The Amazon Web Services account ID for the account that sent the invitation.

(Deprecated) The Amazon Web Services account ID for the account that sent the invitation. This property has been replaced by the administratorAccountId property and is retained only for backward compatibility.

The unique identifier for the invitation to accept.

The response's http status code.

An array of custom data identifier IDs, one for each custom data identifier to retrieve information about.

An array of objects, one for each custom data identifier that matches the criteria specified in the request.

An array of custom data identifier IDs, one for each custom data identifier that was specified in the request but doesn't correlate to an existing custom data identifier.

The response's http status code.

A custom description of the allow list. The description can contain as many as 512 characters.

A map of key-value pairs that specifies the tags to associate with the allow list.

An allow list can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.

The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an S3 object that lists specific text to ignore (s3WordsList), or a regular expression (regex) that defines a text pattern to ignore.

A unique, case-sensitive token that you provide to ensure the idempotency of the request.

A custom name for the allow list. The name can contain as many as 128 characters.

The Amazon Resource Name (ARN) of the allow list.

The unique identifier for the allow list.

The response's http status code.

An array of unique identifiers, one for each allow list for the job to use when it analyzes data.

An array of unique identifiers, one for each custom data identifier for the job to use when it analyzes data. To use only managed data identifiers, don't specify a value for this property and specify a value other than NONE for the managedDataIdentifierSelector property.

A custom description of the job. The description can contain as many as 200 characters.

For a recurring job, specifies whether to analyze all existing, eligible objects immediately after the job is created (true). To analyze only those objects that are created or changed after you create the job and before the job's first scheduled run, set this value to false.

If you configure the job to run only once, don't specify a value for this property.

An array of unique identifiers, one for each managed data identifier for the job to include (use) or exclude (not use) when it analyzes data. Inclusion or exclusion depends on the managed data identifier selection type that you specify for the job (managedDataIdentifierSelector).

To retrieve a list of valid values for this property, use the ListManagedDataIdentifiers operation.

The selection type to apply when determining which managed data identifiers the job uses to analyze data. Valid values are:

• ALL - Use all the managed data identifiers that Amazon Macie provides. If you specify this value, don't specify any values for the managedDataIdentifierIds property.
• EXCLUDE - Use all the managed data identifiers that Macie provides except the managed data identifiers specified by the managedDataIdentifierIds property.
• INCLUDE - Use only the managed data identifiers specified by the managedDataIdentifierIds property.
• NONE - Don't use any managed data identifiers. If you specify this value, specify at least one custom data identifier for the job (customDataIdentifierIds) and don't specify any values for the managedDataIdentifierIds property.

If you don't specify a value for this property, the job uses all managed data identifiers. If you don't specify a value for this property or you specify ALL or EXCLUDE for a recurring job, the job also uses new managed data identifiers as they are released.

The sampling depth, as a percentage, for the job to apply when processing objects. This value determines the percentage of eligible objects that the job analyzes. If this value is less than 100, Amazon Macie selects the objects to analyze at random, up to the specified percentage, and analyzes all the data in those objects.

The recurrence pattern for running the job. To run the job only once, don't specify a value for this property and set the value for the jobType property to ONE_TIME.

A map of key-value pairs that specifies the tags to associate with the job.

A job can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.

The S3 buckets that contain the objects to analyze, and the scope of that analysis.

The schedule for running the job. Valid values are:

• ONE_TIME - Run the job only once. If you specify this value, don't specify a value for the scheduleFrequency property.
• SCHEDULED - Run the job on a daily, weekly, or monthly basis. If you specify this value, use the scheduleFrequency property to define the recurrence pattern for the job.

A unique, case-sensitive token that you provide to ensure the idempotency of the request.

A custom name for the job. The name can contain as many as 500 characters.

The Amazon Resource Name (ARN) of the job.

The unique identifier for the job.

The response's http status code.

A unique, case-sensitive token that you provide to ensure the idempotency of the request.

A custom description of the custom data identifier. The description can contain as many as 512 characters.

We strongly recommend that you avoid including any sensitive data in the description of a custom data identifier. Other users of your account might be able to see this description, depending on the actions that they're allowed to perform in Amazon Macie.

An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression contains any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4-90 UTF-8 characters. Ignore words are case sensitive.

An array that lists specific character sequences (keywords), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.

The maximum number of characters that can exist between the end of at least one complete character sequence specified by the keywords array and the end of the text that matches the regex pattern. If a complete keyword precedes all the text that matches the pattern and the keyword is within the specified distance, Amazon Macie includes the result. The distance can be 1-300 characters. The default value is 50.

The severity to assign to findings that the custom data identifier produces, based on the number of occurrences of text that matches the custom data identifier's detection criteria. You can specify as many as three SeverityLevel objects in this array, one for each severity: LOW, MEDIUM, or HIGH. If you specify more than one, the occurrences thresholds must be in ascending order by severity, moving from LOW to HIGH. For example, 1 for LOW, 50 for MEDIUM, and 100 for HIGH. If an S3 object contains fewer occurrences than the lowest specified threshold, Amazon Macie doesn't create a finding.

If you don't specify any values for this array, Macie creates findings for S3 objects that contain at least one occurrence of text that matches the detection criteria, and Macie assigns the MEDIUM severity to those findings.

A map of key-value pairs that specifies the tags to associate with the custom data identifier.

A custom data identifier can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.

The regular expression (regex) that defines the pattern to match. The expression can contain as many as 512 characters.

A custom name for the custom data identifier. The name can contain as many as 128 characters.

We strongly recommend that you avoid including any sensitive data in the name of a custom data identifier. Other users of your account might be able to see this name, depending on the actions that they're allowed to perform in Amazon Macie.

The unique identifier for the custom data identifier that was created.

The response's http status code.

A unique, case-sensitive token that you provide to ensure the idempotency of the request.

A custom description of the filter. The description can contain as many as 512 characters.

We strongly recommend that you avoid including any sensitive data in the description of a filter. Other users of your account might be able to see this description, depending on the actions that they're allowed to perform in Amazon Macie.

The position of the filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to the findings.

A map of key-value pairs that specifies the tags to associate with the filter.

A findings filter can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.

The action to perform on findings that match the filter criteria (findingCriteria). Valid values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.

The criteria to use to filter findings.

A custom name for the filter. The name must contain at least 3 characters and can contain as many as 64 characters.

We strongly recommend that you avoid including any sensitive data in the name of a filter. Other users of your account might be able to see this name, depending on the actions that they're allowed to perform in Amazon Macie.

The Amazon Resource Name (ARN) of the filter that was created.

The unique identifier for the filter that was created.

The response's http status code.

Specifies whether to send the invitation as an email message. If this value is false, Amazon Macie sends the invitation (as an email message) to the email address that you specified for the recipient's account when you associated the account with your account. The default value is false.

Custom text to include in the email message that contains the invitation. The text can contain as many as 80 alphanumeric characters.

An array that lists Amazon Web Services account IDs, one for each account to send the invitation to.

An array of objects, one for each account whose invitation hasn't been processed. Each object identifies the account and explains why the invitation hasn't been processed for the account.

The response's http status code.

A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie.

An account can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.

The details of the account to associate with the administrator account.

The Amazon Resource Name (ARN) of the account that was associated with the administrator account.

The response's http status code.

An array of finding types, one for each type of sample finding to create. To create a sample of every type of finding that Amazon Macie supports, don't include this array in your request.

The response's http status code.

An array that lists Amazon Web Services account IDs, one for each account that sent an invitation to decline.

An array of objects, one for each account whose invitation hasn't been declined. Each object identifies the account and explains why the request hasn't been processed for that account.

The response's http status code.

Specifies whether to force deletion of the allow list, even if active classification jobs are configured to use the list.

When you try to delete an allow list, Amazon Macie checks for classification jobs that use the list and have a status other than COMPLETE or CANCELLED. By default, Macie rejects your request if any jobs meet these criteria. To skip these checks and delete the list, set this value to true. To delete the list only if no active jobs are configured to use it, set this value to false.

The unique identifier for the Amazon Macie resource that the request applies to.

The response's http status code.

The unique identifier for the Amazon Macie resource that the request applies to.

The response's http status code.

The unique identifier for the Amazon Macie resource that the request applies to.

The response's http status code.

An array that lists Amazon Web Services account IDs, one for each account that sent an invitation to delete.

An array of objects, one for each account whose invitation hasn't been deleted. Each object identifies the account and explains why the request hasn't been processed for that account.

The response's http status code.

The unique identifier for the Amazon Macie resource that the request applies to.

The response's http status code.

The criteria to use to filter the query results.

The maximum number of items to include in each page of the response. The default value is 50.

The nextToken string that specifies which page of results to return in a paginated response.

The criteria to use to sort the query results.

An array of objects, one for each bucket that matches the filter criteria specified in the request.

The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

The response's http status code.

The unique identifier for the classification job.

An array of unique identifiers, one for each allow list that the job uses when it analyzes data.

The token that was provided to ensure the idempotency of the request to create the job.

The date and time, in UTC and extended ISO 8601 format, when the job was created.

An array of unique identifiers, one for each custom data identifier that the job uses when it analyzes data. This value is null if the job uses only managed data identifiers to analyze data.

The custom description of the job.

For a recurring job, specifies whether you configured the job to analyze all existing, eligible objects immediately after the job was created (true). If you configured the job to analyze only those objects that were created or changed after the job was created and before the job's first scheduled run, this value is false. This value is also false for a one-time job.

The Amazon Resource Name (ARN) of the job.

The unique identifier for the job.

The current status of the job. Possible values are:

• CANCELLED - You cancelled the job or, if it's a one-time job, you paused the job and didn't resume it within 30 days.
• COMPLETE - For a one-time job, Amazon Macie finished processing the data specified for the job. This value doesn't apply to recurring jobs.
• IDLE - For a recurring job, the previous scheduled run is complete and the next scheduled run is pending. This value doesn't apply to one-time jobs.
• PAUSED - Macie started running the job but additional processing would exceed the monthly sensitive data discovery quota for your account or one or more member accounts that the job analyzes data for.
• RUNNING - For a one-time job, the job is in progress. For a recurring job, a scheduled run is in progress.
• USER_PAUSED - You paused the job. If you paused the job while it had a status of RUNNING and you don't resume it within 30 days of pausing it, the job or job run will expire and be cancelled, depending on the job's type. To check the expiration date, refer to the UserPausedDetails.jobExpiresAt property.

The schedule for running the job. Possible values are:

• ONE_TIME - The job runs only once.
• SCHEDULED - The job runs on a daily, weekly, or monthly basis. The scheduleFrequency property indicates the recurrence pattern for the job.

Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run.

The date and time, in UTC and extended ISO 8601 format, when the job started. If the job is a recurring job, this value indicates when the most recent run started or, if the job hasn't run yet, when the job was created.

An array of unique identifiers, one for each managed data identifier that the job is explicitly configured to include (use) or exclude (not use) when it analyzes data. Inclusion or exclusion depends on the managed data identifier selection type specified for the job (managedDataIdentifierSelector). This value is null if the job's managed data identifier selection type is ALL or the job uses only custom data identifiers (customDataIdentifierIds) to analyze data.

The selection type that determines which managed data identifiers the job uses to analyze data. Possible values are:

• ALL - Use all the managed data identifiers that Amazon Macie provides.
• EXCLUDE - Use all the managed data identifiers that Macie provides except the managed data identifiers specified by the managedDataIdentifierIds property.
• INCLUDE - Use only the managed data identifiers specified by the managedDataIdentifierIds property.
• NONE - Don't use any managed data identifiers.

If this value is null, the job uses all managed data identifiers. If this value is null, ALL, or EXCLUDE for a recurring job, the job also uses new managed data identifiers as they are released.

The custom name of the job.

The S3 buckets that contain the objects to analyze, and the scope of that analysis.

The sampling depth, as a percentage, that determines the percentage of eligible objects that the job analyzes.

The recurrence pattern for running the job. This value is null if the job is configured to run only once.

The number of times that the job has run and processing statistics for the job's current run.

A map of key-value pairs that specifies which tags (keys and values) are associated with the classification job.

If the current status of the job is USER_PAUSED, specifies when the job was paused and when the job or job run will expire and be cancelled if it isn't resumed. This value is present only if the value for jobStatus is USER_PAUSED.

The response's http status code.

Specifies whether Amazon Macie is enabled automatically for accounts that are added to the organization.

Specifies whether the maximum number of Amazon Macie member accounts are part of the organization.

The response's http status code.

The response's http status code.

The Amazon Web Services account ID of the delegated Amazon Macie administrator account.

The response's http status code.

The response's http status code.

The response's http status code.

The unique identifier for the Amazon Macie resource that the request applies to.

The response's http status code.

A unique, case-sensitive token that you provide to ensure the idempotency of the request.

Specifies how often to publish updates to policy findings for the account. This includes publishing updates to Security Hub and Amazon EventBridge (formerly Amazon CloudWatch Events).

Specifies the new status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to ENABLED.

The response's http status code.

A unique, case-sensitive token that you provide to ensure the idempotency of the request.

The Amazon Web Services account ID for the account to designate as the delegated Amazon Macie administrator account for the organization.

The response's http status code.

The Amazon Web Services account ID for the administrator account. If the accounts are associated by an Amazon Macie membership invitation, this object also provides details about the invitation that was sent to establish the relationship between the accounts.

The response's http status code.

The unique identifier for the Amazon Macie resource that the request applies to.

The Amazon Resource Name (ARN) of the allow list.

The date and time, in UTC and extended ISO 8601 format, when the allow list was created in Amazon Macie.

The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an S3 object that lists specific text to ignore (s3WordsList), or a regular expression (regex) that defines a text pattern to ignore.

The custom description of the allow list.

The unique identifier for the allow list.

The custom name of the allow list.

The current status of the allow list, which indicates whether Amazon Macie can access and use the list's criteria.

A map of key-value pairs that specifies which tags (keys and values) are associated with the allow list.

The date and time, in UTC and extended ISO 8601 format, when the allow list's settings were most recently changed in Amazon Macie.

The response's http status code.

The unique identifier for the classification scope that's used when performing automated sensitive data discovery for the account. The classification scope specifies S3 buckets to exclude from automated sensitive data discovery.

The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was most recently disabled for the account. This value is null if automated sensitive data discovery wasn't enabled and subsequently disabled for the account.

The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was initially enabled for the account. This value is null if automated sensitive data discovery has never been enabled for the account.

The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was most recently enabled or disabled for the account.

The unique identifier for the sensitivity inspection template that's used when performing automated sensitive data discovery for the account. The template specifies which allow lists, custom data identifiers, and managed data identifiers to use when analyzing data.

The current status of the automated sensitive data discovery configuration for the account. Possible values are: ENABLED, use the specified settings to perform automated sensitive data discovery activities for the account; and, DISABLED, don't perform automated sensitive data discovery activities for the account.

The response's http status code.

The unique identifier for the Amazon Web Services account.

The total number of buckets.

The total number of buckets that are publicly accessible based on a combination of permissions settings for each bucket.

The total number of buckets that use certain types of server-side encryption to encrypt new objects by default. This object also reports the total number of buckets that don't encrypt new objects by default.

The total number of buckets whose bucket policies do or don't require server-side encryption of objects when objects are uploaded to the buckets.

The total number of buckets that are or aren't shared with another Amazon Web Services account.

The aggregated sensitive data discovery statistics for the buckets. If automated sensitive data discovery is currently disabled for your account, the value for each statistic is 0.

The total number of objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.

The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.

If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.

The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved both bucket and object metadata from Amazon S3 for the buckets.

The total number of objects in the buckets.

The total storage size, in bytes, of the buckets.

If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each object in the buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.

The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the buckets.

If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of the applicable objects in the buckets.

The total number of objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

The response's http status code.

The location where data classification results are stored, and the encryption settings that are used when storing results in that location.

The response's http status code.

The unique identifier for the Amazon Macie resource that the request applies to.

The unique identifier for the classification scope.

The name of the classification scope.

The S3 buckets that are excluded from automated sensitive data discovery.

The response's http status code.

The unique identifier for the Amazon Macie resource that the request applies to.

The Amazon Resource Name (ARN) of the custom data identifier.

The date and time, in UTC and extended ISO 8601 format, when the custom data identifier was created.

Specifies whether the custom data identifier was deleted. If you delete a custom data identifier, Amazon Macie doesn't delete it permanently. Instead, it soft deletes the identifier.

The custom description of the custom data identifier.

The unique identifier for the custom data identifier.

An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression contains any string in this array, Amazon Macie ignores it. Ignore words are case sensitive.

An array that lists specific character sequences (keywords), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. Keywords aren't case sensitive.

The maximum number of characters that can exist between the end of at least one complete character sequence specified by the keywords array and the end of the text that matches the regex pattern. If a complete keyword precedes all the text that matches the pattern and the keyword is within the specified distance, Amazon Macie includes the result. Otherwise, Macie excludes the result.

The custom name of the custom data identifier.

The regular expression (regex) that defines the pattern to match.

Specifies the severity that's assigned to findings that the custom data identifier produces, based on the number of occurrences of text that matches the custom data identifier's detection criteria. By default, Amazon Macie creates findings for S3 objects that contain at least one occurrence of text that matches the detection criteria, and Macie assigns the MEDIUM severity to those findings.

A map of key-value pairs that identifies the tags (keys and values) that are associated with the custom data identifier.

The response's http status code.

The criteria to use to filter the query results.

The maximum number of items to include in each page of the response.

The criteria to use to sort the query results.

The finding property to use to group the query results. Valid values are:

• classificationDetails.jobId - The unique identifier for the classification job that produced the finding.
• resourcesAffected.s3Bucket.name - The name of the S3 bucket that the finding applies to.
• severity.description - The severity level of the finding, such as High or Medium.
• type - The type of finding, such as Policy:IAMUser/S3BucketPublic and SensitiveData:S3Object/Personal.

An array of objects, one for each group of findings that matches the filter criteria specified in the request.

The response's http status code.

The criteria for sorting the results of the request.

An array of strings that lists the unique identifiers for the findings to retrieve. You can specify as many as 50 unique identifiers in this array.

An array of objects, one for each finding that matches the criteria specified in the request.

The response's http status code.

The unique identifier for the Amazon Macie resource that the request applies to.

The action that's performed on findings that match the filter criteria (findingCriteria). Possible values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.

The Amazon Resource Name (ARN) of the filter.

The custom description of the filter.

The criteria that's used to filter findings.

The unique identifier for the filter.

The custom name of the filter.

The position of the filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to the findings.

A map of key-value pairs that specifies which tags (keys and values) are associated with the filter.

The response's http status code.

The configuration settings that determine which findings are published to Security Hub.

The response's http status code.

The total number of invitations that were received by the account, not including the currently accepted invitation.

The response's http status code.

The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie account was created.

The frequency with which Amazon Macie publishes updates to policy findings for the account. This includes publishing updates to Security Hub and Amazon EventBridge (formerly Amazon CloudWatch Events).

The Amazon Resource Name (ARN) of the service-linked role that allows Amazon Macie to monitor and analyze data in Amazon Web Services resources for the account.

The current status of the Amazon Macie account. Possible values are: PAUSED, the account is enabled but all Macie activities are suspended (paused) for the account; and, ENABLED, the account is enabled and all Macie activities are enabled for the account.

The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the Amazon Macie account.

The response's http status code.

(Deprecated) The Amazon Web Services account ID for the administrator account. If the accounts are associated by a Macie membership invitation, this object also provides details about the invitation that was sent to establish the relationship between the accounts.