Classification Results - Export Configuration
The Export Configuration resource for classification results provides access to settings for storing data classification results in an Amazon Simple Storage Service (Amazon S3) bucket. A data classification result, also referred to as a sensitive data discovery result, is a record that logs details about the analysis that Amazon Macie performed on an Amazon S3 object to determine whether the object contains sensitive data.
When you run a classification job or Macie performs automated sensitive data discovery, Macie automatically creates a data classification result for each S3 object that's included in the scope of the analysis. This includes objects that Macie doesn't find sensitive data in, and therefore don't produce findings, and objects that Macie can't analyze due to issues such as permissions settings. Data classification results provide you with analysis records that can be helpful for data privacy and protection audits or investigations. You can configure Macie to store these records in an S3 general purpose bucket and encrypt them with an AWS Key Management Service (AWS KMS) key. For more information, see Storing and retaining sensitive data discovery results in the Amazon Macie User Guide.
If you use Macie in multiple AWS Regions, configure these settings for each Region in which you use Macie. You can optionally store data classification results for multiple Regions in the same S3 bucket. However, note the following requirements:
- To store the results for a Region that AWS enables by default for AWS accounts, such as the US East (N. Virginia) Region, you have to specify a bucket in a Region that's enabled by default. The results can't be stored in a bucket in an opt-in Region (Region that's disabled by default).
- To store the results for an opt-in Region, such as the Middle East (Bahrain) Region, you have to specify a bucket in that same Region or a Region that's enabled by default. The results can't be stored in a bucket in a different opt-in Region.
To determine whether a Region is enabled by default, see Enable or disable AWS Regions in your account in the AWS Account Management Reference Guide. In addition to the preceding requirements, also consider whether you want to retrieve samples of sensitive data that Macie reports in individual findings. To retrieve sensitive data samples from an affected S3 object, all of the following resources and data must be stored in the same Region: the affected object, the applicable finding, and the corresponding sensitive data discovery result.
You can use the Export Configuration resource to specify or retrieve information about your configuration settings for storing data classification results in an S3 bucket.
URI
/classification-export-configuration
HTTP methods
GET
Operation ID: GetClassificationExportConfiguration
Retrieves the configuration settings for storing data classification results.
Status code | Response model | Description |
---|---|---|
200 | GetClassificationExportConfigurationResponse | The request succeeded. |
400 | ValidationException | The request failed because the input doesn't satisfy the constraints specified by the service. |
402 | ServiceQuotaExceededException | The request failed because fulfilling the request would exceed one or more service quotas for your account. |
403 | AccessDeniedException | The request was denied because you don't have sufficient access to the specified resource. |
404 | ResourceNotFoundException | The request failed because the specified resource wasn't found. |
409 | ConflictException | The request failed because it conflicts with the current state of the specified resource. |
429 | ThrottlingException | The request failed because you sent too many requests during a certain amount of time. |
500 | InternalServerException | The request failed due to an unknown internal server error, exception, or failure. |
PUT
Operation ID: PutClassificationExportConfiguration
Adds or updates the configuration settings for storing data classification results.
Status code | Response model | Description |
---|---|---|
200 | PutClassificationExportConfigurationResponse | The request succeeded. |
400 | ValidationException | The request failed because the input doesn't satisfy the constraints specified by the service. |
402 | ServiceQuotaExceededException | The request failed because fulfilling the request would exceed one or more service quotas for your account. |
403 | AccessDeniedException | The request was denied because you don't have sufficient access to the specified resource. |
404 | ResourceNotFoundException | The request failed because the specified resource wasn't found. |
409 | ConflictException | The request failed because it conflicts with the current state of the specified resource. |
429 | ThrottlingException | The request failed because you sent too many requests during a certain amount of time. |
500 | InternalServerException | The request failed due to an unknown internal server error, exception, or failure. |
Schemas
Request bodies
{ "configuration": { "s3Destination": { "bucketName": "string", "keyPrefix": "string", "kmsKeyArn": "string" } } }
Response bodies
{ "configuration": { "s3Destination": { "bucketName": "string", "keyPrefix": "string", "kmsKeyArn": "string" } } }
{ "configuration": { "s3Destination": { "bucketName": "string", "keyPrefix": "string", "kmsKeyArn": "string" } } }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
{ "message": "string" }
Properties
AccessDeniedException
Provides information about an error that occurred due to insufficient access to a specified resource.
Property | Type | Required | Description |
---|---|---|---|
message | string | False | The explanation of the error that occurred. |
ClassificationExportConfiguration
Specifies where to store data classification results, and the encryption settings to use when storing results in that location. The location must be an S3 general purpose bucket.
Property | Type | Required | Description |
---|---|---|---|
s3Destination | S3Destination | False | The S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket. |
ConflictException
Provides information about an error that occurred due to a versioning conflict for a specified resource.
Property | Type | Required | Description |
---|---|---|---|
message | string | False | The explanation of the error that occurred. |
GetClassificationExportConfigurationResponse
Provides information about the current configuration settings for storing data classification results.
Property | Type | Required | Description |
---|---|---|---|
configuration | ClassificationExportConfiguration | False | The location where data classification results are stored, and the encryption settings that are used when storing results in that location. |
InternalServerException
Provides information about an error that occurred due to an unknown internal server error, exception, or failure.
Property | Type | Required | Description |
---|---|---|---|
message | string | False | The explanation of the error that occurred. |
PutClassificationExportConfigurationRequest
Specifies where to store data classification results, and the encryption settings to use when storing results in that location.
Property | Type | Required | Description |
---|---|---|---|
configuration | ClassificationExportConfiguration | True | The location to store data classification results in, and the encryption settings to use when storing results in that location. |
PutClassificationExportConfigurationResponse
Provides information about updated settings for storing data classification results.
Property | Type | Required | Description |
---|---|---|---|
configuration | ClassificationExportConfiguration | False | The location where the data classification results are stored, and the encryption settings that are used when storing results in that location. |
ResourceNotFoundException
Provides information about an error that occurred because a specified resource wasn't found.
Property | Type | Required | Description |
---|---|---|---|
message | string | False | The explanation of the error that occurred. |
S3Destination
Specifies an S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket.
Property | Type | Required | Description |
---|---|---|---|
bucketName | string | True | The name of the bucket. This must be the name of an existing general purpose bucket. |
keyPrefix | string | False | The path prefix to use in the path to the location in the bucket. This prefix specifies where to store classification results in the bucket. |
kmsKeyArn | string | True | The Amazon Resource Name (ARN) of the customer managed AWS KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption AWS KMS key that's enabled in the same AWS Region as the bucket. |
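The following pre-flight check is an added example, not part of the Amazon Macie API or the AWS SDKs. It applies the S3Destination requirements above and the Region placement rules from the start of this page to a PutClassificationExportConfiguration request body before it is sent. The function name check_export_config, the caller-supplied bucket_region argument, and the OPT_IN_REGIONS sample set are assumptions; confirm which Regions are opt-in for your account.

```python
import re

# Constructed sample set (assumption): me-south-1 is Middle East (Bahrain),
# the opt-in Region this page names. Maintain the real list per account.
OPT_IN_REGIONS = frozenset({"me-south-1", "af-south-1"})

# ARN of a KMS key (not an alias); group 1 is the key's Region.
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:([a-z0-9-]+):\d{12}:key/[A-Za-z0-9-]+$")


def check_export_config(body, macie_region, bucket_region, opt_in=OPT_IN_REGIONS):
    """Return a list of problems found in a PUT request body (empty if none).

    macie_region is the Region whose results are being stored;
    bucket_region is the Region of the destination bucket, looked up by the caller.
    """
    dest = (body.get("configuration") or {}).get("s3Destination")
    if not isinstance(dest, dict):
        return ["configuration.s3Destination is missing"]
    problems = []
    # bucketName and kmsKeyArn are marked Required; keyPrefix is optional.
    for field in ("bucketName", "kmsKeyArn"):
        if not isinstance(dest.get(field), str) or not dest[field]:
            problems.append(f"s3Destination.{field} is required")
    name = dest.get("bucketName")
    if isinstance(name, str) and name.startswith("arn:"):
        problems.append("bucketName must be the bucket name, not an ARN")
    arn = dest.get("kmsKeyArn")
    match = KMS_KEY_ARN.match(arn) if isinstance(arn, str) else None
    if isinstance(arn, str) and arn and match is None:
        problems.append("kmsKeyArn is not the ARN of a KMS key")
    elif match and match.group(1) != bucket_region:
        problems.append(f"KMS key is in {match.group(1)} but the bucket is in {bucket_region}")
    # A bucket in an opt-in Region can only hold results for that same Region.
    if bucket_region in opt_in and bucket_region != macie_region:
        problems.append(f"bucket is in opt-in Region {bucket_region}; "
                        f"results for {macie_region} can't be stored there")
    return problems


if __name__ == "__main__":
    # Constructed request body with placeholder account ID and key ID.
    sample = {"configuration": {"s3Destination": {
        "bucketName": "example-macie-results",
        "keyPrefix": "macie/",
        "kmsKeyArn": "arn:aws:kms:me-south-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}}}
    for problem in check_export_config(sample, "us-east-1", "me-south-1"):
        print(problem)
```

The check does not confirm that the bucket or key exists, or that the key is a symmetric encryption key that's enabled; those still have to be verified against the account.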
ServiceQuotaExceededException
Provides information about an error that occurred due to one or more service quotas for an account.
Property | Type | Required | Description |
---|---|---|---|
message | string | False | The explanation of the error that occurred. |
ThrottlingException
Provides information about an error that occurred because too many requests were sent during a certain amount of time.
Property | Type | Required | Description |
---|---|---|---|
message | string | False | The explanation of the error that occurred. |
ValidationException
Provides information about an error that occurred due to a syntax error in a request.
Property | Type | Required | Description |
---|---|---|---|
message | string | False | The explanation of the error that occurred. |