To enable automated sensitive data discovery programmatically, you have several options. The available options and details vary depending on the type of account that you have.
If you're a Macie administrator, use the UpdateAutomatedDiscoveryConfiguration operation or run the update-automated-discovery-configuration command to enable automated sensitive data discovery for your account or organization. In your request, specify ENABLED for the status parameter. For the autoEnableOrganizationMembers parameter, specify the accounts to enable it for. If you're using the AWS CLI, specify the accounts by using the auto-enable-organization-members parameter. Valid values are:
- ALL (default) – Enable it for all the accounts in your organization. This includes your administrator account, existing member accounts, and accounts that subsequently join your organization.
- NEW – Enable it for your administrator account. Also enable it automatically for accounts that subsequently join your organization. If you previously enabled automated discovery for your organization and you specify this value, automated discovery continues to be enabled for existing member accounts that it's currently enabled for.
- NONE – Enable it for only your administrator account. Don't enable it automatically for accounts that subsequently join your organization. If you previously enabled automated discovery for your organization and you specify this value, automated discovery continues to be enabled for existing member accounts that it's currently enabled for.
If you want to selectively enable automated sensitive data discovery for only particular member accounts, specify NEW or NONE. You can then use the BatchUpdateAutomatedDiscoveryAccounts operation or run the batch-update-automated-discovery-accounts command to enable automated discovery for those accounts.
If you have a standalone Macie account, use the UpdateAutomatedDiscoveryConfiguration operation or run the update-automated-discovery-configuration command to enable automated sensitive data discovery for your account. In your request, specify ENABLED for the status parameter. For the autoEnableOrganizationMembers parameter, consider whether you plan to become the Macie administrator for other accounts, and specify the appropriate value. If you specify NONE, automated discovery isn't enabled automatically for an account when you become the Macie administrator for the account. If you specify ALL or NEW, automated discovery is enabled automatically for the account. If you're using the AWS CLI, use the auto-enable-organization-members parameter to specify the appropriate value for this setting.
The following examples show how to use the AWS CLI to enable automated sensitive data discovery for one or more accounts in an organization. This first example enables automated discovery for all the accounts in an organization for the first time. It enables automated discovery for the Macie administrator account, all existing member accounts, and any accounts that subsequently join the organization.

$ aws macie2 update-automated-discovery-configuration --status ENABLED --auto-enable-organization-members ALL --region us-east-1

Where us-east-1 is the Region in which to enable automated sensitive data discovery for the accounts, the US East (N. Virginia) Region. If the request succeeds, Macie enables automated discovery for the accounts and returns an empty response.
The next example changes the member enablement setting for an organization to NONE. With this change, automated sensitive data discovery isn't enabled automatically for accounts that subsequently join the organization. Instead, it's enabled only for the Macie administrator account and any existing member accounts that it's currently enabled for.

$ aws macie2 update-automated-discovery-configuration --status ENABLED --auto-enable-organization-members NONE --region us-east-1

Where us-east-1 is the Region in which to change the setting, the US East (N. Virginia) Region. If the request succeeds, Macie updates the setting and returns an empty response.
The following examples enable automated sensitive data discovery for two member accounts in an organization. The Macie administrator has already enabled automated discovery for the organization. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws macie2 batch-update-automated-discovery-accounts \
    --region us-east-1 \
    --accounts '[{"accountId":"123456789012","status":"ENABLED"},{"accountId":"111122223333","status":"ENABLED"}]'

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

C:\> aws macie2 batch-update-automated-discovery-accounts ^
    --region us-east-1 ^
    --accounts=[{\"accountId\":\"123456789012\",\"status\":\"ENABLED\"},{\"accountId\":\"111122223333\",\"status\":\"ENABLED\"}]
Where:
- us-east-1 is the Region in which to enable automated sensitive data discovery for the specified accounts, the US East (N. Virginia) Region.
- 123456789012 and 111122223333 are the account IDs for the accounts to enable automated sensitive data discovery for.
If the request succeeds for all specified accounts, Macie returns an empty errors array. If the request fails for some accounts, the array specifies the error that occurred for each affected account. For example:

"errors": [
    {
        "accountId": "123456789012",
        "errorCode": "ACCOUNT_PAUSED"
    }
]

In the preceding response, the request failed for the specified account (123456789012) because Macie is currently suspended for the account. To address this error, the Macie administrator must first enable Macie for the account. If the request fails for all accounts, you receive a message that describes the error that occurred.
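The following Python is an added example, not code from the AWS documentation or the Macie SDK. It builds the accounts payload that batch-update-automated-discovery-accounts expects (validating 12-digit account IDs before the call) and triages the errors array from the response, so a partial failure such as ACCOUNT_PAUSED is surfaced per account rather than treated as overall success. The REMEDIATION mapping and the helper names are the example's own; the actual API call is left to the CLI or SDK.

```python
"""Helpers around BatchUpdateAutomatedDiscoveryAccounts (added example)."""
import json
import re

# AWS account IDs are exactly 12 digits; reject anything else before calling the API.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Remediation hints keyed by errorCode. ACCOUNT_PAUSED is the code documented for
# a suspended account; the mapping itself is an assumption of this example.
REMEDIATION = {
    "ACCOUNT_PAUSED": "Macie is suspended for this account; the administrator must enable Macie first.",
}


def build_accounts(account_ids, status="ENABLED"):
    """Validate IDs and return the list the accounts parameter expects."""
    # ENABLED is the value the page uses; DISABLED is the other value the status accepts.
    if status not in ("ENABLED", "DISABLED"):
        raise ValueError(f"unsupported status: {status}")
    bad = [a for a in account_ids if not ACCOUNT_ID_RE.match(a)]
    if bad:
        raise ValueError(f"invalid AWS account IDs: {bad}")
    return [{"accountId": a, "status": status} for a in account_ids]


def accounts_cli_arg(account_ids, status="ENABLED"):
    """Serialize the payload as the JSON string passed to --accounts on Linux/macOS."""
    return json.dumps(build_accounts(account_ids, status), separators=(",", ":"))


def triage_errors(requested_ids, response):
    """Split a response into accounts that were updated and accounts that failed.

    An empty errors array means every requested account succeeded; otherwise each
    entry names one account and its errorCode, which we pair with a remediation hint.
    """
    failed = {}
    for err in response.get("errors", []):
        code = err.get("errorCode", "UNKNOWN")
        failed[err["accountId"]] = {
            "errorCode": code,
            "action": REMEDIATION.get(code, "consult the Macie API reference for this code"),
        }
    succeeded = [a for a in requested_ids if a not in failed]
    return {"succeeded": succeeded, "failed": failed}


if __name__ == "__main__":
    # Constructed sample response mirroring the page's ACCOUNT_PAUSED example.
    sample = {"errors": [{"accountId": "123456789012", "errorCode": "ACCOUNT_PAUSED"}]}
    ids = ["123456789012", "111122223333"]
    print(accounts_cli_arg(ids))
    print(json.dumps(triage_errors(ids, sample), indent=2))
```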