Automated Sensitive Data Discovery - Accounts - Amazon Macie

Automated Sensitive Data Discovery - Accounts

The Accounts resource for automated sensitive data discovery provides access to the status of automated sensitive data discovery for accounts that are centrally managed as an organization in Amazon Macie. If you're the Macie administrator for an organization, you can use this resource to check or change the status of automated sensitive data discovery for individual accounts in your organization. If you have a member account, you can use this resource to check the status of automated sensitive data discovery for your account. Contact your Macie administrator if you want to change the status.

If you're a Macie administrator, start by enabling automated sensitive data discovery for your organization. To enable it for your organization, use the Configuration resource for automated sensitive data discovery. By using that resource, you can also enable it automatically for all existing accounts and new member accounts, only new member accounts, or no accounts. After you enable it for your organization, you can manage the status of automated sensitive data discovery for individual accounts in your organization.

If automated sensitive data discovery is enabled for an account in an organization, Macie analyzes the account's Amazon Simple Storage Service (Amazon S3) data by using the configuration settings specified by the Macie administrator account for the organization:

  • Classification scope - This specifies S3 buckets to exclude from the analyses. To exclude particular buckets that an account owns, add the buckets to the classification scope for the administrator account.

  • Sensitivity inspection template - This specifies which allow lists, custom data identifiers, and managed data identifiers to use when analyzing data. To customize the analyses, update the sensitivity inspection template for the administrator account.

As the analyses progress, Macie produces records of the sensitive data that it finds and the analysis that it performs: sensitive data findings, which report sensitive data that Macie finds in individual S3 objects, and sensitive data discovery results, which log details about the analysis of individual S3 objects. Macie also updates statistics, inventory data, and other information that it provides about Amazon S3 data. For more information, see Performing automated sensitive data discovery in the Amazon Macie User Guide.

As a Macie administrator, you can disable automated sensitive data discovery for an account at any time. If you disable it, Macie stops analyzing the account's Amazon S3 data. Instead of disabling it for an account completely, consider excluding only particular S3 buckets that the account owns. If you exclude a bucket, existing sensitive data discovery statistics and details for the bucket persist. For example, the bucket's current sensitivity score remains unchanged. However, Macie skips the bucket when it subsequently performs automated sensitive data discovery for the account. If you exclude a bucket, you can include it again later. To exclude or include a bucket, update the classification scope for your administrator account.


URI

/automated-discovery/accounts

HTTP methods

GET

Operation ID: ListAutomatedDiscoveryAccounts

Retrieves the status of automated sensitive data discovery for one or more accounts.

Query parameters
Name | Type | Required | Description

nextToken | String | False

The nextToken string that specifies which page of results to return in a paginated response.

accountIds | String | False

The AWS account ID for each account, for as many as 50 accounts. To retrieve the status for multiple accounts, append the accountIds parameter and argument for each account, separated by an ampersand (&). To retrieve the status for all the accounts in an organization, omit this parameter.

maxResults | String | False

The maximum number of items to include in each page of a paginated response.

Responses
Status code | Response model | Description

200 | ListAutomatedDiscoveryAccountsResponse

The request succeeded.

400 | ValidationException

The request failed because the input doesn't satisfy the constraints specified by the service.

403 | AccessDeniedException

The request was denied because you don't have sufficient access to the specified resource.

404 | ResourceNotFoundException

The request failed because the specified resource wasn't found.

429 | ThrottlingException

The request failed because you sent too many requests during a certain amount of time.

500 | InternalServerException

The request failed due to an unknown internal server error, exception, or failure.

PATCH

Operation ID: BatchUpdateAutomatedDiscoveryAccounts

Changes the status of automated sensitive data discovery for one or more accounts.

Responses
Status code | Response model | Description

200 | BatchUpdateAutomatedDiscoveryAccountsResponse

The request succeeded. However, the update might have failed for one or more accounts; check the errors array in the response body for those accounts.

400 | ValidationException

The request failed because the input doesn't satisfy the constraints specified by the service.

403 | AccessDeniedException

The request was denied because you don't have sufficient access to the specified resource.

409 | ConflictException

The request failed because it conflicts with the current state of the specified resource.

429 | ThrottlingException

The request failed because you sent too many requests during a certain amount of time.

500 | InternalServerException

The request failed due to an unknown internal server error, exception, or failure.
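
The two operations above are normally driven together from the Macie administrator account: page through ListAutomatedDiscoveryAccounts (at most 50 account IDs per request, following nextToken until it is absent), then send BatchUpdateAutomatedDiscoveryAccounts only for accounts whose status differs, and treat a 200 response as a partial result until the errors array has been read. The following Python module is an added example written for this page, not Amazon's code. The functions list_discovery_status, set_discovery_status and reconcile are assumed names; they accept any client object that exposes list_automated_discovery_accounts() and batch_update_automated_discovery_accounts() with the request and response shapes documented here, which is what boto3.client("macie2") provides. FakeMacieClient is a constructed, offline stand-in with fictitious account IDs so the module runs without AWS access; how the real service treats unknown IDs in the list call is not stated on this page, and the fake's choice to skip them is an assumption.

```python
"""Check and reconcile automated sensitive data discovery status for Macie member accounts.

Added example, not part of the Amazon Macie API reference. Pass boto3.client("macie2")
(administrator-account credentials) as `client` for real use; FakeMacieClient below is a
constructed offline stand-in with made-up account IDs."""

MAX_ACCOUNT_IDS_PER_REQUEST = 50           # documented ceiling for the accountIds parameter
ENABLED, DISABLED = "ENABLED", "DISABLED"  # AutomatedDiscoveryAccountStatus values


def _chunks(items, size):
    items = list(items)
    for i in range(0, len(items), size):
        yield items[i:i + size]


def list_discovery_status(client, account_ids=None, page_size=25):
    """Yield (accountId, status) pairs. account_ids=None lists the whole organization
    (accountIds omitted); otherwise IDs go out at most 50 per request. Every page is
    followed until the response carries no nextToken."""
    batches = [None] if account_ids is None else list(_chunks(account_ids, MAX_ACCOUNT_IDS_PER_REQUEST))
    for batch in batches:
        token = None
        while True:
            kwargs = {"maxResults": page_size}
            if batch is not None:
                kwargs["accountIds"] = batch
            if token:
                kwargs["nextToken"] = token
            resp = client.list_automated_discovery_accounts(**kwargs)
            for item in resp.get("items") or []:
                yield item["accountId"], item["status"]
            token = resp.get("nextToken")
            if not token:
                break


def set_discovery_status(client, account_ids, status):
    """Request `status` for each account. Returns {accountId: errorCode} for accounts that
    were NOT changed: a 200 response can still carry per-account errors (ACCOUNT_NOT_FOUND,
    ACCOUNT_PAUSED), so the errors array is always inspected."""
    failures = {}
    for batch in _chunks(account_ids, MAX_ACCOUNT_IDS_PER_REQUEST):
        resp = client.batch_update_automated_discovery_accounts(
            accounts=[{"accountId": acct, "status": status} for acct in batch])
        for err in resp.get("errors") or []:   # absent/null when every update succeeded
            failures[err["accountId"]] = err["errorCode"]
    return failures


def reconcile(client, desired):
    """desired: {accountId: ENABLED|DISABLED}. Reads current status first and updates only
    accounts that differ. Returns (sorted changed IDs, {accountId: errorCode})."""
    current = dict(list_discovery_status(client, desired.keys()))
    wanted = {}
    for acct, status in desired.items():
        if current.get(acct) != status:
            wanted.setdefault(status, []).append(acct)
    changed, failures = [], {}
    for status, ids in wanted.items():
        errs = set_discovery_status(client, ids, status)
        failures.update(errs)
        changed.extend(a for a in ids if a not in errs)
    return sorted(changed), failures


class FakeMacieClient:
    """Constructed stand-in (not boto3) reproducing the documented contract: nextToken paging,
    the 50-ID limit, and per-account errors from the batch update. Skipping unknown IDs in
    the list call is an assumption of this fake, not documented behaviour."""

    def __init__(self, accounts, paused=()):
        self.accounts = dict(accounts)   # accountId -> current status
        self.paused = set(paused)        # Macie not enabled in this Region -> ACCOUNT_PAUSED
        self.calls = []                  # operation log, for checking request counts

    def list_automated_discovery_accounts(self, maxResults=50, accountIds=None, nextToken=None):
        self.calls.append("list")
        if accountIds is not None and len(accountIds) > MAX_ACCOUNT_IDS_PER_REQUEST:
            raise ValueError("ValidationException: accountIds accepts at most 50 values")
        ids = sorted(self.accounts) if accountIds is None else [a for a in accountIds if a in self.accounts]
        start = int(nextToken) if nextToken else 0
        page = ids[start:start + maxResults]
        resp = {"items": [{"accountId": a, "status": self.accounts[a]} for a in page]}
        if start + maxResults < len(ids):
            resp["nextToken"] = str(start + maxResults)
        return resp

    def batch_update_automated_discovery_accounts(self, accounts):
        self.calls.append("update")
        errors = []
        for upd in accounts:
            acct = upd["accountId"]
            if acct not in self.accounts:
                errors.append({"accountId": acct, "errorCode": "ACCOUNT_NOT_FOUND"})
            elif acct in self.paused:
                errors.append({"accountId": acct, "errorCode": "ACCOUNT_PAUSED"})
            else:
                self.accounts[acct] = upd["status"]
        return {"errors": errors} if errors else {}


def demo():
    """Constructed scenario: 120 fictitious member accounts (enough to exercise both the 50-ID
    limit and paging), one paused account, and one ID that is outside the organization."""
    members = {f"{100000000000 + i:012d}": (ENABLED if i % 3 else DISABLED) for i in range(120)}
    client = FakeMacieClient(members, paused={"100000000003"})
    desired = {acct: ENABLED for acct in members}
    desired["999999999999"] = ENABLED   # not a member: expect ACCOUNT_NOT_FOUND
    return reconcile(client, desired), client
```

In the demo, 40 of the 120 accounts start DISABLED; reconcile issues five list requests (three ID batches, the two full ones paged at 25 items) and a single batch update, enables 39 accounts, and reports the paused account as ACCOUNT_PAUSED and the non-member ID as ACCOUNT_NOT_FOUND. The same flow works against the real service by replacing FakeMacieClient with boto3.client("macie2"); the read-before-write step keeps the update batch small and makes a dry run (print wanted before calling set_discovery_status) trivial.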

Schemas

Request bodies

BatchUpdateAutomatedDiscoveryAccountsRequest: { "accounts": [ { "accountId": "string", "status": enum } ] }

Response bodies

ListAutomatedDiscoveryAccountsResponse: { "items": [ { "accountId": "string", "status": enum } ], "nextToken": "string" }

BatchUpdateAutomatedDiscoveryAccountsResponse: { "errors": [ { "accountId": "string", "errorCode": enum } ] }

AccessDeniedException, ConflictException, InternalServerException, ResourceNotFoundException, ThrottlingException, ValidationException (all share the same shape): { "message": "string" }

Properties

AccessDeniedException

Provides information about an error that occurred due to insufficient access to a specified resource.

Property | Type | Required | Description

message | string | False

The explanation of the error that occurred.

AutomatedDiscoveryAccount

Provides information about the status of automated sensitive data discovery for an Amazon Macie account.

Property | Type | Required | Description

accountId | string | False

The AWS account ID for the account.

status | AutomatedDiscoveryAccountStatus | False

The current status of automated sensitive data discovery for the account. Possible values are ENABLED (perform automated sensitive data discovery activities for the account) and DISABLED (don't perform automated sensitive data discovery activities for the account).

AutomatedDiscoveryAccountStatus

The status of automated sensitive data discovery for an Amazon Macie account. Valid values are:

  • ENABLED

  • DISABLED

AutomatedDiscoveryAccountUpdate

Changes the status of automated sensitive data discovery for an Amazon Macie account.

Property | Type | Required | Description

accountId | string | False

The AWS account ID for the account.

status | AutomatedDiscoveryAccountStatus | False

The new status of automated sensitive data discovery for the account. Valid values are ENABLED (perform automated sensitive data discovery activities for the account) and DISABLED (don't perform automated sensitive data discovery activities for the account).

AutomatedDiscoveryAccountUpdateError

Provides information about a request that failed to change the status of automated sensitive data discovery for an Amazon Macie account.

Property | Type | Required | Description

accountId | string | False

The AWS account ID for the account that the request applied to.

errorCode | AutomatedDiscoveryAccountUpdateErrorCode | False

The error code for the error that caused the request to fail for the account (accountId). Possible values are ACCOUNT_NOT_FOUND (the account doesn't exist or you're not the Amazon Macie administrator for the account) and ACCOUNT_PAUSED (Macie isn't enabled for the account in the current AWS Region).

AutomatedDiscoveryAccountUpdateErrorCode

The error code that indicates why a request failed to change the status of automated sensitive data discovery for an Amazon Macie account. Possible values are:

  • ACCOUNT_PAUSED

  • ACCOUNT_NOT_FOUND

BatchUpdateAutomatedDiscoveryAccountsRequest

Changes the status of automated sensitive data discovery for one or more Amazon Macie accounts.

Property | Type | Required | Description

accounts | Array of type AutomatedDiscoveryAccountUpdate | False

An array of objects, one for each account to change the status of automated sensitive data discovery for. Each object specifies the AWS account ID for an account and a new status for that account.

BatchUpdateAutomatedDiscoveryAccountsResponse

Provides the results of a request to change the status of automated sensitive data discovery for one or more Amazon Macie accounts.

Property | Type | Required | Description

errors | Array of type AutomatedDiscoveryAccountUpdateError | False

An array of objects, one for each account whose status wasn't changed. Each object identifies the account and explains why the status of automated sensitive data discovery wasn't changed for the account. This value is null if the request succeeded for all specified accounts.

ConflictException

Provides information about an error that occurred due to a versioning conflict for a specified resource.

Property | Type | Required | Description

message | string | False

The explanation of the error that occurred.

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

Property | Type | Required | Description

message | string | False

The explanation of the error that occurred.

ListAutomatedDiscoveryAccountsResponse

Provides information about the status of automated sensitive data discovery for one or more Amazon Macie accounts.

Property | Type | Required | Description

items | Array of type AutomatedDiscoveryAccount | False

An array of objects, one for each account specified in the request. Each object specifies the AWS account ID for an account and the current status of automated sensitive data discovery for that account.

nextToken | string | False

The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

ResourceNotFoundException

Provides information about an error that occurred because a specified resource wasn't found.

Property | Type | Required | Description

message | string | False

The explanation of the error that occurred.

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

Property | Type | Required | Description

message | string | False

The explanation of the error that occurred.

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

Property | Type | Required | Description

message | string | False

The explanation of the error that occurred.

See also

For more information about using this API in one of the language-specific AWS SDKs and references, see the following:

ListAutomatedDiscoveryAccounts

BatchUpdateAutomatedDiscoveryAccounts