Classification Scope - Amazon Macie

Classification Scope

The Classification Scope resource provides access to the classification scope settings for your Amazon Macie account. The classification scope specifies Amazon Simple Storage Service (Amazon S3) buckets that you don't want Macie to analyze when it performs automated sensitive data discovery. It defines an S3 bucket exclusion list for automated sensitive data discovery. For more information, see Performing automated sensitive data discovery in the Amazon Macie User Guide.

The first time you or your Macie administrator enables automated sensitive data discovery for your account, Macie automatically creates the classification scope for your account. If you have a standalone Macie account, Macie then uses the scope's settings to determine which S3 buckets to exclude from analyses. If your account is part of an organization that centrally manages multiple Macie accounts, Macie uses the scope settings for your Macie administrator's account to determine which buckets to exclude. Contact your Macie administrator for information about the settings for your organization.

By default, Macie analyzes data in all the S3 general purpose buckets for an account. If you're the Macie administrator for an organization, this includes buckets that your member accounts own. If you're a Macie administrator or you have a standalone Macie account, you can adjust the scope of the analyses by adding buckets to and removing buckets from the list of buckets to exclude. For example, you might exclude buckets that typically store AWS logging data, such as a bucket that stores AWS CloudTrail event logs. To exclude all buckets for a particular account in an organization, you can disable automated sensitive data discovery for the account. To do this, use the Accounts resource for automated sensitive data discovery.

If you're a Macie administrator or you have a standalone Macie account, you can use the Classification Scope resource to retrieve or update the classification scope settings for your organization or account. When you use this resource, you have to specify the unique identifier for the classification scope that specifies the settings. To obtain this identifier, use the Classification Scopes resource.

URI

/classification-scopes/id

HTTP methods

GET

Operation ID: GetClassificationScope

Retrieves the classification scope settings for an account.

Path parameters

Name  Type    Required  Description
id    String  True      The unique identifier for the Amazon Macie resource that the request applies to.

Responses

Status code  Response model                  Description
200          GetClassificationScopeResponse  The request succeeded.
400          ValidationException             The request failed because the input doesn't satisfy the constraints specified by the service.
403          AccessDeniedException           The request was denied because you don't have sufficient access to the specified resource.
404          ResourceNotFoundException       The request failed because the specified resource wasn't found.
429          ThrottlingException             The request failed because you sent too many requests during a certain amount of time.
500          InternalServerException         The request failed due to an unknown internal server error, exception, or failure.

PATCH

Operation ID: UpdateClassificationScope

Updates the classification scope settings for an account.

Path parameters

Name  Type    Required  Description
id    String  True      The unique identifier for the Amazon Macie resource that the request applies to.

Responses

Status code  Response model             Description
200          Empty Schema               The request succeeded. The specified settings were updated and there isn't any content to include in the body of the response (No Content).
400          ValidationException        The request failed because the input doesn't satisfy the constraints specified by the service.
403          AccessDeniedException      The request was denied because you don't have sufficient access to the specified resource.
404          ResourceNotFoundException  The request failed because the specified resource wasn't found.
429          ThrottlingException        The request failed because you sent too many requests during a certain amount of time.
500          InternalServerException    The request failed due to an unknown internal server error, exception, or failure.

Schemas

Request bodies

UpdateClassificationScopeRequest (PATCH), where operation is a ClassificationScopeUpdateOperation value:

{
  "s3": {
    "excludes": {
      "bucketNames": [ "string" ],
      "operation": enum
    }
  }
}

Response bodies

GetClassificationScopeResponse (200, GET):

{
  "id": "string",
  "name": "string",
  "s3": {
    "excludes": {
      "bucketNames": [ "string" ]
    }
  }
}

Empty (200, PATCH):

{ }

ValidationException, AccessDeniedException, ResourceNotFoundException, ThrottlingException, and InternalServerException (400, 403, 404, 429, 500) all share the same body:

{ "message": "string" }

Properties

AccessDeniedException

Provides information about an error that occurred due to insufficient access to a specified resource.

Property  Type    Required  Description
message   string  False     The explanation of the error that occurred.

ClassificationScopeUpdateOperation

Specifies how to apply changes to the S3 bucket exclusion list defined by the classification scope for an Amazon Macie account. Valid values are:

  • ADD

  • REPLACE

  • REMOVE

Empty

The request succeeded and there isn't any content to include in the body of the response (No Content).

GetClassificationScopeResponse

Provides information about the classification scope settings for an Amazon Macie account. Macie uses these settings when it performs automated sensitive data discovery for the account.

Property  Type                    Required  Description
id        string                  False     The unique identifier for the classification scope.
name      string                  False     The name of the classification scope: automated-sensitive-data-discovery.
s3        S3ClassificationScope   False     The S3 buckets that are excluded from automated sensitive data discovery.

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

Property  Type    Required  Description
message   string  False     The explanation of the error that occurred.

ResourceNotFoundException

Provides information about an error that occurred because a specified resource wasn't found.

Property  Type    Required  Description
message   string  False     The explanation of the error that occurred.

S3ClassificationScope

Specifies the S3 buckets that are excluded from automated sensitive data discovery for an Amazon Macie account.

Property  Type                           Required  Description
excludes  S3ClassificationScopeExclusion  True      The S3 buckets that are excluded.

S3ClassificationScopeExclusion

Specifies the names of the S3 buckets that are excluded from automated sensitive data discovery.

Property     Type                  Required  Description
bucketNames  Array of type string  True      An array of strings, one for each S3 bucket that is excluded. Each string is the full name of an excluded bucket.

S3ClassificationScopeExclusionUpdate

Specifies S3 buckets to add or remove from the exclusion list defined by the classification scope for an Amazon Macie account.

Property     Type                                Required  Description
bucketNames  Array of type string                True      Depending on the value specified for the update operation (ClassificationScopeUpdateOperation), an array of strings that either lists the names of buckets to add to or remove from the list, or specifies a new set of bucket names that replaces all existing names in the list. Each string must be the full name of an existing S3 bucket. Values are case sensitive.
operation    ClassificationScopeUpdateOperation  True      Specifies how to apply the changes to the exclusion list. Valid values are:

  • ADD - Append the specified bucket names to the current list.

  • REMOVE - Remove the specified bucket names from the current list.

  • REPLACE - Overwrite the current list with the specified list of bucket names. If you specify this value, Amazon Macie removes all existing names from the list and adds all the specified names to the list.
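Because every bucket on the exclusion list is a bucket Macie will not inspect for sensitive data, the list is worth auditing against an approved set. As an added example (not code from the Macie documentation or the AWS SDK), the following Python reads the scope with GetClassificationScope, reports any excluded bucket that was not approved, and removes it with UpdateClassificationScope using REMOVE. `FakeMacieClient`, the scope id and the bucket names are constructed stand-ins for boto3's macie2 client so the example runs offline; `apply_operation` is a local model of the ADD/REMOVE/REPLACE semantics documented above, and its de-duplication on ADD is an assumption of this model, not a documented service guarantee.

```python
# Added example: pin the automated-discovery exclusion list to an approved set.
# The Protocol lists the three boto3 macie2 calls used; FakeMacieClient below is a
# constructed offline stand-in with the same method names and response shapes.
from typing import Protocol

class MacieClient(Protocol):
    def list_classification_scopes(self) -> dict: ...
    def get_classification_scope(self, *, id: str) -> dict: ...
    def update_classification_scope(self, *, id: str, s3: dict) -> dict: ...

def apply_operation(current: list[str], operation: str, names: list[str]) -> list[str]:
    """Local model of ClassificationScopeUpdateOperation. Bucket names are case
    sensitive, so nothing is normalised; ADD skips names already present (assumption)."""
    if operation == "ADD":
        return current + [n for n in names if n not in current]
    if operation == "REMOVE":
        return [n for n in current if n not in names]
    if operation == "REPLACE":
        return list(names)
    raise ValueError(f"unknown operation {operation!r}")

def unapproved_exclusions(excluded: list[str], approved: set[str]) -> list[str]:
    """Buckets Macie is currently skipping that nobody signed off on."""
    return sorted(set(excluded) - approved)

def reconcile_exclusions(client: MacieClient, approved: set[str]) -> list[str]:
    """GET the scope, report unapproved exclusions, and PATCH them off the list."""
    scope_id = client.list_classification_scopes()["classificationScopes"][0]["id"]
    scope = client.get_classification_scope(id=scope_id)
    drift = unapproved_exclusions(scope["s3"]["excludes"]["bucketNames"], approved)
    if drift:  # only the unapproved names are touched; approved exclusions stay
        client.update_classification_scope(
            id=scope_id, s3={"excludes": {"bucketNames": drift, "operation": "REMOVE"}})
    return drift

class FakeMacieClient:
    """Constructed stand-in for the real client; scope id and buckets are made up."""
    def __init__(self, excluded: list[str]):
        self.excluded = list(excluded)
    def list_classification_scopes(self) -> dict:
        return {"classificationScopes": [{"id": "scope-EXAMPLE",
                                          "name": "automated-sensitive-data-discovery"}]}
    def get_classification_scope(self, *, id: str) -> dict:
        return {"id": id, "name": "automated-sensitive-data-discovery",
                "s3": {"excludes": {"bucketNames": list(self.excluded)}}}
    def update_classification_scope(self, *, id: str, s3: dict) -> dict:
        ex = s3["excludes"]
        self.excluded = apply_operation(self.excluded, ex["operation"], ex["bucketNames"])
        return {}

if __name__ == "__main__":
    fake = FakeMacieClient(["example-cloudtrail-logs", "example-hr-exports"])
    print(reconcile_exclusions(fake, {"example-cloudtrail-logs"}), fake.excluded)
```

Against a live account, replace `FakeMacieClient` with `boto3.client("macie2")`; the calling principal needs permission for the list, get and update operations.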

S3ClassificationScopeUpdate

Specifies changes to the list of S3 buckets that are excluded from automated sensitive data discovery for an Amazon Macie account.

Property  Type                                 Required  Description
excludes  S3ClassificationScopeExclusionUpdate  True      The names of the S3 buckets to add or remove from the list.

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

Property  Type    Required  Description
message   string  False     The explanation of the error that occurred.

UpdateClassificationScopeRequest

Specifies new classification scope settings for an Amazon Macie account. Macie uses these settings when it performs automated sensitive data discovery for the account. To update the settings, automated sensitive data discovery must be enabled for the account.

Property  Type                        Required  Description
s3        S3ClassificationScopeUpdate  False     The S3 buckets to add or remove from the exclusion list defined by the classification scope.

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

Property  Type    Required  Description
message   string  False     The explanation of the error that occurred.

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

GetClassificationScope

UpdateClassificationScope