Provides information about the permissions settings of the bucket-level access control list (ACL) for an S3 bucket.

Specifies the details of an account to associate with an Amazon Macie administrator account.

Provides information about the account-level permissions settings that apply to an S3 bucket.

Provides information about the delegated Amazon Macie administrator account for an organization in Organizations.

Specifies the criteria for an allow list. The criteria must specify a regular expression (regex) or an S3 object (s3WordsList). It can't specify both.

Provides information about the current status of an allow list, which indicates whether Amazon Macie can access and use the list's criteria.

Provides a subset of information about an allow list.

Provides information about an API operation that an entity invoked for an affected resource.

Provides information about an identity that performed an action on an affected resource by using temporary security credentials. The credentials were obtained using the AssumeRole operation of the Security Token Service (STS) API.

Provides information about the status of automated sensitive data discovery for an Amazon Macie account.

Changes the status of automated sensitive data discovery for an Amazon Macie account.

Provides information about a request that failed to change the status of automated sensitive data discovery for an Amazon Macie account.

Provides information about an Amazon Web Services account and entity that performed an action on an affected resource. The action was performed using the credentials for an Amazon Web Services account other than your own account.

Provides information about an Amazon Web Service that performed an action on an affected resource.

Provides information about a custom data identifier.

Provides information about the block public access settings for an S3 bucket. These settings can apply to a bucket at the account or bucket level. For detailed information about each setting, see Blocking public access to your Amazon S3 storage in the Amazon Simple Storage Service User Guide.

Provides information about the number of S3 buckets that are publicly accessible due to a combination of permissions settings for each bucket.

Provides information about the number of S3 buckets whose settings do or don't specify default server-side encryption behavior for objects that are added to the buckets. For detailed information about these settings, see Setting default server-side encryption behavior for Amazon S3 buckets in the Amazon Simple Storage Service User Guide.

Provides information about the number of S3 buckets that are or aren't shared with other Amazon Web Services accounts, Amazon CloudFront origin access identities (OAIs), or CloudFront origin access controls (OACs). In this data, an Amazon Macie organization is defined as a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.

Provides information about the number of S3 buckets whose bucket policies do or don't require server-side encryption of objects when objects are added to the buckets.

Specifies the operator to use in a property-based condition that filters the results of a query for information about S3 buckets.

Provides information about the bucket-level permissions settings for an S3 bucket.

Provides statistical data and other information about an S3 bucket that Amazon Macie monitors and analyzes for your account. By default, object count and storage size values include data for object parts that are the result of incomplete multipart uploads. For more information, see How Macie monitors Amazon S3 data security in the Amazon Macie User Guide.

Provides information about the account-level and bucket-level permissions settings for an S3 bucket.

Provides information about the permissions settings of the bucket policy for an S3 bucket.

Provides information about the permissions settings that determine whether an S3 bucket is publicly accessible.

Provides information about the default server-side encryption settings for an S3 bucket. For detailed information about these settings, see Setting default server-side encryption behavior for Amazon S3 buckets in the Amazon Simple Storage Service User Guide.

Specifies criteria for sorting the results of a query for information about S3 buckets.

Provides aggregated statistical data for sensitive data discovery metrics that apply to S3 buckets, grouped by bucket sensitivity score (sensitivityScore). If automated sensitive data discovery is currently disabled for your account, the value for each metric is 0.

Specifies the location of an occurrence of sensitive data in a Microsoft Excel workbook, CSV file, or TSV file.

Provides information about a sensitive data finding and the details of the finding.

Specifies where to store data classification results, and the encryption settings to use when storing results in that location. The location must be an S3 general purpose bucket.

Provides the details of a sensitive data finding, including the types, number of occurrences, and locations of the sensitive data that was detected.

Provides information about the status of a sensitive data finding.

Provides information about the classification scope for an Amazon Macie account. Macie uses the scope's settings when it performs automated sensitive data discovery for the account.

Specifies one or more property- and tag-based conditions that define criteria for including or excluding S3 buckets from a classification job.

Specifies a property- or tag-based condition that defines criteria for including or excluding S3 buckets from a classification job.

Specifies the operator to use in a property-based condition that filters the results of a query for findings. For detailed information and examples of each operator, see Fundamentals of filtering findings in the Amazon Macie User Guide.

Provides information about custom data identifiers that produced a sensitive data finding, and the number of occurrences of the data that they detected for the finding.

Provides information about a custom data identifier.

Provides information about a custom data identifier that produced a sensitive data finding, and the sensitive data that it detected for the finding.

Specifies that a classification job runs once a day, every day. This is an empty object.

Provides information about a type of sensitive data that was detected by a managed data identifier and produced a sensitive data finding.

Specifies 1-10 occurrences of a specific type of sensitive data reported by a finding.

Provides information about a type of sensitive data that Amazon Macie found in an S3 bucket while performing automated sensitive data discovery for an account. The information also specifies the custom or managed data identifier that detected the data. This information is available only if automated sensitive data discovery has been enabled for the account.

Provides information about the domain name of the device that an entity used to perform an action on an affected resource.

Provides information about an identity that performed an action on an affected resource by using temporary security credentials. The credentials were obtained using the GetFederationToken operation of the Security Token Service (STS) API.

Provides the details of a finding.

Provides information about an action that occurred for a resource and produced a policy finding.

Provides information about an entity that performed an action that produced a policy finding for a resource.

Specifies, as a map, one or more property-based conditions that filter the results of a query for findings.

Provides information about a findings filter.

Specifies criteria for sorting the results of a query that retrieves aggregated statistical data about findings.

Provides a group of results for a query that retrieved aggregated statistical data about findings.

Provides information about an Identity and Access Management (IAM) user who performed an action on an affected resource.

Provides information about an Amazon Macie membership invitation.

Provides information about the IP address of the device that an entity used to perform an action on an affected resource.

Provides information about the city that an IP address originated from.

Provides information about the country that an IP address originated from.

Provides geographic coordinates that indicate where a specified IP address originated from.

Provides information about the registered owner of an IP address.

Specifies whether any one-time or recurring classification jobs are configured to analyze objects in an S3 bucket, and, if so, the details of the job that ran most recently.

Specifies the recurrence pattern for running a classification job.

Specifies a property- or tag-based condition that defines criteria for including or excluding S3 objects from a classification job. A JobScopeTerm object can contain only one simpleScopeTerm object or one tagScopeTerm object.

Specifies one or more property- and tag-based conditions that define criteria for including or excluding S3 objects from a classification job.

Provides information about a classification job, including the current status of the job.

Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.

Specifies whether any account- or bucket-level access errors occurred when a classification job ran. For information about using logging data to investigate these errors, see Monitoring sensitive data discovery jobs in the Amazon Macie User Guide.

Specifies criteria for filtering the results of a request for information about classification jobs.

Specifies a condition that filters the results of a request for information about classification jobs. Each condition consists of a property, an operator, and one or more values.

Specifies criteria for sorting the results of a request for information about classification jobs.

Provides information about a managed data identifier. For additional information, see Using managed data identifiers in the Amazon Macie User Guide.

Provides statistical data and other information about an S3 bucket that Amazon Macie monitors and analyzes for your account. By default, object count and storage size values include data for object parts that are the result of incomplete multipart uploads. For more information, see How Macie monitors Amazon S3 data security in the Amazon Macie User Guide.

Provides statistical data and other information about an Amazon Web Services resource that Amazon Macie monitors and analyzes for your account.

Provides information about an account that's associated with an Amazon Macie administrator account.

Specifies a monthly recurrence pattern for running a classification job.

Provides information about the number of objects that are in an S3 bucket and use certain types of server-side encryption, use client-side encryption, or aren't encrypted.

Provides information about the total storage size (in bytes) or number of objects that Amazon Macie can't analyze in one or more S3 buckets. In a BucketMetadata or MatchingBucket object, this data is for a specific bucket. In a GetBucketStatisticsResponse object, this data is aggregated for all the buckets in the query results. If versioning is enabled for a bucket, storage size values are based on the size of the latest version of each applicable object in the bucket.

Specifies the location of 1-15 occurrences of sensitive data that was detected by a managed data identifier or a custom data identifier and produced a sensitive data finding.

Specifies the location of an occurrence of sensitive data in an Adobe Portable Document Format file.

Provides the details of a policy finding.

Specifies the location of an occurrence of sensitive data in an email message or a non-binary text file such as an HTML, TXT, or XML file.

Specifies the location of an occurrence of sensitive data in an Apache Avro object container, Apache Parquet file, JSON file, or JSON Lines file.

Provides information about settings that define whether one or more objects in an S3 bucket are replicated to S3 buckets for other Amazon Web Services accounts and, if so, which accounts.

Provides information about an S3 object that Amazon Macie selected for analysis while performing automated sensitive data discovery for an account, and the status and results of the analysis. This information is available only if automated sensitive data discovery has been enabled for the account.

Provides information about the resources that a finding applies to.

Provides statistical data for sensitive data discovery metrics that apply to an S3 bucket that Amazon Macie monitors and analyzes for an account, if automated sensitive data discovery has been enabled for the account. The data captures the results of automated sensitive data discovery activities that Macie has performed for the bucket.

Provides information about the access method and settings that are used to retrieve occurrences of sensitive data reported by findings.

Specifies the status of the Amazon Macie configuration for retrieving occurrences of sensitive data reported by findings, and the Key Management Service (KMS) key to use to encrypt sensitive data that's retrieved. When you enable the configuration for the first time, your request must specify an KMS key. Otherwise, an error occurs.

Provides information about the S3 bucket that a finding applies to.

Specifies property- and tag-based conditions that define criteria for including or excluding S3 buckets from a classification job. Exclude conditions take precedence over include conditions.

Specifies an Amazon Web Services account that owns S3 buckets for a classification job to analyze, and one or more specific buckets to analyze for that account.

Provides information about the Amazon Web Services account that owns an S3 bucket.

Specifies the S3 buckets that are excluded from automated sensitive data discovery for an Amazon Macie account.

Specifies the names of the S3 buckets that are excluded from automated sensitive data discovery.

Specifies S3 buckets to add or remove from the exclusion list defined by the classification scope for an Amazon Macie account.

Specifies changes to the list of S3 buckets that are excluded from automated sensitive data discovery for an Amazon Macie account.

Specifies an S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket.

Specifies which S3 buckets contain the objects that a classification job analyzes, and the scope of that analysis. The bucket specification can be static (bucketDefinitions) or dynamic (bucketCriteria). If it's static, the job analyzes objects in the same predefined set of buckets each time the job runs. If it's dynamic, the job analyzes objects in any buckets that match the specified criteria each time the job starts to run.

Provides information about the S3 object that a finding applies to.

Provides information about an S3 object that lists specific text to ignore.

Specifies one or more property- and tag-based conditions that define criteria for including or excluding S3 objects from a classification job. Exclude conditions take precedence over include conditions.

Specifies property- and tag-based conditions that define filter criteria for including or excluding S3 buckets from the query results. Exclude conditions take precedence over include conditions.

Specifies a property- or tag-based filter condition for including or excluding Amazon Web Services resources from the query results.

Specifies property- and tag-based conditions that define filter criteria for including or excluding Amazon Web Services resources from the query results.

Specifies a property-based filter condition that determines which Amazon Web Services resources are included or excluded from the query results.

Specifies criteria for sorting the results of a query for information about Amazon Web Services resources that Amazon Macie monitors and analyzes.

Specifies a tag-based filter condition that determines which Amazon Web Services resources are included or excluded from the query results.

Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based filter condition for a query. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based filter conditions.

Specifies configuration settings that determine which findings are published to Security Hub automatically. For information about how Macie publishes findings to Security Hub, see Amazon Macie integration with Security Hub in the Amazon Macie User Guide.

Provides information about the category, types, and occurrences of sensitive data that produced a sensitive data finding.

Provides aggregated statistical data for sensitive data discovery metrics that apply to S3 buckets. Each field contains aggregated data for all the buckets that have a sensitivity score (sensitivityScore) of a specified value or within a specified range (BucketStatisticsBySensitivity). If automated sensitive data discovery is currently disabled for your account, the value for each field is 0.

Specifies managed data identifiers to exclude (not use) when performing automated sensitive data discovery. For information about the managed data identifiers that Amazon Macie currently provides, see Using managed data identifiers in the Amazon Macie User Guide.

Specifies the allow lists, custom data identifiers, and managed data identifiers to include (use) when performing automated sensitive data discovery. The configuration must specify at least one custom data identifier or managed data identifier. For information about the managed data identifiers that Amazon Macie currently provides, see Using managed data identifiers in the Amazon Macie User Guide.

Provides information about the sensitivity inspection template for an Amazon Macie account.

Provides information about the default server-side encryption settings for an S3 bucket or the encryption settings for an S3 object.

Specifies a current quota for an Amazon Macie account.

Provides information about a session that was created for an entity that performed an action by using temporary security credentials.

Provides information about the context in which temporary security credentials were issued to an entity.

Provides information about the source and type of temporary security credentials that were issued to an entity.

Provides the numerical and qualitative representations of a finding's severity.

Specifies a severity level for findings that a custom data identifier produces. A severity level determines which severity is assigned to the findings, based on the number of occurrences of text that match the custom data identifier's detection criteria.

Specifies a property-based condition that determines whether an S3 bucket is included or excluded from a classification job.

Specifies a property-based condition that determines whether an S3 object is included or excluded from a classification job.

Specifies criteria for sorting the results of a request for findings.

Provides processing statistics for a classification job.

Specifies a custom data identifier or managed data identifier that detected a type of sensitive data to start excluding or including in an S3 bucket's sensitivity score.

Specifies a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job.

Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based condition that determines whether an S3 bucket is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.

Specifies a tag-based condition that determines whether an S3 object is included or excluded from a classification job.

Specifies a tag key or tag key and value pair to use in a tag-based condition that determines whether an S3 object is included or excluded from a classification job. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based conditions.

Provides information about an account-related request that hasn't been processed.

Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see Configuration options and requirements for retrieving sensitive data samples in the Amazon Macie User Guide.

Provides data for a specific usage metric and the corresponding quota for an Amazon Macie account.

Provides quota and aggregated usage data for an Amazon Macie account.

Specifies a condition for filtering the results of a query for quota and usage data for one or more Amazon Macie accounts.

Specifies criteria for sorting the results of a query for Amazon Macie account quotas and usage data.

Provides aggregated data for an Amazon Macie usage metric. The value for the metric reports estimated usage data for an account for the preceding 30 days or the current calendar month to date, depending on the time period (timeRange) specified in the request.

Provides information about the type and other characteristics of an entity that performed an action on an affected resource.

Provides information about an Amazon Web Services account and entity that performed an action on an affected resource. The action was performed using the credentials for your Amazon Web Services account.

Provides information about when a classification job was paused. For a one-time job, this object also specifies when the job will expire and be cancelled if it isn't resumed. For a recurring job, this object also specifies when the paused job run will expire and be cancelled if it isn't resumed. This object is present only if a job's current status (jobStatus) is USER_PAUSED. The information in this object applies only to a job that was paused while it had a status of RUNNING.

Specifies a weekly recurrence pattern for running a classification job.

The current status of an account as the delegated Amazon Macie administrator account for an organization in Organizations. Possible values are:

Indicates the current status of an allow list. Depending on the type of criteria that the list specifies, possible values are:

Specifies whether to automatically enable automated sensitive data discovery for accounts that are part of an organization in Amazon Macie. Valid values are:

The status of automated sensitive data discovery for an Amazon Macie account. Valid values are:

The error code that indicates why a request failed to change the status of automated sensitive data discovery for an Amazon Macie account. Possible values are:

Specifies whether automated sensitive data discovery is currently configured to analyze objects in an S3 bucket. Possible values are:

The status of the automated sensitive data discovery configuration for an organization in Amazon Macie or a standalone Macie account. Valid values are:

Specifies whether occurrences of sensitive data can be retrieved for a finding. Possible values are:

The error code for an error that prevented Amazon Macie from retrieving and processing information about an S3 bucket and the bucket's objects.

Specifies how to apply changes to the S3 bucket exclusion list defined by the classification scope for an Amazon Macie account. Valid values are:

The type of currency that the data for an Amazon Macie usage metric is reported in. Possible values are:

The severity of a finding, ranging from LOW, for least severe, to HIGH, for most severe. Valid values are:

The type of data identifier that detected a specific type of sensitive data in an S3 bucket. Possible values are:

The server-side encryption algorithm that was used to encrypt an S3 object or is used by default to encrypt objects that are added to an S3 bucket. Possible values are:

The source of an issue or delay. Possible values are:

The type of action that occurred for the resource and produced the policy finding:

The category of the finding. Possible values are:

The frequency with which Amazon Macie publishes updates to policy findings for an account. This includes publishing updates to Security Hub and Amazon EventBridge (formerly Amazon CloudWatch Events). For more information, see Monitoring and processing findings in the Amazon Macie User Guide. Valid values are:

The action to perform on findings that match the filter criteria. To suppress (automatically archive) findings that match the criteria, set this value to ARCHIVE. Valid values are:

The grouping to sort the results by. Valid values are:

The type of finding. For details about each type, see Types of Amazon Macie findings in the Amazon Macie User Guide. Possible values are:

The operator to use in a condition. Depending on the type of condition, possible values are:

The status of a classification job. Possible values are:

The schedule for running a classification job. Valid values are:

Specifies whether any account- or bucket-level access errors occurred during the run of a one-time classification job or the most recent run of a recurring classification job. Possible values are:

The property to use to filter the results. Valid values are:

The property to sort the results by. Valid values are:

The status of an Amazon Macie account. Valid values are:

The selection type that determines which managed data identifiers a classification job uses to analyze data. Valid values are:

Specifies how Amazon Macie found the sensitive data that produced a finding. Possible values are:

The current status of the relationship between an account and an associated Amazon Macie administrator account. Possible values are:

The access method to use when retrieving occurrences of sensitive data reported by findings. Valid values are:

The status of a request to retrieve occurrences of sensitive data reported by a finding. Possible values are:

The status of the configuration for retrieving occurrences of sensitive data reported by findings. Valid values are:

The property to use in a condition that determines whether an S3 object is included or excluded from a classification job. Valid values are:

The operator to use in a condition that filters the results of a query. Valid values are:

The property to use in a condition that filters the query results. Valid values are:

The property to sort the query results by. Valid values are:

For a finding, the category of sensitive data that was detected and produced the finding. For a managed data identifier, the category of sensitive data that the managed data identifier detects. Possible values are:

The qualitative representation of the finding's severity. Possible values are:

The property to use in a condition that determines whether an S3 bucket is included or excluded from a classification job. Valid values are:

The storage class of the S3 object. Possible values are:

The type of object to apply a tag-based condition to. Valid values are:

An inclusive time period that Amazon Macie usage data applies to. Possible values are:

Specifies why occurrences of sensitive data can't be retrieved for a finding. Possible values are:

The operator to use in a condition that filters the results of a query for Amazon Macie account quotas and usage data. Valid values are:

The field to use in a condition that filters the results of a query for Amazon Macie account quotas and usage data. Valid values are:

The field to use to sort the results of a query for Amazon Macie account quotas and usage data. Valid values are:

The name of an Amazon Macie usage metric for an account. Possible values are:

The type of entity that performed the action on the affected resource. Possible values are: