Amazon Macie

(1)

Amazon Macie

REST API Reference

(2)

Amazon Macie: REST API Reference

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be aﬃliated with, connected to, or sponsored by Amazon.

(3)

Welcome

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover, monitor, and protect sensitive data in your AWS environment.

Macie automates the discovery of sensitive data, such as personally identiﬁable information (PII) and ﬁnancial information, to provide you with a better understanding of the data that your organization stores in Amazon Simple Storage Service (Amazon S3). Macie also provides you with an inventory of your S3 buckets, and it automatically evaluates and monitors those buckets for security and access control.

If Macie detects sensitive data or potential issues with the security or privacy of your data, it creates detailed ﬁndings for you to review and remediate as necessary.

This guide, the Amazon Macie REST API Reference, provides information about the Amazon Macie API.

This includes supported resources, HTTP methods, parameters, and schemas. If you're new to Macie, you might ﬁnd it helpful to also review the Amazon Macie User Guide. The Amazon Macie User Guide explains key concepts and provides procedures that demonstrate how to use Macie features. It also provides information about topics such as integrating Macie with other AWS services.

In addition to interacting with Macie by making RESTful calls to the Amazon Macie API, you can use a current version of an AWS command line tool or SDK. AWS provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Macie and other AWS services. They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the AWS tools and SDKs, see Tools to Build on AWS.

Finding regional endpoints

The Amazon Macie API is available in most AWS Regions and it provides an endpoint for each of these Regions. For a list of Regions and endpoints where the API is currently available, see Amazon Macie endpoints and quotas in the Amazon Web Services General Reference. To learn more about AWS Regions, see Managing AWS Regions in the Amazon Web Services General Reference.

When you send a request to the Amazon Macie API, the request applies only to the AWS Region that’s currently active for your AWS account or speciﬁed in the request. If your request submits changes to conﬁguration or other settings for your account, the changes apply only to that Region. To make the same changes in other Regions, send the request to each additional Region that you want to apply the changes to.

Managing multiple accounts

You can centrally manage multiple Amazon Macie accounts. To do this, designate a single Macie account as the Macie administrator account and associate other Macie accounts with it as member accounts. You can do this in two ways, by using AWS Organizations or by sending membership invitations from Macie.

We recommend using AWS Organizations to manage multiple accounts.

If you're a user of a Macie administrator account, you can access certain Macie settings, data, and resources for member accounts. You can also run classiﬁcation jobs to detect sensitive data in S3 buckets that member accounts own.

(9)

Signing requests

If you're a user of a member account, you can access Macie settings, data, and resources only for your own account. For this reason, you might not be able to use certain operations of the Amazon Macie API.

For detailed information about the primary tasks that administrator and member accounts can perform, see Managing multiple accounts in the Amazon Macie User Guide.

Signing requests

When you send an HTTPS request to the Amazon Macie API, you have to sign the request by using your AWS access key, which consists of an access key ID and a secret access key. For everyday work with Macie, we strongly recommend that you not use the access key ID and secret access key for your root AWS account. Instead, use the access key ID and secret access key for an AWS Identity and Access Management (IAM) user. You can also use the AWS Security Token Service to generate temporary security credentials that you can use to sign requests. All Amazon Macie operations require Signature Version 4.

For more information about using credentials and signing requests, see the following resources:

• AWS security credentials – This section of the Amazon Web Services General Reference provides information about the types of credentials that can be used to access AWS.

• Temporary security credentials in IAM – This section of the IAM User Guide describes how to create and use temporary security credentials.

• Signing AWS API requests – This section of the Amazon Web Services General Reference explains and guides you through the process of signing a request using an access key ID and secret access key.

Logging API calls

Amazon Macie integrates with AWS CloudTrail, which is a service that provides a record of actions that were taken in Macie by a user, a role, or another AWS service. This includes actions that were performed using the Amazon Macie console and programmatic calls to Amazon Macie operations.

By using the information collected by CloudTrail, you can determine which requests were successfully sent to Macie. For each request, you can identify when it was made, the IP address from which it was made, who made it, and additional details. To learn more about CloudTrail, see the AWS CloudTrail User Guide.

(10)

Operations

The Amazon Macie REST API includes the following operations.

• AcceptInvitation (p. 270)

Accepts an Amazon Macie membership invitation that was received from a speciﬁc account.

• BatchGetCustomDataIdentiﬁers (p. 111)

Retrieves information about one or more custom data identiﬁers.

• CreateClassiﬁcationJob (p. 41)

Creates and deﬁnes the settings for a classiﬁcation job.

• CreateCustomDataIdentiﬁer (p. 104)

Creates and deﬁnes the criteria and other settings for a custom data identiﬁer.

• CreateFindingsFilter (p. 234)

Creates and defines the criteria and other settings for a findings filter.

• CreateInvitations (p. 291)

Sends an Amazon Macie membership invitation to one or more accounts.

• CreateMember (p. 328)

Associates an account with an Amazon Macie administrator account.

• CreateSampleFindings (p. 257) Creates sample ﬁndings.

• DeclineInvitations (p. 279)

Declines Amazon Macie membership invitations that were received from speciﬁc accounts.

• DeleteCustomDataIdentiﬁer (p. 96) Soft deletes a custom data identiﬁer.

• DeleteFindingsFilter (p. 222) Deletes a ﬁndings ﬁlter.

• DeleteInvitations (p. 284)

Deletes Amazon Macie membership invitations that were received from speciﬁc accounts.

• DeleteMember (p. 311)

Deletes the association between an Amazon Macie administrator account and an account.

• DescribeBuckets (p. 128)

Retrieves (queries) statistical data and other information about one or more S3 buckets that Amazon Macie monitors and analyzes.

• DescribeClassiﬁcationJob (p. 59)

Retrieves the status and settings for a classiﬁcation job.

• DescribeOrganizationConﬁguration (p. 35)

(11)

Retrieves the Amazon Macie conﬁguration settings for an organization in AWS Organizations.

• DisableMacie (p. 10)

Disables Amazon Macie and deletes all settings and resources for a Macie account.

• DisableOrganizationAdminAccount (p. 29)

Disables an account as the delegated Amazon Macie administrator account for an organization in AWS Organizations.

• DisassociateFromAdministratorAccount (p. 23)

Disassociates a member account from its Amazon Macie administrator account.

• DisassociateFromMasterAccount (p. 306)

(Deprecated) Disassociates a member account from its Amazon Macie administrator account. This operation has been replaced by the DisassociateFromAdministratorAccount (p. 23) operation.

• DisassociateMember (p. 318)

Disassociates an Amazon Macie administrator account from a member account.

• EnableMacie (p. 9)

Enables Amazon Macie and speciﬁes the conﬁguration settings for a Macie account.

• EnableOrganizationAdminAccount (p. 28)

Designates an account as the delegated Amazon Macie administrator account for an organization in AWS Organizations.

• GetAdministratorAccount (p. 18)

Retrieves information about the Amazon Macie administrator account for an account.

• GetBucketStatistics (p. 148)

Retrieves (queries) aggregated statistical data about S3 buckets that Amazon Macie monitors and analyzes.

• GetClassiﬁcationExportConﬁguration (p. 174)

Retrieves the conﬁguration settings for storing data classiﬁcation results.

• GetCustomDataIdentiﬁer (p. 95)

Retrieves the criteria and other settings for a custom data identiﬁer.

• GetFindings (p. 181)

Retrieves the details of one or more ﬁndings.

• GetFindingsFilter (p. 221)

Retrieves the criteria and other settings for a ﬁndings ﬁlter.

• GetFindingsPublicationConﬁguration (p. 251)

Retrieves the conﬁguration settings for publishing ﬁndings to AWS Security Hub.

• GetFindingStatistics (p. 262)

Retrieves (queries) aggregated statistical data about ﬁndings.

• GetInvitationsCount (p. 275)

Retrieves the count of Amazon Macie membership invitations that were received by an account.

• GetMacieSession (p. 8)

(12)

Retrieves the current status and conﬁguration settings for an Amazon Macie account.

• GetMasterAccount (p. 301)

(Deprecated) Retrieves information about the Amazon Macie administrator account for an account.

This operation has been replaced by the GetAdministratorAccount (p. 18) operation.

• GetMember (p. 310)

Retrieves information about an account that's associated with an Amazon Macie administrator account.

• GetUsageStatistics (p. 341)

Retrieves (queries) quotas and aggregated usage data for one or more accounts.

• GetUsageTotals (p. 350)

Retrieves (queries) aggregated usage data for an account.

• ListClassiﬁcationJobs (p. 81)

Retrieves a subset of information about one or more classiﬁcation jobs.

• ListCustomDataIdentiﬁers (p. 117)

Retrieves a subset of information about all the custom data identiﬁers for an account.

• ListFindings (p. 243)

Retrieves a subset of information about one or more ﬁndings.

• ListFindingsFilters (p. 233)

Retrieves a subset of information about all the ﬁndings ﬁlters for an account.

• ListInvitations (p. 290)

Retrieves information about the Amazon Macie membership invitations that were received by an account.

• ListManagedDataIdentiﬁers (p. 298)

Retrieves information about all the managed data identiﬁers that Amazon Macie currently provides.

• ListMembers (p. 327)

Retrieves information about the accounts that are associated with an Amazon Macie administrator account.

• ListOrganizationAdminAccounts (p. 27)

Retrieves information about the delegated Amazon Macie administrator account for an organization in AWS Organizations.

• ListTagsForResource (p. 336)

Retrieves the tags (keys and values) that are associated with a classification job, custom data identifier, findings filter, or member account.

• PutClassiﬁcationExportConﬁguration (p. 175)

Creates or updates the conﬁguration settings for storing data classiﬁcation results.

• PutFindingsPublicationConﬁguration (p. 252)

Updates the conﬁguration settings for publishing ﬁndings to AWS Security Hub.

• SearchResources (p. 159)

Retrieves (queries) statistical data and other information about AWS resources that Amazon Macie monitors and analyzes.

(13)

• TagResource (p. 336)

Adds or updates one or more tags (keys and values) that are associated with a classification job, custom data identifier, findings filter, or member account.

• TestCustomDataIdentiﬁer (p. 122) Tests a custom data identiﬁer.

• UntagResource (p. 337)

Removes one or more tags (keys and values) from a classification job, custom data identifier, findings filter, or member account.

• UpdateClassiﬁcationJob (p. 59)

Changes the status of a classiﬁcation job.

• UpdateFindingsFilter (p. 223)

Updates the criteria and other settings for a ﬁndings ﬁlter.

• UpdateMacieSession (p. 10)

Suspends or re-enables Amazon Macie, or updates the conﬁguration settings for a Macie account.

• UpdateMemberSession (p. 322)

Enables an Amazon Macie administrator to suspend or re-enable Macie for a member account.

• UpdateOrganizationConﬁguration (p. 36)

Updates the Amazon Macie conﬁguration settings for an organization in AWS Organizations.

(14)

Resources

The Amazon Macie REST API includes the following resources.

Topics

• Account Administration (p. 8)

• Administrator (p. 17)

• Administrator Disassociation (p. 23)

• AWS Organizations - Macie Administrator (p. 27)

• AWS Organizations - Macie Conﬁguration (p. 35)

• Classiﬁcation Job Creation (p. 41)

• Classiﬁcation Job Description (p. 58)

• Classiﬁcation Job List (p. 81)

• Custom Data Identiﬁer (p. 95)

• Custom Data Identiﬁer Creation (p. 103)

• Custom Data Identiﬁer Descriptions (p. 111)

• Custom Data Identiﬁer List (p. 116)

• Custom Data Identiﬁer Testing (p. 122)

• Data Sources - Amazon S3 (p. 128)

• Data Sources - Amazon S3 Statistics (p. 147)

• Data Sources - Search (p. 158)

• Export Conﬁguration (p. 173)

• Findings (p. 180)

• Findings Filter (p. 221)

• Findings Filters (p. 232)

• Findings List (p. 243)

• Findings Publication Conﬁguration (p. 250)

• Findings Samples (p. 257)

• Findings Statistics (p. 262)

• Invitation Acceptance (p. 270)

• Invitation Count (p. 274)

• Invitation Decline (p. 279)

• Invitation Deletion (p. 284)

• Invitation List (p. 289)

• Managed Data Identiﬁers (p. 298)

• Master Account (p. 301)

• Master Disassociation (p. 306)

• Member (p. 310)

• Member Disassociation (p. 317)

• Member Status (p. 321)

• Members (p. 326)

• Tags (p. 335)

• Usage Statistics (p. 340)

• Usage Totals (p. 350)

(15)

Account Administration

The Account Administration resource provides access to the status and conﬁguration settings for your Amazon Macie account.

You can use this resource to enable Macie and specify settings for your Macie account. When you enable Macie, the service generates a session for your AWS account in the current AWS Region, and it assigns a unique identifier to that session. A session is a resource that represents the Macie service for a specific AWS account in a specific Region. It enables Macie to become operational. An account can have only one session in each Region.

After you enable Macie, you can use this resource to review and update the status and configuration settings for your Macie account. This includes suspending (pausing) Macie and subsequently re-enabling Macie. If you suspend Macie, the service stops performing all activities for your account and it cancels all of your classification jobs. However, the service retains the session identifier, settings, and resources for your account. If your account is the Macie administrator account for an organization, you must remove all member accounts that are associated with your account before you suspend Macie.

If you want to disable Macie completely, you can use this resource to do so. If you disable Macie, the service stops performing all activities for your account. In addition, Macie permanently deletes all resources that it stores or maintains for you. This includes classification jobs, custom data identifiers, findings, and the session resource (and identifier) for your account. This doesn't include resources that Macie created and stored in other AWS services for you, such as data classification results in Amazon Simple Storage Service (Amazon S3) and findings in AWS Security Hub. If your account is the Macie administrator account for an organization and you want to disable Macie, you must first remove all member accounts that are associated with your account and delete the associations between your account and those accounts. If your account is a Macie member account in an organization and you want to disable Macie, you must first disassociate your account from its Macie administrator account.

URI

/macie

HTTP methods

GET

Operation ID: GetMacieSession

Retrieves the current status and conﬁguration settings for an Amazon Macie account.

Responses

Status code Response model Description

200 GetMacieSessionResponse (p. 11)The request succeeded.

400 ValidationException (p. 12)The request failed because it contains a syntax error.

402 ServiceQuotaExceededException (p. 12)The request failed because fulﬁlling the request would exceed one or more service quotas for your account.

403 AccessDeniedException (p. 12)The request was denied because you don't have suﬃcient access to the speciﬁed resource.

(16)

HTTP methods

404 ResourceNotFoundException (p. 12)The request failed because the speciﬁed resource wasn't found.

409 ConflictException (p. 12) The request failed because it conﬂicts with the current state of the speciﬁed resource.

429 ThrottlingException (p. 12)The request failed because you sent too many requests during a certain amount of time.

500 InternalServerException (p. 12)The request failed due to an unknown internal server error, exception, or failure.

POST

Operation ID: EnableMacie

Responses

200 Empty Schema (p. 12) The request succeeded and there

isn't any content to include in the body of the response (No Content).

(17)

HTTP methods

DELETE

Operation ID: DisableMacie

Disables Amazon Macie and deletes all settings and resources for a Macie account.

Responses

PATCH

Operation ID: UpdateMacieSession

Suspends or re-enables Amazon Macie, or updates the conﬁguration settings for a Macie account.

Responses

(18)

Schemas

Request bodies

POST schema

{

"clientToken": "string",

"findingPublishingFrequency": enum, "status": enum

}

PATCH schema

{ "findingPublishingFrequency": enum, "status": enum

}

Response bodies

GetMacieSessionResponse schema

{

"createdAt": "string", "serviceRole": "string",

"findingPublishingFrequency": enum, "status": enum,

"updatedAt": "string"

(19)

Schemas

}

Empty Schema schema

{}

ValidationException schema

{

"message": "string"

}

ServiceQuotaExceededException schema

{ "message": "string"

}

AccessDeniedException schema

{

"message": "string"

}

ResourceNotFoundException schema

}

ConﬂictException schema

{

"message": "string"

}

ThrottlingException schema

}

InternalServerException schema

}

(20)

Properties

AccessDeniedException

Provides information about an error that occurred due to insuﬃcient access to a speciﬁed resource.

message

The explanation of the error that occurred.

Type: string Required: False

ConﬂictException

Provides information about an error that occurred due to a versioning conﬂict for a speciﬁed resource.

message

Empty

The request succeeded and there isn't any content to include in the body of the response (No Content).

EnableMacieRequest

clientToken

A unique, case-sensitive token that you provide to ensure the idempotency of the request.

ﬁndingPublishingFrequency

Speciﬁes how often to publish updates to policy ﬁndings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events).

Type: FindingPublishingFrequency (p. 14) Required: False

status

Speciﬁes the new status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to ENABLED.

Type: MacieStatus (p. 15) Required: False

(21)

Properties

FindingPublishingFrequency

The frequency with which Amazon Macie publishes updates to policy ﬁndings for an account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events). For more information, see Monitoring and processing ﬁndings in the Amazon Macie User Guide. Valid values are:

FIFTEEN_MINUTES ONE_HOUR

SIX_HOURS

GetMacieSessionResponse

Provides information about the current status and conﬁguration settings for an Amazon Macie account.

createdAt

The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie account was created.

Type: string Required: False Format: date-time

serviceRole

The Amazon Resource Name (ARN) of the service-linked role that allows Amazon Macie to monitor and analyze data in AWS resources for the account.

ﬁndingPublishingFrequency

The frequency with which Amazon Macie publishes updates to policy ﬁndings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events).

status

The current status of the Amazon Macie account. Possible values are: PAUSED, the account is enabled but all Macie activities are suspended (paused) for the account; and, ENABLED, the account is enabled and all Macie activities are enabled for the account.

updatedAt

The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the Amazon Macie account.

Type: string

(22)

Properties

Required: False Format: date-time

InternalServerException

Provides information about an error that occurred due to an unknown internal server error, exception, or failure.

message

MacieStatus

The status of an Amazon Macie account. Valid values are:

PAUSED ENABLED

ResourceNotFoundException

Provides information about an error that occurred because a speciﬁed resource wasn't found.

message

ServiceQuotaExceededException

Provides information about an error that occurred due to one or more service quotas for an account.

message

ThrottlingException

Provides information about an error that occurred because too many requests were sent during a certain amount of time.

message

(23)

See also

UpdateMacieSessionRequest

Changes the status or conﬁguration settings for an Amazon Macie account.

ﬁndingPublishingFrequency

Speciﬁes how often to publish updates to policy ﬁndings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events).

status

Speciﬁes a new status for the account. Valid values are: ENABLED, resume all Amazon Macie activities for the account; and, PAUSED, suspend all Macie activities for the account.

ValidationException

Provides information about an error that occurred due to a syntax error in a request.

message

GetMacieSession

• AWS Command Line Interface

• AWS SDK for .NET

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for JavaScript

• AWS SDK for PHP V3

• AWS SDK for Python

(24)

Administrator

• AWS SDK for Ruby V3

EnableMacie

• AWS SDK for C++

• AWS SDK for Go

DisableMacie

• AWS SDK for C++

• AWS SDK for Go

UpdateMacieSession

• AWS SDK for C++

• AWS SDK for Go

Administrator

The Administrator resource provides information about the Amazon Macie administrator account for your account. If you joined an organization by accepting a Macie membership invitation, this resource also provides information about that invitation.

(25)

URI

You can use the Administrator resource to retrieve information about the Macie administrator account for your account.

URI

/administrator

HTTP methods

GET

Operation ID: GetAdministratorAccount

Retrieves information about the Amazon Macie administrator account for an account.

Responses

200 GetAdministratorAccountResponse (p. 18)The request succeeded.

Schemas

Response bodies

GetAdministratorAccountResponse schema

{

(26)

Schemas

"administrator": { "accountId": "string", "relationshipStatus": enum, "invitationId": "string", "invitedAt": "string"

} }

ValidationException schema

}

ServiceQuotaExceededException schema

}

AccessDeniedException schema

}

ResourceNotFoundException schema

}

ConﬂictException schema

}

ThrottlingException schema

}

InternalServerException schema

}

(27)

Properties

AccessDeniedException

message

ConﬂictException

message

GetAdministratorAccountResponse

Provides information about the Amazon Macie administrator account for an account. If the accounts are associated by a Macie membership invitation, the response also provides information about that invitation.

administrator

The AWS account ID for the administrator account. If the accounts are associated by an Amazon Macie membership invitation, this object also provides details about the invitation that was sent to establish the relationship between the accounts.

Type: Invitation (p. 20) Required: False

InternalServerException

message

Invitation

Provides information about an Amazon Macie membership invitation.

(28)

Properties

accountId

The AWS account ID for the account that sent the invitation.

relationshipStatus

The status of the relationship between the account that sent the invitation and the account that received the invitation.

Type: RelationshipStatus (p. 21) Required: False

invitationId

The unique identiﬁer for the invitation.

invitedAt

The date and time, in UTC and extended ISO 8601 format, when the invitation was sent.

Type: string Required: False Format: date-time

RelationshipStatus

The current status of the relationship between an account and an associated Amazon Macie administrator account. Possible values are:

Enabled Paused Invited Created Removed Resigned

EmailVerificationInProgress EmailVerificationFailed RegionDisabled

AccountSuspended

ResourceNotFoundException

message

Type: string

(29)

See also

Required: False

ServiceQuotaExceededException

message

ThrottlingException

message

ValidationException

message

GetAdministratorAccount

• AWS SDK for C++

• AWS SDK for Go

(30)

Administrator Disassociation

The Administrator Disassociation resource provides access to the association between your Amazon Macie account and its Macie administrator account. If you joined an organization by accepting a Macie membership invitation, you can use this resource to disassociate your Macie account from its current Macie administrator account.

If you're the Macie administrator for an organization and you want to disassociate (remove) a member account from the organization, use the Member Disassociation (p. 317) resource instead of this resource.

URI

/administrator/disassociate

HTTP methods

POST

Operation ID: DisassociateFromAdministratorAccount

Disassociates a member account from its Amazon Macie administrator account.

Responses

(31)

Schemas

Response bodies

Empty Schema schema

{}

ValidationException schema

}

ServiceQuotaExceededException schema

}

AccessDeniedException schema

{

"message": "string"

}

ResourceNotFoundException schema

}

ConﬂictException schema

}

ThrottlingException schema

{

(32)

Properties

"message": "string"

}

InternalServerException schema

}

Properties

AccessDeniedException

message

ConﬂictException

message

Empty

InternalServerException

message

ResourceNotFoundException

(33)

See also

message

ServiceQuotaExceededException

message

ThrottlingException

message

ValidationException

message

DisassociateFromAdministratorAccount

• AWS SDK for C++

• AWS SDK for Go

(34)

AWS Organizations - Macie Administrator

The Macie Administrator resource for AWS Organizations provides settings for designating the delegated Amazon Macie administrator account for an organization in AWS Organizations. AWS Organizations is a global account management service that enables AWS administrators to consolidate and centrally manage multiple AWS accounts. For more information about this service, see the AWS Organizations User Guide. For information about integrating Macie with AWS Organizations, see Managing Amazon Macie accounts with AWS Organizations in the Amazon Macie User Guide.

If you're a user of the AWS Organizations management account for an organization, you can use this resource to designate the delegated Macie administrator account for your organization. You can also use this resource to retrieve information about and change that designation. Note that an organization can have only one delegated Macie administrator account at a time. To use this resource, you must be a user of the AWS Organizations management account for your organization.

URI

/admin

HTTP methods

GET

Operation ID: ListOrganizationAdminAccounts

Retrieves information about the delegated Amazon Macie administrator account for an organization in AWS Organizations.

Query parameters

Name Type Required Description

nextToken String False The nextToken string

that speciﬁes which page of results to return in a paginated response.

maxResults String False The maximum number

of items to include in each page of a paginated response.

Responses

200 ListOrganizationAdminAccountsResponse (p. 30)The request succeeded.

(35)

HTTP methods

POST

Operation ID: EnableOrganizationAdminAccount

Designates an account as the delegated Amazon Macie administrator account for an organization in AWS Organizations.

Responses

(36)

HTTP methods

DELETE

Operation ID: DisableOrganizationAdminAccount

Disables an account as the delegated Amazon Macie administrator account for an organization in AWS Organizations.

Query parameters

Name Type Required Description

adminAccountId String True The AWS account ID of

the delegated Amazon Macie administrator account.

Responses

(37)

Schemas

Request bodies

POST schema

{

"clientToken": "string", "adminAccountId": "string"

}

Response bodies

ListOrganizationAdminAccountsResponse schema

{ "nextToken": "string", "adminAccounts": [ {

"accountId": "string", "status": enum

} ]}

Empty Schema schema

{}

ValidationException schema

}

ServiceQuotaExceededException schema

{

"message": "string"

}

(38)

Properties

AccessDeniedException schema

}

ResourceNotFoundException schema

}

ConﬂictException schema

{

"message": "string"

}

ThrottlingException schema

{

"message": "string"

}

InternalServerException schema

}

Properties

AccessDeniedException

message

AdminAccount

Provides information about the delegated Amazon Macie administrator account for an organization in AWS Organizations.

accountId

The AWS account ID for the account.

(39)

Properties

status

The current status of the account as the delegated Amazon Macie administrator account for the organization.

Type: AdminStatus (p. 32) Required: False

AdminStatus

The current status of an account as the delegated Amazon Macie administrator account for an organization in AWS Organizations. Possible values are:

ENABLED

DISABLING_IN_PROGRESS

ConﬂictException

message

Empty

EnableOrganizationAdminAccountRequest

Speciﬁes an account to designate as the delegated Amazon Macie administrator account for an

organization in AWS Organizations. To submit this request, you must be a user of the AWS Organizations management account.

clientToken

A unique, case-sensitive token that you provide to ensure the idempotency of the request.

adminAccountId

The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization.

Type: string Required: True

(40)

Properties

InternalServerException

message

ListOrganizationAdminAccountsResponse

Provides information about the delegated Amazon Macie administrator accounts for an organization in AWS Organizations.

nextToken

The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

adminAccounts

An array of objects, one for each delegated Amazon Macie administrator account for the organization.

Only one of these accounts can have a status of ENABLED.

Type: Array of type AdminAccount (p. 31) Required: False

ResourceNotFoundException

message

ServiceQuotaExceededException

message

(41)

See also

ThrottlingException

message

ValidationException

message

ListOrganizationAdminAccounts

• AWS SDK for C++

• AWS SDK for Go

EnableOrganizationAdminAccount

• AWS SDK for C++

• AWS SDK for Go

(42)

AWS Organizations - Macie Conﬁguration

DisableOrganizationAdminAccount

• AWS SDK for C++

• AWS SDK for Go

AWS Organizations - Macie Conﬁguration

The Macie Conﬁguration resource for AWS Organizations provides access to the Amazon Macie

conﬁguration settings for an organization in AWS Organizations. AWS Organizations is a global account management service that enables AWS administrators to consolidate and centrally manage multiple AWS accounts. For more information about this service, see the AWS Organizations User Guide. For information about integrating Macie with AWS Organizations, see Managing Amazon Macie accounts with AWS Organizations in the Amazon Macie User Guide.

If you're the delegated Macie administrator for an organization in AWS Organizations, you can use this resource to retrieve information about and update the Macie conﬁguration settings for your organization. This includes the setting that determines whether Macie is enabled automatically for new accounts when the accounts are added to your organization in AWS Organizations. To use this resource, you must be the delegated Macie administrator for an organization in AWS Organizations.

URI

/admin/configuration

HTTP methods

GET

Operation ID: DescribeOrganizationConfiguration

Retrieves the Amazon Macie conﬁguration settings for an organization in AWS Organizations.

Responses

200 DescribeOrganizationConfigurationResponse (p. 37)The request succeeded.

(43)

HTTP methods

PATCH

Operation ID: UpdateOrganizationConfiguration

Updates the Amazon Macie conﬁguration settings for an organization in AWS Organizations.

Responses

(44)

Schemas

Request bodies

PATCH schema

{ "autoEnable": boolean }

Response bodies

DescribeOrganizationConﬁgurationResponse schema

{ "autoEnable": boolean,

"maxAccountLimitReached": boolean }

Empty Schema schema

{}

ValidationException schema

}

ServiceQuotaExceededException schema

{

"message": "string"

}

AccessDeniedException schema

}

(45)

Properties

ResourceNotFoundException schema

{

"message": "string"

}

ConﬂictException schema

}

ThrottlingException schema

}

InternalServerException schema

{

"message": "string"

}

Properties

AccessDeniedException

message

ConﬂictException

message

DescribeOrganizationConﬁgurationResponse

Provides information about the Amazon Macie conﬁguration settings for an organization in AWS Organizations.

(46)

Properties

autoEnable

Speciﬁes whether Amazon Macie is enabled automatically for accounts that are added to the organization.

Type: boolean Required: False

maxAccountLimitReached

Speciﬁes whether the maximum number of Amazon Macie member accounts are part of the organization.

Type: boolean Required: False

Empty

InternalServerException

message

ResourceNotFoundException

message

ServiceQuotaExceededException

message

(47)

See also

ThrottlingException

message

UpdateOrganizationConﬁgurationRequest

Speciﬁes whether to enable Amazon Macie automatically for accounts that are added to an organization in AWS Organizations.

autoEnable

Speciﬁes whether to enable Amazon Macie automatically for an account when the account is added to the organization in AWS Organizations.

Type: boolean Required: True

ValidationException

message

DescribeOrganizationConﬁguration

• AWS SDK for C++

• AWS SDK for Go

Amazon Macie

Amazon Macie

REST API Reference

Amazon Macie: REST API Reference

Table of Contents

Welcome

Finding regional endpoints

Managing multiple accounts

Signing requests

Logging API calls

Operations

Resources

Account Administration

URI

HTTP methods

GET

Responses

POST

Responses

DELETE

Responses

PATCH

Responses

Schemas

Request bodies

POST schema

PATCH schema

Response bodies

GetMacieSessionResponse schema

Empty Schema schema

ValidationException schema

ServiceQuotaExceededException schema

AccessDeniedException schema

ResourceNotFoundException schema

ConﬂictException schema

ThrottlingException schema

InternalServerException schema

Properties

AccessDeniedException

message

ConﬂictException

message

Empty

EnableMacieRequest

clientToken

ﬁndingPublishingFrequency

status

FindingPublishingFrequency

GetMacieSessionResponse

createdAt

serviceRole

ﬁndingPublishingFrequency

status

updatedAt

InternalServerException

message

MacieStatus

ResourceNotFoundException

message

ServiceQuotaExceededException

message

ThrottlingException

message

UpdateMacieSessionRequest

ﬁndingPublishingFrequency

status

ValidationException

message

See also

GetMacieSession

EnableMacie

DisableMacie

UpdateMacieSession

Administrator

URI

HTTP methods

GET

Responses

Schemas

Response bodies