Resource Sensitivity Profile - Amazon Macie

Resource Sensitivity Profile

The Resource Sensitivity Profile resource provides statistical data for sensitive data discovery metrics that apply to individual Amazon Simple Storage Service (Amazon S3) buckets for your account. If you're the Amazon Macie administrator for an organization, this includes S3 buckets that your member accounts own.

For each S3 bucket, the data includes metrics such as:

  • The number of objects that Amazon Macie has analyzed.

  • The number of objects that Macie has found sensitive data in.

  • The number of occurrences of sensitive data that Macie has found.

The data captures the results of automated sensitive data discovery activities that Macie has performed for an S3 bucket. For more information, see Performing automated sensitive data discovery in the Amazon Macie User Guide.

This resource also provides access to the sensitivity score for individual S3 buckets. By default, Macie calculates this score based on the intersection of two primary dimensions: the amount of data that Macie has analyzed in a bucket, and the amount of sensitive data that Macie has found in a bucket. If you're a Macie administrator or you have a standalone Macie account, you can optionally override the calculated score for a bucket. You can assign the maximum score (100), which also applies the Sensitive label to the bucket. If you override the calculated score, Macie continues to perform automated sensitive data discovery for the bucket. However, later analyses don't affect the bucket's score.

You can use the Resource Sensitivity Profile resource to retrieve (query) sensitive data discovery statistics and the sensitivity score for an S3 bucket. If you're a Macie administrator or you have a standalone Macie account, you can also use this resource to change the sensitivity score for a bucket.

To use this resource, you must first enable automated sensitive data discovery. To enable it for an organization or a standalone account, use the Configuration resource for automated sensitive data discovery. To enable it for a member account in an organization, use the Accounts resource for automated sensitive data discovery.

URI

/resource-profiles

HTTP methods

GET

Operation ID: GetResourceProfile

Retrieves (queries) sensitive data discovery statistics and the sensitivity score for an S3 bucket.

Query parameters

Name | Type | Required | Description
resourceArn | String | True | The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.

Responses

Status code | Response model | Description
200 | GetResourceProfileResponse | The request succeeded.
400 | ValidationException | The request failed because the input doesn't satisfy the constraints specified by the service.
402 | ServiceQuotaExceededException | The request failed because fulfilling the request would exceed one or more service quotas for your account.
403 | AccessDeniedException | The request was denied because you don't have sufficient access to the specified resource.
404 | ResourceNotFoundException | The request failed because the specified resource wasn't found.
429 | ThrottlingException | The request failed because you sent too many requests during a certain amount of time.
500 | InternalServerException | The request failed due to an unknown internal server error, exception, or failure.

PATCH

Operation ID: UpdateResourceProfile

Updates the sensitivity score for an S3 bucket.

Query parameters

Name | Type | Required | Description
resourceArn | String | True | The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.

Responses

Status code | Response model | Description
200 | Empty Schema | The request succeeded. The S3 bucket's sensitivity score was updated and there isn't any content to include in the body of the response (No Content).
400 | ValidationException | The request failed because the input doesn't satisfy the constraints specified by the service.
402 | ServiceQuotaExceededException | The request failed because fulfilling the request would exceed one or more service quotas for your account.
403 | AccessDeniedException | The request was denied because you don't have sufficient access to the specified resource.
404 | ResourceNotFoundException | The request failed because the specified resource wasn't found.
429 | ThrottlingException | The request failed because you sent too many requests during a certain amount of time.
500 | InternalServerException | The request failed due to an unknown internal server error, exception, or failure.

Schemas

Request bodies

Response bodies

Empty schema

{ }

ValidationException, ServiceQuotaExceededException, AccessDeniedException, ResourceNotFoundException, ThrottlingException, and InternalServerException schemas

{ "message": "string" }

Properties

AccessDeniedException

Provides information about an error that occurred due to insufficient access to a specified resource.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

Empty

The request succeeded and there isn't any content to include in the body of the response (No Content).

GetResourceProfileResponse

Provides sensitive data discovery statistics and the sensitivity score for an S3 bucket that Amazon Macie monitors and analyzes for an account. This data is available only if automated sensitive data discovery has been enabled for the account.

Property | Type | Required | Description
profileUpdatedAt | string (Format: date-time) | True | The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently recalculated sensitive data discovery statistics and details for the bucket. If the bucket's sensitivity score is calculated automatically, this includes the score.
sensitivityScore | integer (Format: int32) | True | The current sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). By default, this score is calculated automatically based on the amount of data that Amazon Macie has analyzed in the bucket and the amount of sensitive data that Macie has found in the bucket.
sensitivityScoreOverridden | boolean | False | Specifies whether the bucket's current sensitivity score was set manually. If this value is true, the score was manually changed to 100. If this value is false, the score was calculated automatically by Amazon Macie.
statistics | ResourceStatistics | True | The sensitive data discovery statistics for the bucket. The statistics capture the results of automated sensitive data discovery activities that Amazon Macie has performed for the bucket.

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

ResourceNotFoundException

Provides information about an error that occurred because a specified resource wasn't found.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

ResourceStatistics

Provides statistical data for sensitive data discovery metrics that apply to an S3 bucket that Amazon Macie monitors and analyzes for an account, if automated sensitive data discovery has been enabled for the account. The data captures the results of automated sensitive data discovery activities that Macie has performed for the bucket.

Property | Type | Required | Description
totalBytesClassified | integer (Format: int64) | False | The total amount of data, in bytes, that Amazon Macie has analyzed in the bucket.
totalDetections | integer (Format: int64) | False | The total number of occurrences of sensitive data that Amazon Macie has found in the bucket's objects. This includes occurrences that are currently suppressed by the sensitivity scoring settings for the bucket (totalDetectionsSuppressed).
totalDetectionsSuppressed | integer (Format: int64) | False | The total number of occurrences of sensitive data that are currently suppressed by the sensitivity scoring settings for the bucket. These represent occurrences of sensitive data that Amazon Macie found in the bucket's objects, but the occurrences were manually suppressed. By default, suppressed occurrences are excluded from the bucket's sensitivity score.
totalItemsClassified | integer (Format: int64) | False | The total number of objects that Amazon Macie has analyzed in the bucket.
totalItemsSensitive | integer (Format: int64) | False | The total number of the bucket's objects that Amazon Macie has found sensitive data in.
totalItemsSkipped | integer (Format: int64) | False | The total number of objects that Amazon Macie wasn't able to analyze in the bucket due to an object-level issue or error, for example, because an object is a malformed file. This value includes objects that Macie wasn't able to analyze for reasons reported by other statistics in the ResourceStatistics object.
totalItemsSkippedInvalidEncryption | integer (Format: int64) | False | The total number of objects that Amazon Macie wasn't able to analyze in the bucket because the objects are encrypted with a key that Macie can't access. The objects use server-side encryption with customer-provided keys (SSE-C).
totalItemsSkippedInvalidKms | integer (Format: int64) | False | The total number of objects that Amazon Macie wasn't able to analyze in the bucket because the objects are encrypted with AWS KMS keys that were disabled, are scheduled for deletion, or were deleted.
totalItemsSkippedPermissionDenied | integer (Format: int64) | False | The total number of objects that Amazon Macie wasn't able to analyze in the bucket due to the permissions settings for the objects or the permissions settings for the keys that were used to encrypt the objects.
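
The following example is added here and is not part of the AWS documentation or SDK. It reads a GetResourceProfileResponse and flags cases where the sensitivity score may understate what is in a bucket: objects Macie could not read, suppressed detections, a manual override, or a classification error. The thresholds, flag labels, and sample values are assumptions; fetch_profile uses the boto3 macie2 client and is not called by the sample.

```python
# Constructed sample shaped like GetResourceProfileResponse; all values are invented.
SAMPLE_PROFILE = {
    "profileUpdatedAt": "2024-01-10T08:00:00Z",
    "sensitivityScore": 1,
    "sensitivityScoreOverridden": False,
    "statistics": {
        "totalDetections": 40,
        "totalDetectionsSuppressed": 38,
        "totalItemsClassified": 120,
        "totalItemsSkipped": 480,
        "totalItemsSkippedInvalidEncryption": 300,
        "totalItemsSkippedInvalidKms": 100,
        "totalItemsSkippedPermissionDenied": 50,
    },
}

# Skip counters from ResourceStatistics that name a concrete cause; labels are assumptions.
SKIP_CAUSES = {
    "totalItemsSkippedInvalidEncryption": "sse-c-unreadable",
    "totalItemsSkippedInvalidKms": "kms-key-unusable",
    "totalItemsSkippedPermissionDenied": "permission-denied",
}

def assess_profile(profile, max_skip_ratio=0.2, max_suppressed_ratio=0.5):
    """Flag reasons a bucket's score may understate risk. Thresholds are assumptions."""
    stats = profile.get("statistics") or {}
    def n(key):
        return stats.get(key) or 0          # every statistic is optional in the schema
    flags = []
    if profile["sensitivityScore"] == -1:
        flags.append("classification-error")
    if profile.get("sensitivityScoreOverridden"):
        flags.append("score-overridden")    # later analyses no longer change the score
    skipped, classified = n("totalItemsSkipped"), n("totalItemsClassified")
    attempted = skipped + classified        # assumption: the two counts are disjoint
    skip_ratio = skipped / attempted if attempted else 0.0
    if skip_ratio > max_skip_ratio:
        flags.append("low-coverage")
    flags += [label for key, label in SKIP_CAUSES.items() if n(key)]
    detections, suppressed = n("totalDetections"), n("totalDetectionsSuppressed")
    if detections and suppressed / detections > max_suppressed_ratio:
        flags.append("mostly-suppressed")   # totalDetections includes suppressed ones
    return {"flags": flags, "skip_ratio": round(skip_ratio, 2),
            "unsuppressed_detections": detections - suppressed}

def fetch_profile(bucket_arn):
    """Call GetResourceProfile through boto3 (needs credentials and network access)."""
    import boto3
    return boto3.client("macie2").get_resource_profile(resourceArn=bucket_arn)
```

For the sample, a score of 1 sits beside a skip ratio of 0.8 and only 2 unsuppressed detections, so the low score reflects limited coverage and suppression rather than a clean bucket.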

ServiceQuotaExceededException

Provides information about an error that occurred due to one or more service quotas for an account.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

UpdateResourceProfileRequest

Specifies a new sensitivity score for an S3 bucket that Amazon Macie monitors and analyzes for an account. To update the score, automated sensitive data discovery must be enabled for the account.

Property | Type | Required | Description
sensitivityScoreOverride | integer (Format: int32) | False | The new sensitivity score for the bucket. Valid values are: 100, which assigns the maximum score and applies the Sensitive label to the bucket; and null (empty), which assigns a score that Amazon Macie calculates automatically after you submit the request.

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

Property | Type | Required | Description
message | string | False | The explanation of the error that occurred.

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

GetResourceProfile

UpdateResourceProfile