If you enable automated sensitive data discovery for your account or organization, you can adjust your automated discovery
settings to refine the analyses that Amazon Macie performs. The settings specify Amazon Simple Storage Service (Amazon S3)
buckets to exclude from analyses. They also specify the types and occurrences of sensitive data
to detect and report—the managed data identifiers, custom data identifiers, and allow
lists to use when analyzing S3 objects.
By default, Macie performs automated sensitive data discovery for all the S3 general purpose buckets for your
account. If you're the Macie administrator for an organization, this includes buckets that your member
accounts own. You can exclude specific buckets from the analyses. For example, you might exclude
buckets that typically store AWS logging data, such as AWS CloudTrail event logs. If you exclude a
bucket, you can include it again later.
In addition, Macie analyzes S3 objects by using only the set of managed data identifiers
that we recommend for automated sensitive data discovery. Macie doesn't use custom data identifiers or allow lists that
you defined. To customize the analyses, you can add or remove specific managed data identifiers,
custom data identifiers, and allow lists.
If you change a setting, Macie applies your change when the next evaluation and analysis
cycle starts, typically within 24 hours. In addition, your change applies only to the current
AWS Region. To make the same change in additional Regions, repeat the applicable steps in each
additional Region.
To configure settings for automated sensitive data discovery, you must be the Macie administrator for an organization or
have a standalone Macie account. If your account is part of an organization, only the
Macie administrator for your organization can configure and manage the settings for accounts in your
organization. If you have a member account, contact your Macie administrator to learn about the settings
for your account and organization.
If an account is part of an organization that centrally manages multiple Amazon Macie
accounts, the Macie administrator for the organization configures and manages automated sensitive data discovery for accounts in
the organization. This includes settings that define the scope and nature of the analyses that
Macie performs for the accounts. Members can't access these settings for their own
accounts.
If you're the Macie administrator for an organization, you can define the scope of the analyses in
several ways:
- Automatically enable automated sensitive data discovery for accounts – When you enable automated sensitive data discovery, you specify whether to enable it for all existing accounts and new member accounts, only for new member accounts, or no member accounts. If you enable it for new member accounts, it's enabled automatically for any account that subsequently joins your organization, when the account joins your organization in Macie. If it's enabled for an account, Macie includes S3 buckets that the account owns. If it's disabled for an account, Macie excludes buckets that the account owns.
- Selectively enable automated sensitive data discovery for accounts – With this option, you enable or disable automated sensitive data discovery for individual accounts on a case-by-case basis. If you enable it for an account, Macie includes S3 buckets that the account owns. If you don't enable it or you disable it for an account, Macie excludes buckets that the account owns.
- Exclude specific S3 buckets from automated sensitive data discovery – If you enable automated sensitive data discovery for an account, you can exclude particular S3 buckets that the account owns. Macie then skips the buckets when it performs automated discovery. To exclude particular buckets, add them to the exclusion list in the configuration settings for your administrator account. You can exclude as many as 1,000 buckets for your organization.
By default, automated sensitive data discovery is enabled automatically for all new and existing accounts in an
organization. In addition, Macie includes all the S3 buckets that the accounts own. If you keep
the default settings, this means that Macie performs automated discovery for all the buckets for your
administrator account, which includes all the buckets that your member accounts own.
As a Macie administrator, you also define the nature of the analyses that Macie performs for your
organization. You do this by configuring additional settings for your administrator
account—the managed data identifiers, custom data identifiers, and allow lists that you
want Macie to use when it analyzes S3 objects. Macie uses the settings for your administrator
account when it analyzes S3 objects for other accounts in your organization.
By default, Amazon Macie performs automated sensitive data discovery for all the S3 general purpose buckets for your
account. If you're the Macie administrator for an organization, this includes buckets that your member
accounts own.
To refine the scope, you can exclude as many as 1,000 S3 buckets from analyses. If you
exclude a bucket, Macie stops selecting and analyzing objects in the bucket when it performs
automated sensitive data discovery. Existing sensitive data discovery statistics and details for the bucket persist. For example, the bucket's
current sensitivity score remains unchanged. After you exclude a bucket, you can include it again
later.
To exclude or include an S3 bucket in automated sensitive data discovery
You can exclude or subsequently include an S3 bucket by using the Amazon Macie console or the
Amazon Macie API.
- Console
Follow these steps to exclude or subsequently include an S3 bucket by using the Amazon Macie console.
To exclude or include an S3 bucket
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to exclude or include specific S3 buckets in analyses.
- In the navigation pane, under Settings, choose Automated sensitive data discovery.
  The Automated sensitive data discovery page appears and displays your current settings. On that page, the S3 buckets section lists S3 buckets that are currently excluded, or it indicates that all buckets are currently included.
- In the S3 buckets section, choose Edit.
- Do one of the following:
  - To exclude one or more S3 buckets, choose Add buckets to the exclude list. Then, in the S3 buckets table, select the check box for each bucket to exclude. The table lists all the general purpose buckets for your account or organization in the current Region.
  - To include one or more S3 buckets that you previously excluded, choose Remove buckets from the exclude list. Then, in the S3 buckets table, select the check box for each bucket to include. The table lists all the buckets that are currently excluded from analyses.
  To find specific buckets more easily, enter search criteria in the search box above the table. You can also sort the table by choosing a column heading.
- When you finish selecting buckets, choose Add or Remove, depending on the option that you chose in the preceding step.
You can also exclude or include individual S3 buckets on a case-by-case basis while you review bucket details on the console. To do this, choose the bucket on the S3 buckets page. Then, in the details panel, change the Exclude from automated discovery setting for the bucket.
- API
To exclude or subsequently include an S3 bucket programmatically, use the Amazon Macie API to update the classification scope for your account. The classification scope specifies buckets that you don't want Macie to analyze when it performs automated sensitive data discovery. It defines a bucket exclusion list for automated discovery.
When you update the classification scope, you specify whether to add or remove individual buckets from the exclusion list, or overwrite the current list with a new list. Therefore, it's a good idea to start by retrieving and reviewing your current list. To retrieve the list, use the GetClassificationScope operation. If you're using the AWS Command Line Interface (AWS CLI), run the get-classification-scope command to retrieve the list.
To retrieve or update the classification scope, you have to specify its unique identifier (id). You can get this identifier by using the GetAutomatedDiscoveryConfiguration operation. This operation retrieves your current configuration settings for automated sensitive data discovery, including the unique identifier for the classification scope for your account in the current AWS Region. If you're using the AWS CLI, run the get-automated-discovery-configuration command to retrieve this information.
When you're ready to update the classification scope, use the UpdateClassificationScope operation or, if you're using the AWS CLI, run the update-classification-scope command. In your request, use the supported parameters to exclude or include an S3 bucket in subsequent analyses:
- To exclude one or more buckets, specify the name of each bucket for the bucketNames parameter. For the operation parameter, specify ADD.
- To include one or more buckets that you previously excluded, specify the name of each bucket for the bucketNames parameter. For the operation parameter, specify REMOVE.
- To overwrite the current list with a new list of buckets to exclude, specify REPLACE for the operation parameter. For the bucketNames parameter, specify the name of each bucket to exclude.
Each value for the bucketNames parameter must be the full name of an existing general purpose bucket in the current Region. Values are case sensitive. If your request succeeds, Macie updates the classification scope and returns an empty response.
The following examples show how to use the AWS CLI to update the classification scope for an account. The first set of examples excludes two S3 buckets (amzn-s3-demo-bucket1 and amzn-s3-demo-bucket2) from subsequent analyses. It adds the buckets to the list of buckets to exclude.
This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws macie2 update-classification-scope \
--id 117aff7ed76b59a59c3224ebdexample \
--s3 '{"excludes":{"bucketNames":["amzn-s3-demo-bucket1","amzn-s3-demo-bucket2"],"operation": "ADD"}}'
This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.
C:\> aws macie2 update-classification-scope ^
--id 117aff7ed76b59a59c3224ebdexample ^
--s3={\"excludes\":{\"bucketNames\":[\"amzn-s3-demo-bucket1\",\"amzn-s3-demo-bucket2\"],\"operation\":\"ADD\"}}
The next set of examples later includes the buckets (amzn-s3-demo-bucket1 and amzn-s3-demo-bucket2) in subsequent analyses. It removes the buckets from the list of buckets to exclude. For Linux, macOS, or Unix:
$ aws macie2 update-classification-scope \
--id 117aff7ed76b59a59c3224ebdexample \
--s3 '{"excludes":{"bucketNames":["amzn-s3-demo-bucket1","amzn-s3-demo-bucket2"],"operation": "REMOVE"}}'
For Microsoft Windows:
C:\> aws macie2 update-classification-scope ^
--id 117aff7ed76b59a59c3224ebdexample ^
--s3={\"excludes\":{\"bucketNames\":[\"amzn-s3-demo-bucket1\",\"amzn-s3-demo-bucket2\"],\"operation\":\"REMOVE\"}}
The following examples overwrite and replace the current list with a new list of S3 buckets to exclude. The new list specifies three buckets to exclude: amzn-s3-demo-bucket, amzn-s3-demo-bucket2, and amzn-s3-demo-bucket3. For Linux, macOS, or Unix:
$ aws macie2 update-classification-scope \
--id 117aff7ed76b59a59c3224ebdexample \
--s3 '{"excludes":{"bucketNames":["amzn-s3-demo-bucket","amzn-s3-demo-bucket2","amzn-s3-demo-bucket3"],"operation": "REPLACE"}}'
For Microsoft Windows:
C:\> aws macie2 update-classification-scope ^
--id 117aff7ed76b59a59c3224ebdexample ^
--s3={\"excludes\":{\"bucketNames\":[\"amzn-s3-demo-bucket\",\"amzn-s3-demo-bucket2\",\"amzn-s3-demo-bucket3\"],\"operation\":\"REPLACE\"}}
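The three operation values, the 1,000-bucket limit, and the case-sensitive bucket names are the details that go wrong when this update is scripted, and a REPLACE in particular silently drops every bucket you forgot to repeat. The following Python is an added example, not Macie's own code and not part of the AWS documentation: it plans an UpdateClassificationScope request from the current exclusion list, validates the names, previews the resulting list, flags entries the operation would not change, and renders the value for the CLI's --s3 option. The scope document is constructed sample data in the shape of a get-classification-scope response (assumption: only the s3.excludes.bucketNames field matters here), and the boto3 call in the trailing comment is an assumption about how the result would be sent.

```python
"""Plan an UpdateClassificationScope request against the current exclusion list.

Added example; not Macie's own code. Nothing here talks to AWS: the scope below
is constructed sample data (assumption: shape of a get-classification-scope
response, only s3.excludes.bucketNames is used), and the functions build the
request dict you would pass to boto3's macie2.update_classification_scope(**request)
or render for the CLI --s3 option.
"""
import json
import re

MAX_EXCLUDED_BUCKETS = 1000  # documented limit per account or organization

# Constructed sample: one bucket is already on the exclusion list.
CURRENT_SCOPE = {
    "id": "117aff7ed76b59a59c3224ebdexample",
    "s3": {"excludes": {"bucketNames": ["amzn-s3-demo-bucket1"]}},
}

# General purpose bucket names are lowercase, 3-63 characters of a-z, 0-9, '.'
# and '-'. A name that violates this can never match an existing bucket, so it
# is better rejected here than silently excluding nothing (values are case sensitive).
_BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def current_excludes(scope):
    """Bucket names currently on the exclusion list (empty if none)."""
    return list(scope.get("s3", {}).get("excludes", {}).get("bucketNames", []))


def validate_bucket_names(bucket_names):
    """Reject names that cannot be the full, case-sensitive name of a bucket; dedupe the rest."""
    bad = [b for b in bucket_names if not _BUCKET_NAME.match(b)]
    if bad:
        raise ValueError(f"invalid bucket names (full lowercase names only): {bad}")
    return list(dict.fromkeys(bucket_names))  # dedupe, keep order


def apply_operation(current, operation, bucket_names):
    """Return the exclusion list Macie would hold after the operation."""
    if operation == "ADD":
        result = current + [b for b in bucket_names if b not in current]
    elif operation == "REMOVE":
        result = [b for b in current if b not in bucket_names]
    elif operation == "REPLACE":
        result = list(bucket_names)  # everything not repeated here is dropped
    else:
        raise ValueError(f"operation must be ADD, REMOVE or REPLACE, got {operation!r}")
    if len(result) > MAX_EXCLUDED_BUCKETS:
        raise ValueError(f"{len(result)} excluded buckets exceeds the limit of {MAX_EXCLUDED_BUCKETS}")
    return result


def plan_update(scope, operation, bucket_names):
    """Build the request plus a preview of its effect, so it can be reviewed first."""
    names = validate_bucket_names(bucket_names)
    before = current_excludes(scope)
    after = apply_operation(before, operation, names)
    request = {"id": scope["id"], "s3": {"excludes": {"bucketNames": names, "operation": operation}}}
    # Entries the operation leaves unchanged: ADD of a bucket already excluded, or
    # REMOVE of one that was never excluded. Usually a sign of a stale list.
    if operation == "ADD":
        no_ops = [b for b in names if b in before]
    elif operation == "REMOVE":
        no_ops = [b for b in names if b not in before]
    else:
        no_ops = []
    return {"request": request, "before": before, "after": after, "no_ops": no_ops}


def cli_s3_argument(request):
    """Render the value for the CLI's --s3 option (Linux/macOS single-quoting)."""
    return "'" + json.dumps(request["s3"], separators=(",", ":")) + "'"


if __name__ == "__main__":
    plan = plan_update(CURRENT_SCOPE, "ADD", ["amzn-s3-demo-bucket2"])
    print("before:", plan["before"])
    print("after: ", plan["after"])
    print("aws macie2 update-classification-scope --id", plan["request"]["id"],
          "--s3", cli_s3_argument(plan["request"]))
    # Assumption: sending it would be
    # boto3.client("macie2").update_classification_scope(**plan["request"])
```

The preview is the point: run the plan, compare `before` and `after` against what you expect, and only then issue the CLI command or the API call. Because REPLACE is modelled literally, a plan that shrinks the list shows exactly which buckets would come back into scope.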
A managed data identifier is a set of built-in criteria
and techniques that are designed to detect a specific type of sensitive data—for example,
credit card numbers, AWS secret access keys, or passport numbers for a particular country or
region. By default, Amazon Macie analyzes S3 objects by using the set of managed data identifiers
that we recommend for automated sensitive data discovery. To review a list of these identifiers, see Default settings for automated sensitive data discovery.
You can tailor the analyses to focus on specific types of sensitive data:
- Add managed data identifiers for the types of sensitive data that you want Macie to detect and report, and
- Remove managed data identifiers for the types of sensitive data that you don't want Macie to detect and report.
For a complete list of all the managed data identifiers that Macie currently provides and details for each one, see Using managed data identifiers.
If you remove a managed data identifier, your change doesn't affect existing sensitive data discovery statistics
and details for S3 buckets. For example, if you remove the managed data identifier for AWS
secret access keys and Macie previously detected that data in a bucket, Macie continues to
report those detections. However, instead of removing the identifier, which affects subsequent
analyses of all buckets, consider excluding its detections from sensitivity scores for only
particular buckets. For more information, see Adjusting sensitivity scores for S3
buckets.
To add or remove managed data identifiers from automated sensitive data discovery
You can add or remove managed data identifiers by using the Amazon Macie console or the
Amazon Macie API.
- Console
Follow these steps to add or remove a managed data identifier by using the Amazon Macie console.
To add or remove a managed data identifier
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to add or remove a managed data identifier from analyses.
- In the navigation pane, under Settings, choose Automated sensitive data discovery.
  The Automated sensitive data discovery page appears and displays your current settings. On that page, the Managed data identifiers section displays your current settings, organized into two tabs:
  - Added to default – This tab lists managed data identifiers that you added. Macie uses these identifiers in addition to the ones that are in the default set and you haven't removed.
  - Removed from default – This tab lists managed data identifiers that you removed. Macie doesn't use these identifiers.
- In the Managed data identifiers section, choose Edit.
- Do any of the following:
  - To add one or more managed data identifiers, choose the Added to default tab. Then, in the table, select the check box for each managed data identifier to add. If a check box is already selected, you already added that identifier.
  - To remove one or more managed data identifiers, choose the Removed from default tab. Then, in the table, select the check box for each managed data identifier to remove. If a check box is already selected, you already removed that identifier.
  On each tab, the table displays a list of all the managed data identifiers that Macie currently provides. In the table, the first column specifies each managed data identifier's ID. The ID describes the type of sensitive data that an identifier is designed to detect—for example, USA_PASSPORT_NUMBER for US passport numbers. To find specific managed data identifiers more easily, enter search criteria in the search box above the table. You can also sort the table by choosing a column heading.
- When you finish, choose Save.
- API
To add or remove a managed data identifier programmatically, use the Amazon Macie API to update the sensitivity inspection template for your account. The template stores settings that specify which managed data identifiers to use (include) in addition to the ones in the default set. They also specify managed data identifiers to not use (exclude). The settings also specify any custom data identifiers and allow lists that you want Macie to use.
When you update the template, you overwrite its current settings. Therefore, it's a good idea to start by retrieving your current settings and determining which ones you want to keep. To retrieve your current settings, use the GetSensitivityInspectionTemplate operation. If you're using the AWS Command Line Interface (AWS CLI), run the get-sensitivity-inspection-template command to retrieve the settings.
To retrieve or update the template, you have to specify its unique identifier (id). You can get this identifier by using the GetAutomatedDiscoveryConfiguration operation. This operation retrieves your current configuration settings for automated sensitive data discovery, including the unique identifier for the sensitivity inspection template for your account in the current AWS Region. If you're using the AWS CLI, run the get-automated-discovery-configuration command to retrieve this information.
When you're ready to update the template, use the UpdateSensitivityInspectionTemplate operation or, if you're using the AWS CLI, run the update-sensitivity-inspection-template command. In your request, use the appropriate parameters to add or remove one or more managed data identifiers from subsequent analyses:
- To start using a managed data identifier, specify its ID for the managedDataIdentifierIds parameter of the includes parameter.
- To stop using a managed data identifier, specify its ID for the managedDataIdentifierIds parameter of the excludes parameter.
- To restore the default settings, don't specify any IDs for the includes and excludes parameters. Macie then starts using only the managed data identifiers that are in the default set.
In addition to the parameters for managed data identifiers, use the appropriate includes parameters to specify any custom data identifiers (customDataIdentifierIds) and allow lists (allowListIds) that you want Macie to use. Also specify the Region that your request applies to. If your request succeeds, Macie updates the template and returns an empty response.
The following examples show how to use the AWS CLI to update the sensitivity inspection template for an account. The examples add one managed data identifier and remove another from subsequent analyses. They also maintain current settings that specify two custom data identifiers to use.
This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws macie2 update-sensitivity-inspection-template \
--id fd7b6d71c8006fcd6391e6eedexample \
--excludes '{"managedDataIdentifierIds":["UK_ELECTORAL_ROLL_NUMBER"]}' \
--includes '{"managedDataIdentifierIds":["STRIPE_CREDENTIALS"],"customDataIdentifierIds":["3293a69d-4a1e-4a07-8715-208ddexample","6fad0fb5-3e82-4270-bede-469f2example"]}'
This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.
C:\> aws macie2 update-sensitivity-inspection-template ^
--id fd7b6d71c8006fcd6391e6eedexample ^
--excludes={\"managedDataIdentifierIds\":[\"UK_ELECTORAL_ROLL_NUMBER\"]} ^
--includes={\"managedDataIdentifierIds\":[\"STRIPE_CREDENTIALS\"],\"customDataIdentifierIds\":[\"3293a69d-4a1e-4a07-8715-208ddexample\",\"6fad0fb5-3e82-4270-bede-469f2example\"]}
Where:
- fd7b6d71c8006fcd6391e6eedexample is the unique identifier for the sensitivity inspection template to update.
- UK_ELECTORAL_ROLL_NUMBER is the ID for the managed data identifier to stop using (exclude).
- STRIPE_CREDENTIALS is the ID for the managed data identifier to start using (include).
- 3293a69d-4a1e-4a07-8715-208ddexample and 6fad0fb5-3e82-4270-bede-469f2example are the unique identifiers for the custom data identifiers to use.
A custom data identifier is a set of criteria that you define to
detect sensitive data. The criteria consist of a regular expression (regex) that defines a text pattern to match and, optionally, character sequences
and a proximity rule that refine the results. To learn more, see Building custom data
identifiers.
By default, Amazon Macie doesn't use custom data identifiers when it performs automated sensitive data discovery. If
you want Macie to use specific custom data identifiers, you can add them to subsequent analyses.
Macie then uses the custom data identifiers in addition to any managed data identifiers that you
configure Macie to use.
If you add a custom data identifier, you can later remove it. Your change doesn't affect
existing sensitive data discovery statistics and details for S3 buckets. That is to say, if you remove a custom data
identifier that previously produced detections for a bucket, Macie continues to report those
detections. However, instead of removing the identifier, which affects subsequent analyses of
all buckets, consider excluding its detections from sensitivity scores for only particular
buckets. For more information, see Adjusting sensitivity scores for S3
buckets.
To add or remove custom data identifiers from automated sensitive data discovery
You can add or remove custom data identifiers by using the Amazon Macie console or the
Amazon Macie API.
- Console
Follow these steps to add or remove a custom data identifier by using the Amazon Macie console.
To add or remove a custom data identifier
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to add or remove a custom data identifier from analyses.
- In the navigation pane, under Settings, choose Automated sensitive data discovery.
  The Automated sensitive data discovery page appears and displays your current settings. On that page, the Custom data identifiers section lists custom data identifiers that you already added, or it indicates that you haven't added any custom data identifiers.
- In the Custom data identifiers section, choose Edit.
- Do any of the following:
  - To add one or more custom data identifiers, select the check box for each custom data identifier to add. If a check box is already selected, you already added that identifier.
  - To remove one or more custom data identifiers, clear the check box for each custom data identifier to remove. If a check box is already cleared, Macie doesn't currently use that identifier.
  To review or test the settings for a custom data identifier before you add or remove it, choose the link icon next to the identifier's name. Macie opens a page that displays the identifier's settings. To also test the identifier with sample data, enter up to 1,000 characters of text in the Sample data box on that page. Then choose Test. Macie evaluates the sample data and reports the number of matches.
- When you finish, choose Save.
- API
To add or remove a custom data identifier programmatically, use the Amazon Macie API to update the sensitivity inspection template for your account. The template stores settings that specify which custom data identifiers you want Macie to use when performing automated sensitive data discovery. The settings also specify which managed data identifiers and allow lists to use.
When you update the template, you overwrite its current settings. Therefore, it's a good idea to start by retrieving your current settings and determining which ones you want to keep. To retrieve your current settings, use the GetSensitivityInspectionTemplate operation. If you're using the AWS Command Line Interface (AWS CLI), run the get-sensitivity-inspection-template command to retrieve the settings.
To retrieve or update the template, you have to specify its unique identifier (id). You can get this identifier by using the GetAutomatedDiscoveryConfiguration operation. This operation retrieves your current configuration settings for automated sensitive data discovery, including the unique identifier for the sensitivity inspection template for your account in the current AWS Region. If you're using the AWS CLI, run the get-automated-discovery-configuration command to retrieve this information.
When you're ready to update the template, use the UpdateSensitivityInspectionTemplate operation or, if you're using the AWS CLI, run the update-sensitivity-inspection-template command. In your request, use the customDataIdentifierIds parameter to add or remove one or more custom data identifiers from subsequent analyses:
- To start using a custom data identifier, specify its unique identifier for the parameter.
- To stop using a custom data identifier, omit its unique identifier from the parameter.
Use additional parameters to specify which managed data identifiers and allow lists you want Macie to use. Also specify the Region that your request applies to. If your request succeeds, Macie updates the template and returns an empty response.
The following examples show how to use the AWS CLI to update the sensitivity inspection template for an account. The examples add two custom data identifiers to subsequent analyses. They also maintain current settings that specify which managed data identifiers and allow lists to use: use the default set of managed data identifiers and one allow list.
This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws macie2 update-sensitivity-inspection-template \
--id fd7b6d71c8006fcd6391e6eedexample \
--includes '{"allowListIds":["nkr81bmtu2542yyexample"],"customDataIdentifierIds":["3293a69d-4a1e-4a07-8715-208ddexample","6fad0fb5-3e82-4270-bede-469f2example"]}'
This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.
C:\> aws macie2 update-sensitivity-inspection-template ^
--id fd7b6d71c8006fcd6391e6eedexample ^
--includes={\"allowListIds\":[\"nkr81bmtu2542yyexample\"],\"customDataIdentifierIds\":[\"3293a69d-4a1e-4a07-8715-208ddexample\",\"6fad0fb5-3e82-4270-bede-469f2example\"]}
Where:
- fd7b6d71c8006fcd6391e6eedexample is the unique identifier for the sensitivity inspection template to update.
- nkr81bmtu2542yyexample is the unique identifier for the allow list to use.
- 3293a69d-4a1e-4a07-8715-208ddexample and 6fad0fb5-3e82-4270-bede-469f2example are the unique identifiers for the custom data identifiers to use.
In Amazon Macie, an allow list defines specific text or a text pattern that you want Macie to
ignore when it inspects S3 objects for sensitive data. If text matches an entry or pattern in an
allow list, Macie doesn’t report the text. This is the case even if the text matches the
criteria of a managed or custom data identifier. To learn more, see Defining sensitive data exceptions with allow
lists.
By default, Macie doesn't use allow lists when it performs automated sensitive data discovery. If you want Macie to
use specific allow lists, you can add them to subsequent analyses. If you add an allow list, you
can later remove it.
To add or remove allow lists from automated sensitive data discovery
You can add or remove allow lists by using the Amazon Macie console or the Amazon Macie
API.
- Console
Follow these steps to add or remove an allow list by using the Amazon Macie console.
To add or remove an allow list
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to add or remove an allow list from analyses.
- In the navigation pane, under Settings, choose Automated sensitive data discovery.
  The Automated sensitive data discovery page appears and displays your current settings. On that page, the Allow lists section specifies allow lists that you already added, or it indicates that you haven't added any allow lists.
- In the Allow lists section, choose Edit.
- Do any of the following:
  - To add one or more allow lists, select the check box for each allow list to add. If a check box is already selected, you already added that list.
  - To remove one or more allow lists, clear the check box for each allow list to remove. If a check box is already cleared, Macie doesn't currently use that list.
  To review the settings for an allow list before you add or remove it, choose the link icon next to the list's name. Macie opens a page that displays the list's settings. If the list specifies a regular expression (regex), you can also use this page to test the regex with sample data. To do this, enter up to 1,000 characters of text in the Sample data box, and then choose Test. Macie evaluates the sample data and reports the number of matches.
- When you finish, choose Save.
- API
To add or remove an allow list programmatically, use the Amazon Macie API to update the sensitivity inspection template for your account. The template stores settings that specify which allow lists you want Macie to use when performing automated sensitive data discovery. The settings also specify which managed data identifiers and custom data identifiers to use.
When you update the template, you overwrite its current settings. Therefore, it's a good idea to start by retrieving your current settings and determining which ones you want to keep. To retrieve your current settings, use the GetSensitivityInspectionTemplate operation. If you're using the AWS Command Line Interface (AWS CLI), run the get-sensitivity-inspection-template command to retrieve the settings.
To retrieve or update the template, you have to specify its unique identifier (id). You can get this identifier by using the GetAutomatedDiscoveryConfiguration operation. This operation retrieves your current configuration settings for automated sensitive data discovery, including the unique identifier for the sensitivity inspection template for your account in the current AWS Region. If you're using the AWS CLI, run the get-automated-discovery-configuration command to retrieve this information.
When you're ready to update the template, use the UpdateSensitivityInspectionTemplate operation or, if you're using the AWS CLI, run the update-sensitivity-inspection-template command. In your request, use the allowListIds parameter to add or remove one or more allow lists from subsequent analyses:
- To start using an allow list, specify its unique identifier for the parameter.
- To stop using an allow list, omit its unique identifier from the parameter.
Use additional parameters to specify which managed data identifiers and custom data identifiers you want Macie to use. Also specify the Region that your request applies to. If your request succeeds, Macie updates the template and returns an empty response.
The following examples show how to use the AWS CLI to update the sensitivity inspection template for an account. The examples add an allow list to subsequent analyses. They also maintain current settings that specify which managed data identifiers and custom data identifiers to use: use the default set of managed data identifiers and two custom data identifiers.
This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.
$ aws macie2 update-sensitivity-inspection-template \
--id fd7b6d71c8006fcd6391e6eedexample \
--includes '{"allowListIds":["nkr81bmtu2542yyexample"],"customDataIdentifierIds":["3293a69d-4a1e-4a07-8715-208ddexample","6fad0fb5-3e82-4270-bede-469f2example"]}'
This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.
C:\> aws macie2 update-sensitivity-inspection-template ^
--id fd7b6d71c8006fcd6391e6eedexample ^
--includes={\"allowListIds\":[\"nkr81bmtu2542yyexample\"],\"customDataIdentifierIds\":[\"3293a69d-4a1e-4a07-8715-208ddexample\",\"6fad0fb5-3e82-4270-bede-469f2example\"]}
Where:
- fd7b6d71c8006fcd6391e6eedexample is the unique identifier for the sensitivity inspection template to update.
- nkr81bmtu2542yyexample is the unique identifier for the allow list to use.
- 3293a69d-4a1e-4a07-8715-208ddexample and 6fad0fb5-3e82-4270-bede-469f2example are the unique identifiers for the custom data identifiers to use.
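The managed data identifier, custom data identifier and allow list sections above all make the same point: UpdateSensitivityInspectionTemplate overwrites the whole template, so a request that names only the change you have in mind silently drops the custom identifiers and allow lists you did not repeat, and a managed identifier left in both includes and excludes is a contradictory request. The following Python is an added example, not Macie's own code and not part of the AWS documentation, that serves all three sections: starting from the current template (constructed sample data in the shape of a get-sensitivity-inspection-template response; the sensitivityInspectionTemplateId field name is an assumption) it merges the requested additions and removals into a complete request, shows a diff for review, and renders the --includes and --excludes values for the CLI. The boto3 call in the trailing comment is likewise an assumption about how the result would be sent.

```python
"""Merge changes into a sensitivity inspection template before overwriting it.

Added example; not Macie's own code. The update replaces the template, so every
setting you want to keep has to be repeated. This builds the full request from the
current template plus the changes you name, and nothing else changes. CURRENT_TEMPLATE
is constructed sample data (assumption: shape of a get-sensitivity-inspection-template
response, including the sensitivityInspectionTemplateId field name).
"""
import json

# Constructed sample: default managed set, two custom identifiers, one allow list.
CURRENT_TEMPLATE = {
    "sensitivityInspectionTemplateId": "fd7b6d71c8006fcd6391e6eedexample",
    "includes": {
        "allowListIds": ["nkr81bmtu2542yyexample"],
        "customDataIdentifierIds": [
            "3293a69d-4a1e-4a07-8715-208ddexample",
            "6fad0fb5-3e82-4270-bede-469f2example",
        ],
        "managedDataIdentifierIds": [],
    },
    "excludes": {"managedDataIdentifierIds": []},
}

# Every list the template carries, in the order the diff reports them.
_FIELDS = (
    ("includes", "managedDataIdentifierIds"),
    ("excludes", "managedDataIdentifierIds"),
    ("includes", "customDataIdentifierIds"),
    ("includes", "allowListIds"),
)


def _ids(template, section, key):
    return list(template.get(section, {}).get(key, []))


def _merge(current, add, remove):
    """Ordered set update: drop `remove`, keep the rest, append new entries of `add`."""
    kept = [x for x in current if x not in remove]
    return kept + [x for x in add if x not in kept]


def plan_template_update(template, add_managed=(), remove_managed=(),
                         add_custom=(), remove_custom=(),
                         add_allow=(), remove_allow=(),
                         restore_managed_defaults=False):
    """Return kwargs for UpdateSensitivityInspectionTemplate that preserve every
    setting not named in the arguments."""
    clash = set(add_managed) & set(remove_managed)
    if clash:
        raise ValueError(f"managed data identifiers both added and removed: {sorted(clash)}")
    if restore_managed_defaults:
        inc_managed, exc_managed = [], []  # no IDs in either list = default set only
    else:
        # An ID moved into one managed list must leave the other; otherwise the
        # request would both include and exclude the same identifier.
        inc_managed = _merge(_ids(template, "includes", "managedDataIdentifierIds"), add_managed, remove_managed)
        exc_managed = _merge(_ids(template, "excludes", "managedDataIdentifierIds"), remove_managed, add_managed)
    return {
        "id": template["sensitivityInspectionTemplateId"],
        "includes": {
            # Custom identifiers and allow lists are used only while listed here.
            "allowListIds": _merge(_ids(template, "includes", "allowListIds"), add_allow, remove_allow),
            "customDataIdentifierIds": _merge(_ids(template, "includes", "customDataIdentifierIds"), add_custom, remove_custom),
            "managedDataIdentifierIds": inc_managed,
        },
        "excludes": {"managedDataIdentifierIds": exc_managed},
    }


def describe_change(template, request):
    """Readable diff between the stored template and the request, for review."""
    lines = []
    for section, key in _FIELDS:
        before, after = set(_ids(template, section, key)), set(request[section][key])
        lines += [f"+ {section}.{key}: {x}" for x in sorted(after - before)]
        lines += [f"- {section}.{key}: {x}" for x in sorted(before - after)]
    return lines


def cli_arguments(request):
    """--id/--includes/--excludes for the AWS CLI (Linux/macOS single-quoting)."""
    inc = json.dumps(request["includes"], separators=(",", ":"))
    exc = json.dumps(request["excludes"], separators=(",", ":"))
    return f"--id {request['id']} --includes '{inc}' --excludes '{exc}'"


if __name__ == "__main__":
    req = plan_template_update(CURRENT_TEMPLATE,
                               add_managed=["STRIPE_CREDENTIALS"],
                               remove_managed=["UK_ELECTORAL_ROLL_NUMBER"])
    print("\n".join(describe_change(CURRENT_TEMPLATE, req)))
    print("aws macie2 update-sensitivity-inspection-template", cli_arguments(req))
    # Assumption: sending it would be
    # boto3.client("macie2").update_sensitivity_inspection_template(**req)
```

Run the diff before every update: if it lists a `-` line you did not ask for, the template you started from is stale and the overwrite would drop a setting. The same function covers the custom identifier and allow list changes from the sections above by way of the add_custom, remove_custom, add_allow and remove_allow arguments.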