the Tag Editor on the AWS Resource Groups console or the AWS Resource Groups Tagging API.

Important

Editing the tags for a resource can affect access to the resource. Before you edit a tag key or value for a resource, review any AWS Identity and Access Management (IAM) policies that might use the tag to control access to resources.

Console

Follow these steps to edit a resource's tags by using the Amazon Macie console.

To edit the tags for a resource

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. Depending on the type of resource whose tags you want to edit, do one of the following:

    • For a custom data identifier, choose Custom data identifiers in the navigation pane.

      Then, in the table, select the check box for the custom data identifier. Then choose Manage tags on the Actions menu.

    • For a filter or suppression rule, choose Findings in the navigation pane.

      Then, in the Saved rules list, choose the edit icon ( A box with a pencil ) next to the rule. Then choose Manage tags.

    • For a member account in your organization, choose Accounts in the navigation pane.

      Then, in the table, select the check box for the account. Then choose Manage tags on the Actions menu.

    • For a sensitive data discovery job, choose Jobs in the navigation pane.

      Then, in the table, select the check box for the job. Then choose Manage tags on the Actions menu.

  3. In the Manage tags window, choose Edit tags.

  4. Do any of the following:

    • To add a tag value to a tag key, enter the value in the Value box next to the tag key.

    • To change an existing tag key, choose Remove next to the tag. Then choose Add tag. In the Key box that appears, enter the new tag key. Optionally enter an associated tag value in the Value box.

    • To change an existing tag value, choose X in the Value box that contains the value. Then enter the new tag value in the Value box.

    • To remove an existing tag value, choose X in the Value box that contains the value.

    • To remove an existing tag (both the tag key and tag value), choose Remove next to the tag.

    A resource can have as many as 50 tags. A tag key can contain as many as 128 characters. A tag value can contain as many as 256 characters. The characters can be letters, numbers, spaces, or the following symbols: _ . : / = + - @

  5. When you finish editing the tags, choose Save.

API

When you edit a tag for a resource programmatically, you overwrite the existing tag with new values. Therefore, the best way to edit a tag depends on whether you want to edit a tag key, a tag value, or both. To edit a tag key, remove the current tag and add a new tag.

To edit or remove only the tag value that's associated with a tag key, overwrite the existing value by using the TagResource operation of the Amazon Macie API or, if you're using the AWS CLI, running the tag-resource command. In your request, use the tags parameter to specify the tag key whose tag value you want to change, and specify the new tag value for the key.

For example, the following command changes the tag value from Production to Staging for the Stack tag key that's assigned to the specified sensitive data discovery job. This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Stack\":\"Staging\"}

Where:

  • resource-arn is the Amazon Resource Name (ARN) of the job.

  • Stack is the tag key that's associated with the tag value to change.

  • Staging is the new tag value for the specified tag key (Stack).

To remove the tag value for a tag key, don’t specify a value for the value argument in the tags parameter. For example:

C:\> aws macie2 tag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tags={\"Stack\":\"\"}

If the operation succeeds, Macie returns an empty HTTP 204 response. Otherwise, Macie returns an HTTP 4xx or 500 response that indicates why the operation failed.

Removing tags from Amazon Macie resources

To remove tags from an Amazon Macie resource, you can use the Amazon Macie console or the Amazon Macie API. To do this for multiple Macie resources at the same time, use the Tag Editor on the AWS Resource Groups console or the AWS Resource Groups Tagging API.

Important

Removing tags from a resource can affect access to the resource. Before you remove a tag, review any AWS Identity and Access Management (IAM) policies that might use the tag to control access to resources.

Console

Follow these steps to remove one or more tags from a resource by using the Amazon Macie console.

To remove a tag from a resource

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. Depending on the type of resource that you want to remove a tag from, do one of the following:

    • For a custom data identifier, choose Custom data identifiers in the navigation pane.

      Then, in the table, select the check box for the custom data identifier. Then choose Manage tags on the Actions menu.

    • For a filter or suppression rule, choose Findings in the navigation pane.

      Then, in the Saved rules list, choose the edit icon ( A box with a pencil ) next to the rule. Then choose Manage tags.

    • For a member account in your organization, choose Accounts in the navigation pane.

      Then, in the table, select the check box for the account. Then choose Manage tags on the Actions menu.

    • For a sensitive data discovery job, choose Jobs in the navigation pane.

      Then, in the table, select the check box for the job. Then choose Manage tags on the Actions menu.

  3. In the Manage tags window, choose Edit tags.

  4. Do any of the following:

    • To remove only the tag value for a tag, choose X in the Value box that contains the value to remove.

    • To remove both the tag key and tag value (as a pair) for a tag, choose Remove next to the tag to remove.

  5. (Optional) To remove more tags from the resource, repeat the preceding step for each additional tag to remove.

  6. When you finish removing tags, choose Save.

API

To remove one or more tags from a resource programmatically, use the UntagResource operation of the Amazon Macie API. In your request, use the resourceArn parameter to specify the Amazon Resource Name (ARN) of the resource to remove a tag from. Use the tagKeys parameter to specify the tag key of the tag to remove. To remove only a specific tag value (not a tag key) from a resource, edit the tag instead of removing the tag.

If you're using the AWS CLI, run the untag-resource command and use the resource-arn parameter to specify the ARN of the resource to remove a tag from. Use the tag-keys parameter to specify the tag key of the tag to remove. For example, the following command removes the Stack tag (both the tag key and tag value) from the specified sensitive data discovery job:

C:\> aws macie2 untag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tag-keys Stack

Where resource-arn is the ARN of the job to remove a tag from, and Stack is the tag key of the tag to remove.

To remove multiple tags from a resource, add each additional tag key as an argument for the tag-keys parameter. For example:

C:\> aws macie2 untag-resource ^
--resource-arn arn:aws:macie2:us-east-1:123456789012:classification-job/3ce05dbb7ec5505def334104bexample ^
--tag-keys Stack Owner

If the operation succeeds, Macie returns an empty HTTP 204 response. Otherwise, Macie returns an HTTP 4xx or 500 response that indicates why the operation failed.