

# Performing automated sensitive data discovery
<a name="discovery-asdd"></a>

For broad visibility into where sensitive data might reside in your Amazon Simple Storage Service (Amazon S3) data estate, configure Amazon Macie to perform automated sensitive data discovery for your account or organization. With automated sensitive data discovery, Macie continually evaluates your S3 bucket inventory and uses sampling techniques to identify and select representative S3 objects in your buckets. Macie then retrieves and analyzes the selected objects, inspecting them for sensitive data.

By default, Macie selects and analyzes objects from all of your S3 general purpose buckets. If you're the Macie administrator for an organization, this includes objects in buckets that your member accounts own. You can adjust the scope of the analyses by excluding specific buckets. For example, you might exclude buckets that typically store AWS logging data. If you're a Macie administrator, an additional option is to enable or disable automated sensitive data discovery for individual accounts in your organization on a case-by-case basis.

You can tailor the analyses to focus on specific types of sensitive data. By default, Macie analyzes S3 objects by using the set of managed data identifiers that we recommend for automated sensitive data discovery. To tailor the analyses, you can configure Macie to use specific [managed data identifiers](managed-data-identifiers.md) that Macie provides, [custom data identifiers](custom-data-identifiers.md) that you define, or a combination of the two. You can also refine the analyses by configuring Macie to use [allow lists](allow-lists.md) that you specify.

As the analysis progresses each day, Macie produces records of the sensitive data that it finds and the analysis that it performs: *sensitive data findings*, which report sensitive data that Macie finds in individual S3 objects, and *sensitive data discovery results*, which log details about the analysis of individual S3 objects. Macie also updates statistics, inventory data, and other information that it provides about your Amazon S3 data. For example, an interactive heat map on the console provides a visual representation of data sensitivity across your data estate:

![\[The S3 buckets map. It shows different colored squares, one for each S3 bucket, grouped by account.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-s3-map-small.png)


These features are designed to help you evaluate data sensitivity across your Amazon S3 data estate, and drill down to investigate and assess individual accounts, buckets, and objects. They can also help you determine where to perform deeper, more immediate analysis by [running sensitive data discovery jobs](discovery-jobs.md). Combined with information that Macie provides about the security and privacy of your Amazon S3 data, you can also use these features to identify cases where immediate remediation might be necessary—for example, a publicly accessible bucket that Macie found sensitive data in.

To configure and manage automated sensitive data discovery, you must be the Macie administrator for an organization or have a standalone Macie account.

**Topics**
+ [How automated sensitive data discovery works](discovery-asdd-how-it-works.md)
+ [Configuring automated sensitive data discovery](discovery-asdd-account-manage.md)
+ [Reviewing automated sensitive data discovery results](discovery-asdd-results-s3.md)
+ [Assessing automated sensitive data discovery coverage](discovery-coverage.md)
+ [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md)
+ [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md)
+ [Default settings for automated sensitive data discovery](discovery-asdd-settings-defaults.md)

# How automated sensitive data discovery works
<a name="discovery-asdd-how-it-works"></a>

When you enable Amazon Macie for your AWS account, Macie creates an AWS Identity and Access Management (IAM) [service-linked role](service-linked-roles.md) for your account in the current AWS Region. The permissions policy for this role allows Macie to call other AWS services and monitor AWS resources on your behalf. By using this role, Macie generates and maintains an inventory of your Amazon Simple Storage Service (Amazon S3) general purpose buckets in the Region. The inventory includes information about each of your S3 buckets and objects in the buckets. If you're the Macie administrator for an organization, your inventory includes information about buckets that your member accounts own. For more information, see [Managing multiple accounts](macie-accounts.md).

If you enable automated sensitive data discovery, Macie evaluates your inventory data on a daily basis to identify S3 objects that are eligible for automated discovery. As part of the evaluation, Macie also selects a sampling of representative objects to analyze. Macie then retrieves and analyzes the latest version of each selected object, inspecting it for sensitive data.

As the analysis progresses each day, Macie updates statistics, inventory data, and other information that it provides about your Amazon S3 data. Macie also produces records of the sensitive data it finds and the analysis that it performs. The resulting data provides insight into where Macie found sensitive data in your Amazon S3 data estate, which can span all the S3 general purpose buckets for your account. The data can help you assess the security and privacy of your Amazon S3 data, determine where to perform a deeper investigation, and identify cases where remediation is necessary.


To configure and manage automated sensitive data discovery, you must be the Macie administrator for an organization or have a standalone Macie account. If your account is part of an organization, only the Macie administrator for your organization can enable or disable automated discovery for accounts in the organization. In addition, only the Macie administrator can configure and manage automated discovery settings for the accounts. This includes settings that define the scope and nature of the analyses that Macie performs. If you have a member account in an organization, contact your Macie administrator to learn about the settings for your account and organization.

**Topics**
+ [Key components](#discovery-asdd-how-it-works-components)
+ [Considerations](#discovery-asdd-how-it-works-considerations)

## Key components
<a name="discovery-asdd-how-it-works-components"></a>

Amazon Macie uses a combination of features and techniques to perform automated sensitive data discovery. These work together with features that Macie provides to help you [monitor your Amazon S3 data for security and access control](monitoring-s3-how-it-works.md).

**Selecting S3 objects to analyze**  
On a daily basis, Macie evaluates your Amazon S3 inventory data to identify S3 objects that are eligible for analysis by automated sensitive data discovery. If you're the Macie administrator for an organization, by default the evaluation includes data for S3 buckets that your member accounts own.  
As part of the evaluation, Macie uses sampling techniques to select representative S3 objects to analyze. The techniques define groups of objects that have similar metadata and are likely to have similar content. The groups are based on dimensions such as bucket name, prefix, storage class, file name extension, and last modified date. Macie then selects a representative set of samples from each group, retrieves the latest version of each selected object from Amazon S3, and analyzes each selected object to determine whether the object contains sensitive data. When the analysis is complete, Macie discards its copy of the object.  
The sampling strategy prioritizes distributed analyses. In general, it uses a breadth-first approach to your Amazon S3 data estate. Each day, a representative set of S3 objects is selected from as many of your general purpose buckets as possible, based on the total storage size of all the classifiable objects in your Amazon S3 data estate. For example, if Macie has already analyzed and found sensitive data in objects in one bucket and hasn't yet analyzed objects in another bucket, the latter bucket is a higher priority for analysis. With this approach, you gain broad insight into the sensitivity of your Amazon S3 data more quickly. Depending on the size of your data estate, analysis results can begin to appear within 48 hours.  
The sampling strategy also prioritizes analysis of different kinds of S3 objects and objects that were recently created or changed. Any single object sample isn't guaranteed to be conclusive. Therefore, analysis of a diverse set of objects can yield better insight into the types and amount of sensitive data that an S3 bucket might contain. In addition, prioritizing new or recently changed objects helps the analysis adapt to changes to your bucket inventory. For example, if objects are created or changed after a previous analysis, those objects are a higher priority for subsequent analysis. Conversely, if an object was previously analyzed and hasn't changed since that analysis, Macie doesn't analyze the object again. This approach helps you establish sensitivity baselines for individual S3 buckets. Then, as continual, incremental analyses progress for your account, your sensitivity assessments of individual buckets can become increasingly deep and detailed at a predictable rate.

**Defining the scope of the analyses**  
By default, Macie includes all the S3 general purpose buckets for your account when it evaluates your inventory data and selects S3 objects to analyze. If you're the Macie administrator for an organization, this includes buckets that your member accounts own.  
You can adjust the scope of the analyses by excluding specific S3 buckets from automated sensitive data discovery. For example, you might want to exclude buckets that typically store AWS logging data, such as AWS CloudTrail event logs. To exclude a bucket, you can change the automated discovery settings for your account or the bucket. If you do this, Macie starts excluding the bucket when the next daily evaluation and analysis cycle starts. You can exclude as many as 1,000 buckets from analyses. If you exclude an S3 bucket, you can include it again later. To do this, change the settings for your account or the bucket again. Macie then starts including the bucket when the next daily evaluation and analysis cycle starts.  
If you're the Macie administrator for an organization, you can also enable or disable automated sensitive data discovery for individual accounts in your organization. If you disable automated discovery for an account, Macie excludes all the S3 buckets that the account owns. If you subsequently re-enable automated discovery for the account, Macie starts including the buckets again.

**Determining which types of sensitive data to detect and report**  
By default, Macie inspects S3 objects by using the set of managed data identifiers that we recommend for automated sensitive data discovery. For a list of these managed data identifiers, see [Default settings for automated sensitive data discovery](discovery-asdd-settings-defaults.md).  
You can tailor the analyses to focus on specific types of sensitive data. To do this, change your automated discovery settings in any of the following ways:  
+ **Add or remove managed data identifiers** – A *managed data identifier* is a set of built-in criteria and techniques that are designed to detect a specific type of sensitive data, such as credit card numbers, AWS secret access keys, or passport numbers for a particular country or region. For more information, see [Using managed data identifiers](managed-data-identifiers.md).
+ **Add or remove custom data identifiers** – A *custom data identifier* is a set of criteria that you define to detect sensitive data. With custom data identifiers, you can detect sensitive data that reflects your organization's particular scenarios, intellectual property, or proprietary data. For example, you can detect employee IDs, customer account numbers, or internal data classifications. For more information, see [Building custom data identifiers](custom-data-identifiers.md).
+ **Add or remove allow lists** – In Macie, an allow list specifies text or a text pattern that you want Macie to ignore in S3 objects. These are typically sensitive data exceptions for your particular scenarios or environment, such as public names or phone numbers for your organization, or sample data that your organization uses for testing. For more information, see [Defining sensitive data exceptions with allow lists](allow-lists.md).
If you change a setting, Macie applies your change when the next daily analysis cycle starts. If you're the Macie administrator for an organization, Macie uses the settings for your account when it analyzes S3 objects for other accounts in your organization.  
You can also configure bucket-level settings that determine whether specific types of sensitive data are included in assessments of a bucket's sensitivity. To learn how, see [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md).
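The two settings described above (the bucket exclude list and the identifier selection) are account-wide and, for an organization, apply to every member account. The following is an added example, not code from the Macie documentation, of how an administrator might compute those settings before submitting them. It assumes the boto3 `macie2` request shapes for `update_classification_scope` (`s3.excludes.bucketNames` with an `operation` of `ADD`, `REMOVE`, or `REPLACE`) and `update_sensitivity_inspection_template` (`includes` and `excludes` lists of identifier IDs); verify both against the API reference before relying on them. The bucket names, identifier IDs, and the log-bucket name heuristic are constructed for the example.

```python
"""Plan automated sensitive data discovery settings for a Macie administrator.

Added example, not code from the Macie documentation. It assumes the boto3
'macie2' request shapes for update_classification_scope (s3.excludes.bucketNames
with operation ADD, REMOVE or REPLACE) and update_sensitivity_inspection_template
(includes/excludes lists of identifier IDs); verify both against the API
reference before use. Bucket names and identifier IDs below are constructed.
"""
import re

MAX_EXCLUDED_BUCKETS = 1000  # documented limit on excluded buckets

# Name patterns that usually denote AWS logging buckets (a constructed heuristic;
# confirm against your own inventory before excluding anything).
LOG_BUCKET_PATTERNS = [
    re.compile(p) for p in (r"cloudtrail", r"access-log", r"flow-log", r"(^|-)logs?(-|$)")
]


def select_log_buckets(bucket_names):
    """Return the buckets whose names look like logging buckets, sorted."""
    return sorted(b for b in bucket_names if any(p.search(b) for p in LOG_BUCKET_PATTERNS))


def plan_scope_excludes(scope_id, current_excludes, add=(), remove=()):
    """Build kwargs for update_classification_scope.

    The exclude list is computed in full and sent with REPLACE, so the call is
    idempotent no matter which ADD/REMOVE calls ran earlier. Buckets in `remove`
    are included in analyses again from the next daily cycle.
    """
    excludes = (set(current_excludes) | set(add)) - set(remove)
    if len(excludes) > MAX_EXCLUDED_BUCKETS:
        raise ValueError(
            f"{len(excludes)} excluded buckets exceeds the limit of {MAX_EXCLUDED_BUCKETS}"
        )
    return {
        "id": scope_id,
        "s3": {"excludes": {"bucketNames": sorted(excludes), "operation": "REPLACE"}},
    }


def plan_inspection_template(template_id, add_managed=(), remove_managed=(),
                             custom_ids=(), allow_list_ids=()):
    """Build kwargs for update_sensitivity_inspection_template.

    Assumption: includes.managedDataIdentifierIds adds managed identifiers on
    top of the recommended default set and excludes.managedDataIdentifierIds
    removes identifiers from that set. An ID in both lists is a configuration
    error, so it is rejected here rather than left for the service to resolve.
    """
    clash = set(add_managed) & set(remove_managed)
    if clash:
        raise ValueError(f"identifiers both added and removed: {sorted(clash)}")
    return {
        "id": template_id,
        "includes": {
            "managedDataIdentifierIds": sorted(add_managed),
            "customDataIdentifierIds": sorted(custom_ids),
            "allowListIds": sorted(allow_list_ids),
        },
        "excludes": {"managedDataIdentifierIds": sorted(remove_managed)},
    }


if __name__ == "__main__":
    # Constructed inventory; in practice take bucket names from your Macie bucket inventory.
    inventory = ["app-uploads", "cloudtrail-org-logs", "alb-access-log-prod", "customer-exports"]
    scope = plan_scope_excludes("example-scope-id", current_excludes=[],
                                add=select_log_buckets(inventory))
    template = plan_inspection_template(
        "example-template-id",
        add_managed=["CREDIT_CARD_NUMBER"],            # example managed identifier ID
        custom_ids=["example-custom-identifier-id"],   # constructed ID
    )
    print(scope)
    print(template)
    # Apply with a real client, e.g.:
    #   client = boto3.client("macie2", region_name="us-east-1")
    #   client.update_classification_scope(**scope)
    #   client.update_sensitivity_inspection_template(**template)
```

The scope and template IDs come from `ListClassificationScopes` and `ListSensitivityInspectionTemplates` (the actions listed under the prerequisites); there is one of each per account. Because the same settings govern analysis of member accounts, review the computed exclude list before applying it: a pattern that matches a member's data bucket silently removes that bucket from coverage.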

**Calculating sensitivity scores**  
By default, Macie automatically calculates a sensitivity score for each S3 general purpose bucket for your account. If you're the Macie administrator for an organization, this includes buckets that your member accounts own.  
In Macie, a *sensitivity score* is a quantitative measure of the intersection of two primary dimensions: the amount of sensitive data that Macie has found in a bucket, and the amount of data that Macie has analyzed in a bucket. A bucket's sensitivity score determines which sensitivity label Macie assigns to the bucket. A *sensitivity label* is a qualitative representation of a bucket's sensitivity score—for example, *Sensitive*, *Not sensitive*, and *Not yet analyzed*. For details about the range of sensitivity scores and labels that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).  
An S3 bucket's sensitivity score and label don't imply or otherwise indicate the criticality or importance that the bucket or the bucket's objects might have for you or your organization. Instead, they're intended to provide reference points that can help you identify and monitor potential security risks.
When you enable automated sensitive data discovery for the first time, Macie automatically assigns a sensitivity score of *50* and the *Not yet analyzed* label to each S3 bucket. The exception is empty buckets. An *empty bucket* is a bucket that doesn't store any objects or all the bucket's objects contain zero (0) bytes of data. If this is the case for a bucket, Macie assigns a score of *1* to the bucket and it assigns the *Not sensitive* label to the bucket.  
As automated sensitive data discovery progresses, Macie updates sensitivity scores and labels to reflect the results of its analyses. For example:  
+ If Macie doesn't find sensitive data in an object, Macie decreases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary.
+ If Macie finds sensitive data in an object, Macie increases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary.
+ If Macie finds sensitive data in an object that's subsequently changed, Macie removes sensitive data detections for the object from the bucket's sensitivity score and updates the bucket's sensitivity label as necessary.
+ If Macie finds sensitive data in an object that's subsequently deleted, Macie removes sensitive data detections for the object from the bucket's sensitivity score and updates the bucket's sensitivity label as necessary.
You can adjust the sensitivity scoring settings for individual S3 buckets by including or excluding specific types of sensitive data from a bucket's score. You can also override a bucket's calculated score by manually assigning the maximum score (*100*) to the bucket. If you assign the maximum score, the bucket's label is *Sensitive*. For more information, see [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md).

**Generating metadata, statistics, and other types of results**  
When you enable automated sensitive data discovery, Macie generates and begins maintaining additional inventory data, statistics, and other information about the S3 general purpose buckets for your account. If you're the Macie administrator for an organization, by default this includes buckets that your member accounts own.  
The additional information captures the results of the automated sensitive data discovery activities that Macie has performed thus far. It also supplements other information that Macie provides about your Amazon S3 data, such as the public access and shared access settings for individual buckets. The additional information includes:  
+ An interactive, visual representation of data sensitivity across your Amazon S3 data estate.
+ Aggregated data sensitivity statistics, such as the total number of buckets that Macie has found sensitive data in and how many of those buckets are publicly accessible.
+ Bucket-level details that indicate the current status of the analyses. For example, a list of objects that Macie has analyzed in a bucket, the types of sensitive data that Macie has found in a bucket, and the number of occurrences of each type of sensitive data that Macie found.
The information also includes statistics and details that can help you assess and monitor coverage of your Amazon S3 data. You can check the status of the analyses for your data estate overall and for individual S3 buckets. You can also identify issues that prevented Macie from analyzing objects in specific buckets. If you remediate the issues, you can increase coverage of your Amazon S3 data during subsequent analysis cycles. For more information, see [Assessing automated sensitive data discovery coverage](discovery-coverage.md).  
Macie automatically recalculates and updates this information while it performs automated sensitive data discovery. For example, if Macie finds sensitive data in an S3 object that's subsequently changed or deleted, Macie updates the applicable bucket's metadata: removes the object from the list of analyzed objects; removes occurrences of sensitive data that Macie found in the object; recalculates the sensitivity score, if the score is calculated automatically; and, updates the sensitivity label as necessary to reflect the new score.  
In addition to metadata and statistics, Macie produces records of the sensitive data it finds and the analysis that it performs: *sensitive data findings*, which report sensitive data that Macie finds in individual S3 objects, and *sensitive data discovery results*, which log details about the analysis of individual S3 objects.  
For more information, see [Reviewing automated sensitive data discovery results](discovery-asdd-results-s3.md).

## Considerations
<a name="discovery-asdd-how-it-works-considerations"></a>

As you configure and use Amazon Macie to perform automated sensitive data discovery for your Amazon S3 data, keep the following in mind:
+ Your automated discovery settings apply only to the current AWS Region. Consequently, the resulting analyses and data apply only to S3 general purpose buckets and objects in the current Region. To perform automated discovery and access the resulting data in additional Regions, enable and configure automated discovery in each additional Region.
+ If you're the Macie administrator for an organization:
  + You can perform automated discovery for a member account only if Macie is enabled for the account in the current Region. In addition, you must enable automated discovery for the account in that Region. Members can't enable or disable automated discovery for their own accounts.
  + If you enable automated discovery for a member account, Macie uses the automated discovery settings for your administrator account when it analyzes data for the member account. The applicable settings are: the list of S3 buckets to exclude from analyses, and the managed data identifiers, custom data identifiers, and allow lists to use when analyzing S3 objects. Members can't review or change these settings.
  + Members can't access automated discovery settings for individual S3 buckets that they own. For example, a member can't review or adjust the sensitivity scoring settings for one of their buckets. Only the Macie administrator can access these settings.
  + Members have read access to sensitive data discovery statistics and other results that Macie directly provides for their S3 buckets. For example, a member can use Macie to review sensitivity scores and coverage data for their S3 buckets. The exception is sensitive data findings. Only the Macie administrator has direct access to findings that automated discovery produces.
+ If an S3 bucket's permissions settings prevent Macie from accessing or retrieving information about the bucket or the bucket’s objects, Macie can't perform automated discovery for the bucket. Macie can only provide a subset of information about the bucket, such as the account ID for the AWS account that owns the bucket, the bucket's name, and when Macie most recently retrieved bucket and object metadata for the bucket as part of the [daily refresh cycle](monitoring-s3-how-it-works.md#monitoring-s3-how-it-works-data-refresh). In your bucket inventory, the sensitivity score for these buckets is *50* and their sensitivity label is *Not yet analyzed*. To identify S3 buckets where this is the case, you can refer to coverage data. For more information, see [Assessing automated sensitive data discovery coverage](discovery-coverage.md).
+ To be eligible for selection and analysis, an S3 object must be stored in a general purpose bucket and it must be *classifiable*. A *classifiable* object uses a supported Amazon S3 storage class and it has a file name extension for a supported file or storage format. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).
+ If an S3 object is encrypted, Macie can analyze it only if it's encrypted with a key that Macie can access and is allowed to use. For more information, see [Analyzing encrypted S3 objects](discovery-supported-encryption-types.md). To identify cases where encryption settings prevented Macie from analyzing one or more objects in a bucket, you can refer to coverage data. For more information, see [Assessing automated sensitive data discovery coverage](discovery-coverage.md).

# Configuring automated sensitive data discovery
<a name="discovery-asdd-account-manage"></a>

To gain broad visibility into where sensitive data might reside in your Amazon Simple Storage Service (Amazon S3) data estate, enable and configure automated sensitive data discovery for your account or organization. Amazon Macie then evaluates your S3 bucket inventory on a daily basis and uses sampling techniques to identify and select representative S3 objects from your buckets. Macie retrieves and analyzes the selected objects, inspecting them for sensitive data. If you're the Macie administrator for an organization, by default this includes objects in S3 buckets that your member accounts own. 

As the analysis progresses each day, Macie produces records of the sensitive data it finds and the analysis that it performs. Macie also updates statistics, inventory data, and other information that it provides about your Amazon S3 data. The resulting data provides insight into where Macie found sensitive data in your Amazon S3 data estate, which can span all the S3 buckets for your account or organization. For more information, see [How automated sensitive data discovery works](discovery-asdd-how-it-works.md).

If you have a standalone Macie account or you're the Macie administrator for an organization, you can configure and manage automated sensitive data discovery for your account or organization. This includes enabling and disabling automated discovery, and configuring settings that define the scope and nature of the analyses that Macie performs. If you have a member account in an organization, contact your Macie administrator to learn about the settings for your account and organization.

**Topics**
+ [Prerequisites for configuring automated sensitive data discovery](discovery-asdd-account-configure-prereqs.md)
+ [Enabling automated sensitive data discovery](discovery-asdd-account-enable.md)
+ [Configuring settings for automated sensitive data discovery](discovery-asdd-account-configure.md)
+ [Disabling automated sensitive data discovery](discovery-asdd-account-disable.md)

# Prerequisites for configuring automated sensitive data discovery
<a name="discovery-asdd-account-configure-prereqs"></a>

Before you enable or configure settings for automated sensitive data discovery, complete the following tasks. This helps ensure that you have the resources and permissions that you need.

To complete these tasks, you must be the Amazon Macie administrator for an organization or have a standalone Macie account. If your account is part of an organization, only the Macie administrator for your organization can enable or disable automated sensitive data discovery for accounts in the organization. In addition, only the Macie administrator can configure automated discovery settings for the accounts.

**Topics**
+ [Step 1: Configure a repository for sensitive data discovery results](#discovery-asdd-account-configure-prereqs-sddr)
+ [Step 2: Verify your permissions](#discovery-asdd-account-configure-prereqs-perms)
+ [Next steps](#discovery-asdd-account-configure-prereqs-next)

## Step 1: Configure a repository for sensitive data discovery results
<a name="discovery-asdd-account-configure-prereqs-sddr"></a>

When Amazon Macie performs automated sensitive data discovery, it creates an analysis record for each Amazon Simple Storage Service (Amazon S3) object that it selects for analysis. These records, referred to as *sensitive data discovery results*, log details about the analysis of individual S3 objects. This includes objects that Macie doesn't find sensitive data in, and objects that Macie can't analyze due to errors or issues such as permissions settings. If Macie finds sensitive data in an object, the sensitive data discovery result includes information about the sensitive data that Macie found. Sensitive data discovery results provide you with analysis records that can be helpful for data privacy and protection audits or investigations.

Macie stores your sensitive data discovery results for only 90 days. To access the results and enable long-term storage and retention of them, configure Macie to store the results in an S3 bucket. The bucket can serve as a definitive, long-term repository for all of your sensitive data discovery results. If you're the Macie administrator for an organization, this includes sensitive data discovery results for member accounts that you enable automated sensitive data discovery for.

To verify that you configured this repository, choose **Discovery results** in the navigation pane on the Amazon Macie console. If you prefer to do this programmatically, use the [GetClassificationExportConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/classification-export-configuration.html) operation of the Amazon Macie API. To learn more about sensitive data discovery results and how to configure this repository, see [Storing and retaining sensitive data discovery results](discovery-results-repository-s3.md).

If you configured the repository, Macie creates a folder named `automated-sensitive-data-discovery` in the repository when you enable automated sensitive data discovery for the first time. This folder stores sensitive data discovery results that Macie creates while performing automated discovery for your account or organization.

If you use Macie in multiple AWS Regions, verify that you configured the repository for each of those Regions.

## Step 2: Verify your permissions
<a name="discovery-asdd-account-configure-prereqs-perms"></a>

To verify your permissions, use AWS Identity and Access Management (IAM) to review the IAM policies that are attached to your IAM identity. Then compare the information in those policies to the following list of actions that you must be allowed to perform:
+ `macie2:GetMacieSession`
+ `macie2:UpdateAutomatedDiscoveryConfiguration`
+ `macie2:ListClassificationScopes`
+ `macie2:UpdateClassificationScope`
+ `macie2:ListSensitivityInspectionTemplates`
+ `macie2:UpdateSensitivityInspectionTemplate`

The first action allows you to access your Amazon Macie account. The second action allows you to enable or disable automated sensitive data discovery for your account or organization. For an organization, it also allows you to enable automated discovery automatically for accounts in your organization. The remaining actions allow you to identify and change the configuration settings.

If you plan to review or change the configuration settings by using the Amazon Macie console, you must also be allowed to perform the following actions:
+ `macie2:GetAutomatedDiscoveryConfiguration`
+ `macie2:GetClassificationScope`
+ `macie2:GetSensitivityInspectionTemplate`

These actions allow you to retrieve your current configuration settings and the status of automated sensitive data discovery for your account or organization. Permission to perform these actions is optional if you plan to change the configuration settings programmatically.

If you're the Macie administrator for an organization, you must also be allowed to perform the following actions:
+ `macie2:ListAutomatedDiscoveryAccounts`
+ `macie2:BatchUpdateAutomatedDiscoveryAccounts`

The first action allows you to retrieve the status of automated sensitive data discovery for individual accounts in your organization. The second action allows you to enable or disable automated discovery for individual accounts in your organization.

If you're not allowed to perform the requisite actions, ask your AWS administrator for assistance.
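The following is an added example, not code from the Macie documentation, that automates Step 1 and Step 2 above as a pre-flight check. The IAM part evaluates only the `Action`/`NotAction` and `Effect` elements of policy documents (wildcards, explicit `Deny` overriding `Allow`); it ignores `Resource` and `Condition`, so a pass is necessary but not sufficient, and the IAM policy simulator remains the authoritative check. The repository part assumes the boto3 response shape of `get_classification_export_configuration` (`configuration.s3Destination.bucketName`). The policy documents, Region names, and responses below are constructed.

```python
"""Check the prerequisites for configuring automated sensitive data discovery.

Added example, not code from the Macie documentation. The policy evaluation
matches only Action/NotAction and Effect; Resource and Condition are ignored,
so treat a pass as necessary, not sufficient. The repository check assumes the
boto3 response shape of get_classification_export_configuration
(configuration.s3Destination.bucketName). All inputs below are constructed.
"""
import fnmatch

# Actions from the prerequisites page, grouped the way the page groups them.
REQUIRED_BASE = [
    "macie2:GetMacieSession",
    "macie2:UpdateAutomatedDiscoveryConfiguration",
    "macie2:ListClassificationScopes",
    "macie2:UpdateClassificationScope",
    "macie2:ListSensitivityInspectionTemplates",
    "macie2:UpdateSensitivityInspectionTemplate",
]
REQUIRED_CONSOLE = [
    "macie2:GetAutomatedDiscoveryConfiguration",
    "macie2:GetClassificationScope",
    "macie2:GetSensitivityInspectionTemplate",
]
REQUIRED_ADMIN = [
    "macie2:ListAutomatedDiscoveryAccounts",
    "macie2:BatchUpdateAutomatedDiscoveryAccounts",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use * and ?.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy_documents, action):
    """True if some statement allows `action` and no statement denies it."""
    allowed = denied = False
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if "Action" in stmt:
                hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
            else:  # NotAction: the statement applies to every action *not* listed
                hit = not any(_action_matches(p, action)
                              for p in _as_list(stmt.get("NotAction", [])))
            if not hit:
                continue
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


def missing_actions(policy_documents, org_admin=False, uses_console=True):
    """Required actions the identity is not allowed to perform, in page order."""
    required = list(REQUIRED_BASE)
    if uses_console:
        required += REQUIRED_CONSOLE
    if org_admin:
        required += REQUIRED_ADMIN
    return [a for a in required if not action_allowed(policy_documents, a)]


def repository_bucket(export_configuration):
    """Bucket name from a get_classification_export_configuration response, or None."""
    s3 = (export_configuration.get("configuration") or {}).get("s3Destination") or {}
    return s3.get("bucketName") or None


def regions_without_repository(export_configurations_by_region):
    """Regions where no sensitive data discovery results repository is configured."""
    return sorted(region for region, cfg in export_configurations_by_region.items()
                  if repository_bucket(cfg) is None)


if __name__ == "__main__":
    # Constructed policies: broad read access, most writes, and one explicit Deny.
    policies = [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["macie2:Get*", "macie2:List*"], "Resource": "*"},
            {"Effect": "Allow", "Action": [
                "macie2:UpdateAutomatedDiscoveryConfiguration",
                "macie2:UpdateClassificationScope",
                "macie2:UpdateSensitivityInspectionTemplate"], "Resource": "*"},
        ]},
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Action": "macie2:UpdateSensitivityInspectionTemplate",
             "Resource": "*"},
        ]},
    ]
    print(missing_actions(policies, org_admin=True))
    # Constructed per-Region responses; fetch real ones with
    #   boto3.client("macie2", region_name=r).get_classification_export_configuration()
    configs = {
        "us-east-1": {"configuration": {"s3Destination": {"bucketName": "example-macie-results"}}},
        "eu-west-1": {"configuration": {}},
    }
    print(regions_without_repository(configs))
```

Run against the constructed inputs, the check reports `macie2:UpdateSensitivityInspectionTemplate` (allowed, then denied by the second policy) and `macie2:BatchUpdateAutomatedDiscoveryAccounts` (never allowed) as missing, and `eu-west-1` as a Region without a results repository. To gather real policy documents, use the IAM `GetPolicyVersion` and `GetRolePolicy`/`GetUserPolicy` operations for the identity; remember that permissions boundaries and SCPs, which this check does not model, can also deny these actions.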

## Next steps
<a name="discovery-asdd-account-configure-prereqs-next"></a>

After you complete the preceding tasks, you're ready to enable and configure the settings for your account or organization:
+ [Enabling automated sensitive data discovery](discovery-asdd-account-enable.md)
+ [Configuring settings for automated sensitive data discovery](discovery-asdd-account-configure.md)


# Enabling automated sensitive data discovery
<a name="discovery-asdd-account-enable"></a>

When you enable automated sensitive data discovery, Amazon Macie begins evaluating your Amazon Simple Storage Service (Amazon S3) inventory data and performing other automated discovery activities for your account in the current AWS Region. If you're the Macie administrator for an organization, by default the evaluation and activities include S3 buckets that your member accounts own. Depending on the size of your Amazon S3 data estate, statistics and other results can begin to appear within 48 hours.

After you enable automated sensitive data discovery, you can configure settings that refine the scope and nature of the analyses that Macie performs. These settings specify any S3 buckets to exclude from analyses. They also specify the managed data identifiers, custom data identifiers, and allow lists that you want Macie to use when it analyzes S3 objects. For information about these settings, see [Configuring settings for automated sensitive data discovery](discovery-asdd-account-configure.md). If you're the Macie administrator for an organization, you can also refine the scope of the analyses by enabling or disabling automated sensitive data discovery for individual accounts in your organization on a case-by-case basis.

To enable automated sensitive data discovery, you must be the Macie administrator for an organization or have a standalone Macie account. If you have a member account in an organization, work with your Macie administrator to enable automated sensitive data discovery for your account.

**To enable automated sensitive data discovery**  
If you're the Macie administrator for an organization or you have a standalone Macie account, you can enable automated sensitive data discovery by using the Amazon Macie console or the Amazon Macie API. If you're enabling it for the first time, start by [completing the prerequisite tasks](discovery-asdd-account-configure-prereqs.md). This helps ensure that you have the resources and permissions that you need.

------
#### [ Console ]

Follow these steps to enable automated sensitive data discovery by using the Amazon Macie console.

**To enable automated sensitive data discovery**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to enable automated sensitive data discovery.

1. In the navigation pane, under **Settings**, choose **Automated sensitive data discovery**.

1. If you have a standalone Macie account, choose **Enable** in the **Status** section.

1. If you're the Macie administrator for an organization, choose an option in the **Status** section to specify the accounts to enable automated sensitive data discovery for:
   + To enable it for all the accounts in your organization, choose **Enable**. In the dialog box that appears, choose **My organization**. For an organization in AWS Organizations, select **Enable automatically for new accounts** to also enable it automatically for accounts that subsequently join your organization. When you finish, choose **Enable**.
   + To enable it for only particular member accounts, choose **Manage accounts**. Then, in the table on the **Accounts** page, select the checkbox for each account to enable it for. When you finish, choose **Enable automated sensitive data discovery** on the **Actions** menu.
   + To enable it for only your Macie administrator account, choose **Enable**. In the dialog box that appears, choose **My account** and clear **Enable automatically for new accounts**. When you finish, choose **Enable**.

If you use Macie in multiple Regions and want to enable automated sensitive data discovery in additional Regions, repeat the preceding steps in each additional Region.

To subsequently check or change the status of automated sensitive data discovery for individual accounts in an organization, choose **Accounts** in the navigation pane. On the **Accounts** page, the **Automated sensitive data discovery** field in the table indicates the current status of automated discovery for an account. To change the status for an account, select the checkbox for the account. Then use the **Actions** menu to enable or disable automated discovery for the account.

------
#### [ API ]

To enable automated sensitive data discovery programmatically, you have several options:
+ To enable it for a Macie administrator account, an organization, or a standalone Macie account, use the [UpdateAutomatedDiscoveryConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-configuration.html) operation. Or, if you're using the AWS Command Line Interface (AWS CLI), run the [update-automated-discovery-configuration](https://docs.aws.amazon.com/cli/latest/reference/macie2/update-automated-discovery-configuration.html) command.
+ To enable it for only particular member accounts in an organization, use the [BatchUpdateAutomatedDiscoveryAccounts](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-accounts.html) operation. Or, if you're using the AWS CLI, run the [batch-update-automated-discovery-accounts](https://docs.aws.amazon.com/cli/latest/reference/macie2/batch-update-automated-discovery-accounts.html) command. To enable automated discovery for a member account, you must first enable it for your administrator account or organization.

Additional options and details vary depending on the type of account that you have.

If you're a Macie administrator, use the **UpdateAutomatedDiscoveryConfiguration** operation or run the **update-automated-discovery-configuration** command to enable automated sensitive data discovery for your account or organization. In your request, specify `ENABLED` for the `status` parameter. For the `autoEnableOrganizationMembers` parameter, specify the accounts to enable it for. If you're using the AWS CLI, specify the accounts by using the `auto-enable-organization-members` parameter. Valid values are:
+ `ALL` (default) – Enable it for all the accounts in your organization. This includes your administrator account, existing member accounts, and accounts that subsequently join your organization.
+ `NEW` – Enable it for your administrator account. Also enable it automatically for accounts that subsequently join your organization. If you previously enabled automated discovery for your organization and you specify this value, automated discovery will continue to be enabled for existing member accounts that it's currently enabled for.
+ `NONE` – Enable it for only your administrator account. Don't enable it automatically for accounts that subsequently join your organization. If you previously enabled automated discovery for your organization and you specify this value, automated discovery will continue to be enabled for existing member accounts that it's currently enabled for.

If you want to selectively enable automated sensitive data discovery for only particular member accounts, specify `NEW` or `NONE`. You can then use the **BatchUpdateAutomatedDiscoveryAccounts** operation or run the **batch-update-automated-discovery-accounts** command to enable automated discovery for the accounts.

If you have a standalone Macie account, use the **UpdateAutomatedDiscoveryConfiguration** operation or run the **update-automated-discovery-configuration** command to enable automated sensitive data discovery for your account. In your request, specify `ENABLED` for the `status` parameter. For the `autoEnableOrganizationMembers` parameter, consider whether you plan to become the Macie administrator for other accounts, and specify the appropriate value. If you specify `NONE`, automated discovery isn't enabled automatically for an account when you become the Macie administrator for the account. If you specify `ALL` or `NEW`, automated discovery is enabled automatically for the account. If you're using the AWS CLI, use the `auto-enable-organization-members` parameter to specify the appropriate value for this setting.

The following examples show how to use the AWS CLI to enable automated sensitive data discovery for one or more accounts in an organization. This first example enables automated discovery for all the accounts in an organization for the first time. It enables automated discovery for the Macie administrator account, all existing member accounts, and any accounts that subsequently join the organization.

```
$ aws macie2 update-automated-discovery-configuration --status ENABLED --auto-enable-organization-members ALL --region us-east-1
```

Where *us-east-1* is the Region in which to enable automated sensitive data discovery for the accounts, the US East (N. Virginia) Region. If the request succeeds, Macie enables automated discovery for the accounts and returns an empty response.

The next example changes the member enablement setting for an organization to `NONE`. With this change, automated sensitive data discovery isn't enabled automatically for accounts that subsequently join the organization. Instead, it's enabled only for the Macie administrator account, and any existing member accounts that it's currently enabled for.

```
$ aws macie2 update-automated-discovery-configuration --status ENABLED --auto-enable-organization-members NONE --region us-east-1
```

Where *us-east-1* is the Region in which to change the setting, the US East (N. Virginia) Region. If the request succeeds, Macie updates the setting and returns an empty response.

The following examples enable automated sensitive data discovery for two member accounts in an organization. The Macie administrator has already enabled automated discovery for the organization. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws macie2 batch-update-automated-discovery-accounts \
--region us-east-1 \
--accounts '[{"accountId":"123456789012","status":"ENABLED"},{"accountId":"111122223333","status":"ENABLED"}]'
```

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 batch-update-automated-discovery-accounts ^
--region us-east-1 ^
--accounts=[{\"accountId\":\"123456789012\",\"status\":\"ENABLED\"},{\"accountId\":\"111122223333\",\"status\":\"ENABLED\"}]
```

Where:
+ *us-east-1* is the Region in which to enable automated sensitive data discovery for the specified accounts, the US East (N. Virginia) Region.
+ *123456789012* and *111122223333* are the account IDs for the accounts to enable automated sensitive data discovery for.

If the request succeeds for all specified accounts, Macie returns an empty `errors` array. If the request fails for some accounts, the array specifies the error that occurred for each affected account. For example:

```
"errors": [
    {
        "accountId": "123456789012",
        "errorCode": "ACCOUNT_PAUSED"
    }
]
```

In the preceding response, the request failed for the specified account (`123456789012`) because Macie is currently suspended for the account. To address this error, the Macie administrator must first enable Macie for the account.

If the request fails for all accounts, you receive a message that describes the error that occurred. 
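The API procedure above, as an added example that is not part of the Macie documentation: it checks the precondition that the administrator account is enabled, batch-enables the member accounts, and interprets the `errors` array. The `status` field of the GetAutomatedDiscoveryConfiguration response is assumed from the API reference, and a constructed fake stands in for the boto3 `macie2` client so the script runs offline.

```python
"""Roll out automated sensitive data discovery to selected member accounts.

Added example, not Amazon Macie documentation code. The client is duck-typed
so anything exposing boto3's macie2 method names works; the offline run below
uses a constructed fake. The "status" field of the
GetAutomatedDiscoveryConfiguration response is assumed from the API reference.
"""


def ensure_admin_enabled(client, auto_enable="NONE"):
    """Enable automated discovery for the administrator account if needed.

    Member accounts can only be enabled after the administrator account or
    organization is, so this is the precondition for enable_members(). With
    auto_enable="NONE", accounts that join later are not enabled automatically.
    Returns True when a change was made.
    """
    config = client.get_automated_discovery_configuration()
    if config.get("status") == "ENABLED":
        return False
    client.update_automated_discovery_configuration(
        status="ENABLED", autoEnableOrganizationMembers=auto_enable
    )
    return True


def enable_members(client, account_ids):
    """Enable automated discovery for member accounts.

    Returns {accountId: errorCode} for the accounts the request failed for; an
    empty dict means every account succeeded. A failure for all accounts is
    raised by the client as an exception and is left to the caller.
    """
    accounts = [{"accountId": acct, "status": "ENABLED"} for acct in account_ids]
    response = client.batch_update_automated_discovery_accounts(accounts=accounts)
    return {err["accountId"]: err["errorCode"] for err in response.get("errors", [])}


def rollout(client, account_ids):
    """Precondition check, batch enable, and a per-account outcome summary."""
    admin_changed = ensure_admin_enabled(client)
    failed = enable_members(client, account_ids)
    enabled = [acct for acct in account_ids if acct not in failed]
    return {"admin_changed": admin_changed, "enabled": enabled, "failed": failed}


class FakeMacie:
    """Constructed stand-in for a boto3 macie2 client (offline sample)."""

    def __init__(self, paused=()):
        self.status = "DISABLED"
        self.paused = set(paused)  # accounts for which Macie is suspended

    def get_automated_discovery_configuration(self):
        return {"status": self.status, "autoEnableOrganizationMembers": "NONE"}

    def update_automated_discovery_configuration(self, status, autoEnableOrganizationMembers):
        self.status = status
        return {}

    def batch_update_automated_discovery_accounts(self, accounts):
        if self.status != "ENABLED":
            raise RuntimeError("enable the administrator account first")
        # Mirror the documented partial-failure shape: a paused account
        # yields an ACCOUNT_PAUSED entry in the errors array.
        return {"errors": [{"accountId": a["accountId"], "errorCode": "ACCOUNT_PAUSED"}
                           for a in accounts if a["accountId"] in self.paused]}


if __name__ == "__main__":
    # Replace FakeMacie(...) with boto3.client("macie2", region_name="us-east-1")
    # to run this against a real Macie administrator account.
    outcome = rollout(FakeMacie(paused={"111122223333"}), ["123456789012", "111122223333"])
    print(outcome)
```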

------

# Configuring settings for automated sensitive data discovery
<a name="discovery-asdd-account-configure"></a>

If you enable automated sensitive data discovery for your account or organization, you can adjust your automated discovery settings to refine the analyses that Amazon Macie performs. The settings specify Amazon Simple Storage Service (Amazon S3) buckets to exclude from analyses. They also specify the types and occurrences of sensitive data to detect and report—the managed data identifiers, custom data identifiers, and allow lists to use when analyzing S3 objects.

By default, Macie performs automated sensitive data discovery for all the S3 general purpose buckets for your account. If you're the Macie administrator for an organization, this includes buckets that your member accounts own. You can exclude specific buckets from the analyses. For example, you might exclude buckets that typically store AWS logging data, such as AWS CloudTrail event logs. If you exclude a bucket, you can include it again later. 

In addition, Macie analyzes S3 objects by using only the set of managed data identifiers that we recommend for automated sensitive data discovery. Macie doesn't use custom data identifiers or allow lists that you defined. To customize the analyses, you can add or remove specific managed data identifiers, custom data identifiers, and allow lists.

If you change a setting, Macie applies your change when the next evaluation and analysis cycle starts, typically within 24 hours. In addition, your change applies only to the current AWS Region. To make the same change in additional Regions, repeat the applicable steps in each additional Region.

**Topics**
+ [Configuration options for organizations](#discovery-asdd-configure-options-orgs)
+ [Excluding or including S3 buckets](#discovery-asdd-account-configure-s3buckets)
+ [Adding or removing managed data identifiers](#discovery-asdd-account-configure-mdis)
+ [Adding or removing custom data identifiers](#discovery-asdd-account-configure-cdis)
+ [Adding or removing allow lists](#discovery-asdd-account-configure-als)

**Note**  
To configure settings for automated sensitive data discovery, you must be the Macie administrator for an organization or have a standalone Macie account. If your account is part of an organization, only the Macie administrator for your organization can configure and manage the settings for accounts in your organization. If you have a member account, contact your Macie administrator to learn about the settings for your account and organization.

## Configuration options for organizations
<a name="discovery-asdd-configure-options-orgs"></a>

If an account is part of an organization that centrally manages multiple Amazon Macie accounts, the Macie administrator for the organization configures and manages automated sensitive data discovery for accounts in the organization. This includes settings that define the scope and nature of the analyses that Macie performs for the accounts. Members can't access these settings for their own accounts.

If you're the Macie administrator for an organization, you can define the scope of the analyses in several ways:
+ **Automatically enable automated sensitive data discovery for accounts** – When you enable automated sensitive data discovery, you specify whether to enable it for all existing accounts and new member accounts, only for new member accounts, or no member accounts. If you enable it for new member accounts, it's enabled automatically for any account that subsequently joins your organization, when the account joins your organization in Macie. If it's enabled for an account, Macie includes S3 buckets that the account owns. If it's disabled for an account, Macie excludes buckets that the account owns.
+ **Selectively enable automated sensitive data discovery for accounts** – With this option, you enable or disable automated sensitive data discovery for individual accounts on a case-by-case basis. If you enable it for an account, Macie includes S3 buckets that the account owns. If you don't enable it or you disable it for an account, Macie excludes buckets that the account owns.
+ **Exclude specific S3 buckets from automated sensitive data discovery** – If you enable automated sensitive data discovery for an account, you can exclude particular S3 buckets that the account owns. Macie then skips the buckets when it performs automated discovery. To exclude particular buckets, add them to the exclusion list in the configuration settings for your administrator account. You can exclude as many as 1,000 buckets for your organization.

By default, automated sensitive data discovery is enabled automatically for all new and existing accounts in an organization. In addition, Macie includes all the S3 buckets that the accounts own. If you keep the default settings, this means that Macie performs automated discovery for all the buckets for your administrator account, which includes all the buckets that your member accounts own.

As a Macie administrator, you also define the nature of the analyses that Macie performs for your organization. You do this by configuring additional settings for your administrator account—the managed data identifiers, custom data identifiers, and allow lists that you want Macie to use when it analyzes S3 objects. Macie uses the settings for your administrator account when it analyzes S3 objects for other accounts in your organization.

## Excluding or including S3 buckets in automated sensitive data discovery
<a name="discovery-asdd-account-configure-s3buckets"></a>

By default, Amazon Macie performs automated sensitive data discovery for all the S3 general purpose buckets for your account. If you're the Macie administrator for an organization, this includes buckets that your member accounts own.

To refine the scope, you can exclude as many as 1,000 S3 buckets from analyses. If you exclude a bucket, Macie stops selecting and analyzing objects in the bucket when it performs automated sensitive data discovery. Existing sensitive data discovery statistics and details for the bucket persist. For example, the bucket's current sensitivity score remains unchanged. After you exclude a bucket, you can include it again later.

**To exclude or include an S3 bucket in automated sensitive data discovery**  
You can exclude or subsequently include an S3 bucket by using the Amazon Macie console or the Amazon Macie API.

------
#### [ Console ]

Follow these steps to exclude or subsequently include an S3 bucket by using the Amazon Macie console.

**To exclude or include an S3 bucket**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to exclude or include specific S3 buckets in analyses.

1. In the navigation pane, under **Settings**, choose **Automated sensitive data discovery**.

   The **Automated sensitive data discovery** page appears and displays your current settings. On that page, the **S3 buckets** section lists S3 buckets that are currently excluded, or it indicates that all buckets are currently included.

1. In the **S3 buckets** section, choose **Edit**.

1. Do one of the following:
   + To exclude one or more S3 buckets, choose **Add buckets to the exclude list**. Then, in the **S3 buckets** table, select the checkbox for each bucket to exclude. The table lists all the general purpose buckets for your account or organization in the current Region.
   + To include one or more S3 buckets that you previously excluded, choose **Remove buckets from the exclude list**. Then, in the **S3 buckets** table, select the checkbox for each bucket to include. The table lists all the buckets that are currently excluded from analyses.

   To find specific buckets more easily, enter search criteria in the search box above the table. You can also sort the table by choosing a column heading.

1. When you finish selecting buckets, choose **Add** or **Remove**, depending on the option that you chose in the preceding step.

**Tip**  
You can also exclude or include individual S3 buckets on a case-by-case basis while you review bucket details on the console. To do this, choose the bucket on the **S3 buckets** page. Then, in the details panel, change the **Exclude from automated discovery** setting for the bucket.

------
#### [ API ]

To exclude or subsequently include an S3 bucket programmatically, use the Amazon Macie API to update the classification scope for your account. The classification scope specifies buckets that you don't want Macie to analyze when it performs automated sensitive data discovery. It defines a bucket exclusion list for automated discovery.

When you update the classification scope, you specify whether to add or remove individual buckets from the exclusion list, or overwrite the current list with a new list. Therefore, it's a good idea to start by retrieving and reviewing your current list. To retrieve the list, use the [GetClassificationScope](https://docs.aws.amazon.com/macie/latest/APIReference/classification-scopes-id.html) operation. If you're using the AWS Command Line Interface (AWS CLI), run the [get-classification-scope](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-classification-scope.html) command to retrieve the list.

To retrieve or update the classification scope, you have to specify its unique identifier (`id`). You can get this identifier by using the [GetAutomatedDiscoveryConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-configuration.html) operation. This operation retrieves your current configuration settings for automated sensitive data discovery, including the unique identifier for the classification scope for your account in the current AWS Region. If you're using the AWS CLI, run the [get-automated-discovery-configuration](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-automated-discovery-configuration.html) command to retrieve this information.

When you're ready to update the classification scope, use the [UpdateClassificationScope](https://docs.aws.amazon.com/macie/latest/APIReference/classification-scopes-id.html) operation or, if you're using the AWS CLI, run the [update-classification-scope](https://docs.aws.amazon.com/cli/latest/reference/macie2/update-classification-scope.html) command. In your request, use the supported parameters to exclude or include an S3 bucket in subsequent analyses:
+ To exclude one or more buckets, specify the name of each bucket for the `bucketNames` parameter. For the `operation` parameter, specify `ADD`.
+ To include one or more buckets that you previously excluded, specify the name of each bucket for the `bucketNames` parameter. For the `operation` parameter, specify `REMOVE`.
+ To overwrite the current list with a new list of buckets to exclude, specify `REPLACE` for the `operation` parameter. For the `bucketNames` parameter, specify the name of each bucket to exclude.

Each value for the `bucketNames` parameter must be the full name of an existing general purpose bucket in the current Region. Values are case sensitive. If your request succeeds, Macie updates the classification scope and returns an empty response.

The following examples show how to use the AWS CLI to update the classification scope for an account. The first set of examples excludes two S3 buckets (*amzn-s3-demo-bucket1* and *amzn-s3-demo-bucket2*) from subsequent analyses. It adds the buckets to the list of buckets to exclude.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws macie2 update-classification-scope \
--id 117aff7ed76b59a59c3224ebdexample \
--s3 '{"excludes":{"bucketNames":["amzn-s3-demo-bucket1","amzn-s3-demo-bucket2"],"operation": "ADD"}}'
```

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 update-classification-scope ^
--id 117aff7ed76b59a59c3224ebdexample ^
--s3={\"excludes\":{\"bucketNames\":[\"amzn-s3-demo-bucket1\",\"amzn-s3-demo-bucket2\"],\"operation\":\"ADD\"}}
```

The next set of examples includes the same buckets (*amzn-s3-demo-bucket1* and *amzn-s3-demo-bucket2*) in subsequent analyses again. It removes the buckets from the list of buckets to exclude. For Linux, macOS, or Unix:

```
$ aws macie2 update-classification-scope \
--id 117aff7ed76b59a59c3224ebdexample \
--s3 '{"excludes":{"bucketNames":["amzn-s3-demo-bucket1","amzn-s3-demo-bucket2"],"operation": "REMOVE"}}'
```

For Microsoft Windows:

```
C:\> aws macie2 update-classification-scope ^
--id 117aff7ed76b59a59c3224ebdexample ^
--s3={\"excludes\":{\"bucketNames\":[\"amzn-s3-demo-bucket1\",\"amzn-s3-demo-bucket2\"],\"operation\":\"REMOVE\"}}
```

The following examples overwrite and replace the current list with a new list of S3 buckets to exclude. The new list specifies three buckets to exclude: *amzn-s3-demo-bucket*, *amzn-s3-demo-bucket2*, and *amzn-s3-demo-bucket3*. For Linux, macOS, or Unix:

```
$ aws macie2 update-classification-scope \
--id 117aff7ed76b59a59c3224ebdexample \
--s3 '{"excludes":{"bucketNames":["amzn-s3-demo-bucket","amzn-s3-demo-bucket2","amzn-s3-demo-bucket3"],"operation": "REPLACE"}}'
```

For Microsoft Windows:

```
C:\> aws macie2 update-classification-scope ^
--id 117aff7ed76b59a59c3224ebdexample ^
--s3={\"excludes\":{\"bucketNames\":[\"amzn-s3-demo-bucket\",\"amzn-s3-demo-bucket2\",\"amzn-s3-demo-bucket3\"],\"operation\":\"REPLACE\"}}
```
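The retrieve-then-update workflow above, as an added example that is not Macie documentation code: it diffs the current exclusion list against a desired one and issues only the ADD and REMOVE operations needed, so re-running it changes nothing. The response fields `classificationScopeId` and `s3.excludes.bucketNames` are assumed from the API reference, and a constructed fake stands in for the boto3 `macie2` client.

```python
"""Converge the automated-discovery bucket exclusion list (classification scope).

Added example, not Amazon Macie documentation code. The client is duck-typed;
the offline run uses a constructed fake in place of boto3's macie2 client.
Response fields classificationScopeId and s3.excludes.bucketNames are assumed
from the Macie API reference.
"""

MAX_EXCLUDED_BUCKETS = 1000  # documented limit per account or organization


def current_exclusions(client):
    """Return (scope id, set of currently excluded bucket names) for this Region."""
    config = client.get_automated_discovery_configuration()
    scope_id = config["classificationScopeId"]
    scope = client.get_classification_scope(id=scope_id)
    names = scope.get("s3", {}).get("excludes", {}).get("bucketNames", [])
    return scope_id, set(names)


def plan_exclusion_changes(current, desired):
    """Pure diff between the current and desired exclusion lists.

    Bucket names are case sensitive, so they are compared verbatim. The
    1,000-bucket limit is enforced before any API call is made.
    """
    current, desired = set(current), set(desired)
    if len(desired) > MAX_EXCLUDED_BUCKETS:
        raise ValueError(
            f"{len(desired)} buckets exceeds the {MAX_EXCLUDED_BUCKETS}-bucket exclusion limit"
        )
    return {"ADD": sorted(desired - current), "REMOVE": sorted(current - desired)}


def apply_exclusions(client, desired, replace=False):
    """Make `desired` the exclusion list and return the operations issued.

    replace=True sends a single REPLACE call instead of the ADD/REMOVE pair;
    it is simpler but overwrites the whole list. Either way nothing is sent
    when the list already matches.
    """
    scope_id, current = current_exclusions(client)
    plan = plan_exclusion_changes(current, desired)
    if not plan["ADD"] and not plan["REMOVE"]:
        return []
    if replace:
        ops = [("REPLACE", sorted(set(desired)))]
    else:
        ops = [(op, names) for op, names in plan.items() if names]
    for op, names in ops:
        client.update_classification_scope(
            id=scope_id, s3={"excludes": {"bucketNames": names, "operation": op}}
        )
    return ops


class FakeMacie:
    """Constructed stand-in for a boto3 macie2 client (offline sample)."""

    def __init__(self, excluded=()):
        self.scope_id = "117aff7ed76b59a59c3224ebdexample"  # id used in the page's examples
        self.excluded = list(excluded)

    def get_automated_discovery_configuration(self):
        return {"status": "ENABLED", "classificationScopeId": self.scope_id}

    def get_classification_scope(self, id):
        assert id == self.scope_id
        return {"id": id, "s3": {"excludes": {"bucketNames": list(self.excluded)}}}

    def update_classification_scope(self, id, s3):
        names, op = s3["excludes"]["bucketNames"], s3["excludes"]["operation"]
        if op == "ADD":
            self.excluded += [n for n in names if n not in self.excluded]
        elif op == "REMOVE":
            self.excluded = [n for n in self.excluded if n not in names]
        elif op == "REPLACE":
            self.excluded = list(names)
        return {}


if __name__ == "__main__":
    # Swap FakeMacie(...) for boto3.client("macie2", region_name="us-east-1") for real use.
    fake = FakeMacie(excluded=["amzn-s3-demo-bucket1", "amzn-s3-demo-bucket2"])
    wanted = ["amzn-s3-demo-bucket", "amzn-s3-demo-bucket2", "amzn-s3-demo-bucket3"]
    print(apply_exclusions(fake, wanted))
    print(sorted(fake.excluded))
```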

------

## Adding or removing managed data identifiers from automated sensitive data discovery
<a name="discovery-asdd-account-configure-mdis"></a>

A *managed data identifier* is a set of built-in criteria and techniques that are designed to detect a specific type of sensitive data—for example, credit card numbers, AWS secret access keys, or passport numbers for a particular country or region. By default, Amazon Macie analyzes S3 objects by using the set of managed data identifiers that we recommend for automated sensitive data discovery. To review a list of these identifiers, see [Default settings for automated sensitive data discovery](discovery-asdd-settings-defaults.md).

You can tailor the analyses to focus on specific types of sensitive data:
+ Add managed data identifiers for the types of sensitive data that you want Macie to detect and report, and
+ Remove managed data identifiers for the types of sensitive data that you don't want Macie to detect and report.

For a complete list of all the managed data identifiers that Macie currently provides and details for each one, see [Using managed data identifiers](managed-data-identifiers.md).

If you remove a managed data identifier, your change doesn't affect existing sensitive data discovery statistics and details for S3 buckets. For example, if you remove the managed data identifier for AWS secret access keys and Macie previously detected that data in a bucket, Macie continues to report those detections. However, instead of removing the identifier, which affects subsequent analyses of all buckets, consider excluding its detections from sensitivity scores for only particular buckets. For more information, see [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md).

**To add or remove managed data identifiers from automated sensitive data discovery**  
You can add or remove managed data identifiers by using the Amazon Macie console or the Amazon Macie API.

------
#### [ Console ]

Follow these steps to add or remove a managed data identifier by using the Amazon Macie console.

**To add or remove a managed data identifier**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to add or remove a managed data identifier from analyses.

1. In the navigation pane, under **Settings**, choose **Automated sensitive data discovery**.

   The **Automated sensitive data discovery** page appears and displays your current settings. On that page, the **Managed data identifiers** section displays your current settings, organized into two tabs:
   + **Added to default** – This tab lists managed data identifiers that you added. Macie uses these identifiers in addition to the ones that are in the default set and you haven't removed.
   + **Removed from default** – This tab lists managed data identifiers that you removed. Macie doesn't use these identifiers.

1. In the **Managed data identifiers** section, choose **Edit**.

1. Do any of the following:
   + To add one or more managed data identifiers, choose the **Added to default** tab. Then, in the table, select the checkbox for each managed data identifier to add. If a checkbox is already selected, you already added that identifier.
   + To remove one or more managed data identifiers, choose the **Removed from default** tab. Then, in the table, select the checkbox for each managed data identifier to remove. If a checkbox is already selected, you already removed that identifier.

   On each tab, the table displays a list of all the managed data identifiers that Macie currently provides. In the table, the first column specifies each managed data identifier's ID. The ID describes the type of sensitive data that an identifier is designed to detect—for example, **USA\_PASSPORT\_NUMBER** for US passport numbers. To find specific managed data identifiers more easily, enter search criteria in the search box above the table. You can also sort the table by choosing a column heading.

1. When you finish, choose **Save**.

------
#### [ API ]

To add or remove a managed data identifier programmatically, use the Amazon Macie API to update the sensitivity inspection template for your account. The template stores settings that specify which managed data identifiers to use (*include*) in addition to the ones in the default set, and which managed data identifiers not to use (*exclude*). The settings also specify any custom data identifiers and allow lists that you want Macie to use.

When you update the template, you overwrite its current settings. Therefore, it's a good idea to start by retrieving your current settings and determining which ones you want to keep. To retrieve your current settings, use the [GetSensitivityInspectionTemplate](https://docs.aws.amazon.com/macie/latest/APIReference/templates-sensitivity-inspections-id.html) operation. If you're using the AWS Command Line Interface (AWS CLI), run the [get-sensitivity-inspection-template](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-sensitivity-inspection-template.html) command to retrieve the settings.

To retrieve or update the template, you have to specify its unique identifier (`id`). You can get this identifier by using the [GetAutomatedDiscoveryConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-configuration.html) operation. This operation retrieves your current configuration settings for automated sensitive data discovery, including the unique identifier for the sensitivity inspection template for your account in the current AWS Region. If you're using the AWS CLI, run the [get-automated-discovery-configuration](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-automated-discovery-configuration.html) command to retrieve this information.

When you're ready to update the template, use the [UpdateSensitivityInspectionTemplate](https://docs.aws.amazon.com/macie/latest/APIReference/templates-sensitivity-inspections-id.html) operation or, if you're using the AWS CLI, run the [update-sensitivity-inspection-template](https://docs.aws.amazon.com/cli/latest/reference/macie2/update-sensitivity-inspection-template.html) command. In your request, use the appropriate parameters to add or remove one or more managed data identifiers from subsequent analyses:
+ To start using a managed data identifier, specify its ID for the `managedDataIdentifierIds` parameter of the `includes` parameter.
+ To stop using a managed data identifier, specify its ID for the `managedDataIdentifierIds` parameter of the `excludes` parameter.
+ To restore the default settings, don't specify any IDs for the `includes` and `excludes` parameters. Macie then starts using only the managed data identifiers that are in the default set.

In addition to the parameters for managed data identifiers, use the appropriate `includes` parameters to specify any custom data identifiers (`customDataIdentifierIds`) and allow lists (`allowListIds`) that you want Macie to use. Also specify the Region that your request applies to. If your request succeeds, Macie updates the template and returns an empty response.

The following examples show how to use the AWS CLI to update the sensitivity inspection template for an account. The examples add one managed data identifier and remove another from subsequent analyses. They also maintain current settings that specify two custom data identifiers to use.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws macie2 update-sensitivity-inspection-template \
--id fd7b6d71c8006fcd6391e6eedexample \
--excludes '{"managedDataIdentifierIds":["UK_ELECTORAL_ROLL_NUMBER"]}' \
--includes '{"managedDataIdentifierIds":["STRIPE_CREDENTIALS"],"customDataIdentifierIds":["3293a69d-4a1e-4a07-8715-208ddexample","6fad0fb5-3e82-4270-bede-469f2example"]}'
```

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 update-sensitivity-inspection-template ^
--id fd7b6d71c8006fcd6391e6eedexample ^
--excludes={\"managedDataIdentifierIds\":[\"UK_ELECTORAL_ROLL_NUMBER\"]} ^
--includes={\"managedDataIdentifierIds\":[\"STRIPE_CREDENTIALS\"],\"customDataIdentifierIds\":[\"3293a69d-4a1e-4a07-8715-208ddexample\",\"6fad0fb5-3e82-4270-bede-469f2example\"]}
```

Where:
+ *fd7b6d71c8006fcd6391e6eedexample* is the unique identifier for the sensitivity inspection template to update.
+ *UK\_ELECTORAL\_ROLL\_NUMBER* is the ID for the managed data identifier to stop using (*exclude*).
+ *STRIPE\_CREDENTIALS* is the ID for the managed data identifier to start using (*include*).
+ *3293a69d-4a1e-4a07-8715-208ddexample* and *6fad0fb5-3e82-4270-bede-469f2example* are the unique identifiers for the custom data identifiers to use.

------

## Adding or removing custom data identifiers from automated sensitive data discovery
<a name="discovery-asdd-account-configure-cdis"></a>

A *custom data identifier* is a set of criteria that you define to detect sensitive data. The criteria consist of a regular expression (*regex*) that defines a text pattern to match and, optionally, character sequences and a proximity rule that refine the results. To learn more, see [Building custom data identifiers](custom-data-identifiers.md).

By default, Amazon Macie doesn't use custom data identifiers when it performs automated sensitive data discovery. If you want Macie to use specific custom data identifiers, you can add them to subsequent analyses. Macie then uses the custom data identifiers in addition to any managed data identifiers that you configure Macie to use.

If you add a custom data identifier, you can later remove it. Your change doesn't affect existing sensitive data discovery statistics and details for S3 buckets. That is to say, if you remove a custom data identifier that previously produced detections for a bucket, Macie continues to report those detections. However, instead of removing the identifier, which affects subsequent analyses of all buckets, consider excluding its detections from sensitivity scores for only particular buckets. For more information, see [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md).

**To add or remove custom data identifiers from automated sensitive data discovery**  
You can add or remove custom data identifiers by using the Amazon Macie console or the Amazon Macie API.

------
#### [ Console ]

Follow these steps to add or remove a custom data identifier by using the Amazon Macie console.

**To add or remove a custom data identifier**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to add or remove a custom data identifier from analyses.

1. In the navigation pane, under **Settings**, choose **Automated sensitive data discovery**.

   The **Automated sensitive data discovery** page appears and displays your current settings. On that page, the **Custom data identifiers** section lists custom data identifiers that you already added, or it indicates that you haven't added any custom data identifiers.

1. In the **Custom data identifiers** section, choose **Edit**.

1. Do any of the following:
   + To add one or more custom data identifiers, select the checkbox for each custom data identifier to add. If a checkbox is already selected, you already added that identifier.
   + To remove one or more custom data identifiers, clear the checkbox for each custom data identifier to remove. If a checkbox is already cleared, Macie doesn't currently use that identifier.
**Tip**  
To review or test the settings for a custom data identifier before you add or remove it, choose the link icon (![\[The link icon, which is a blue box that has an arrow in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-external-link.png)) next to the identifier's name. Macie opens a page that displays the identifier's settings. To also test the identifier with sample data, enter up to 1,000 characters of text in the **Sample data** box on that page. Then choose **Test**. Macie evaluates the sample data and reports the number of matches.

1. When you finish, choose **Save**.

------
#### [ API ]

To add or remove a custom data identifier programmatically, use the Amazon Macie API to update the sensitivity inspection template for your account. The template stores settings that specify which custom data identifiers you want Macie to use when performing automated sensitive data discovery. The settings also specify which managed data identifiers and allow lists to use.

When you update the template, you overwrite its current settings. Therefore, it's a good idea to start by retrieving your current settings and determining which ones you want to keep. To retrieve your current settings, use the [GetSensitivityInspectionTemplate](https://docs.aws.amazon.com/macie/latest/APIReference/templates-sensitivity-inspections-id.html) operation. If you're using the AWS Command Line Interface (AWS CLI), run the [get-sensitivity-inspection-template](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-sensitivity-inspection-template.html) command to retrieve the settings.

To retrieve or update the template, you have to specify its unique identifier (`id`). You can get this identifier by using the [GetAutomatedDiscoveryConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-configuration.html) operation. This operation retrieves your current configuration settings for automated sensitive data discovery, including the unique identifier for the sensitivity inspection template for your account in the current AWS Region. If you're using the AWS CLI, run the [get-automated-discovery-configuration](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-automated-discovery-configuration.html) command to retrieve this information.

When you're ready to update the template, use the [UpdateSensitivityInspectionTemplate](https://docs.aws.amazon.com/macie/latest/APIReference/templates-sensitivity-inspections-id.html) operation or, if you're using the AWS CLI, run the [update-sensitivity-inspection-template](https://docs.aws.amazon.com/cli/latest/reference/macie2/update-sensitivity-inspection-template.html) command. In your request, use the `customDataIdentifierIds` parameter to add or remove one or more custom data identifiers from subsequent analyses: 
+ To start using a custom data identifier, specify its unique identifier for the parameter.
+ To stop using a custom data identifier, omit its unique identifier from the parameter.

Use additional parameters to specify which managed data identifiers and allow lists you want Macie to use. Also specify the Region that your request applies to. If your request succeeds, Macie updates the template and returns an empty response.

The following examples show how to use the AWS CLI to update the sensitivity inspection template for an account. The examples add two custom data identifiers to subsequent analyses. They also maintain current settings that specify which managed data identifiers and allow lists to use: use the default set of managed data identifiers and one allow list.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws macie2 update-sensitivity-inspection-template \
--id fd7b6d71c8006fcd6391e6eedexample \
--includes '{"allowListIds":["nkr81bmtu2542yyexample"],"customDataIdentifierIds":["3293a69d-4a1e-4a07-8715-208ddexample","6fad0fb5-3e82-4270-bede-469f2example"]}'
```

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 update-sensitivity-inspection-template ^
--id fd7b6d71c8006fcd6391e6eedexample ^
--includes={\"allowListIds\":[\"nkr81bmtu2542yyexample\"],\"customDataIdentifierIds\":[\"3293a69d-4a1e-4a07-8715-208ddexample\",\"6fad0fb5-3e82-4270-bede-469f2example\"]}
```

Where:
+ *fd7b6d71c8006fcd6391e6eedexample* is the unique identifier for the sensitivity inspection template to update.
+ *nkr81bmtu2542yyexample* is the unique identifier for the allow list to use.
+ *3293a69d-4a1e-4a07-8715-208ddexample* and *6fad0fb5-3e82-4270-bede-469f2example* are the unique identifiers for the custom data identifiers to use.

------

## Adding or removing allow lists from automated sensitive data discovery
<a name="discovery-asdd-account-configure-als"></a>

In Amazon Macie, an allow list defines specific text or a text pattern that you want Macie to ignore when it inspects S3 objects for sensitive data. If text matches an entry or pattern in an allow list, Macie doesn’t report the text. This is the case even if the text matches the criteria of a managed or custom data identifier. To learn more, see [Defining sensitive data exceptions with allow lists](allow-lists.md).

By default, Macie doesn't use allow lists when it performs automated sensitive data discovery. If you want Macie to use specific allow lists, you can add them to subsequent analyses. If you add an allow list, you can later remove it.

**To add or remove allow lists from automated sensitive data discovery**  
You can add or remove allow lists by using the Amazon Macie console or the Amazon Macie API.

------
#### [ Console ]

Follow these steps to add or remove an allow list by using the Amazon Macie console.

**To add or remove an allow list**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to add or remove an allow list from analyses.

1. In the navigation pane, under **Settings**, choose **Automated sensitive data discovery**. 

   The **Automated sensitive data discovery** page appears and displays your current settings. On that page, the **Allow lists** section specifies allow lists that you already added, or it indicates that you haven't added any allow lists.

1. In the **Allow lists** section, choose **Edit**.

1. Do any of the following:
   + To add one or more allow lists, select the checkbox for each allow list to add. If a checkbox is already selected, you already added that list.
   + To remove one or more allow lists, clear the checkbox for each allow list to remove. If a checkbox is already cleared, Macie doesn't currently use that list.
**Tip**  
To review the settings for an allow list before you add or remove it, choose the link icon (![\[The link icon, which is a blue box that has an arrow in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-external-link.png)) next to the list's name. Macie opens a page that displays the list's settings. If the list specifies a regular expression (*regex*), you can also use this page to test the regex with sample data. To do this, enter up to 1,000 characters of text in the **Sample data** box, and then choose **Test**. Macie evaluates the sample data and reports the number of matches.

1. When you finish, choose **Save**.

------
#### [ API ]

To add or remove an allow list programmatically, use the Amazon Macie API to update the sensitivity inspection template for your account. The template stores settings that specify which allow lists you want Macie to use when performing automated sensitive data discovery. The settings also specify which managed data identifiers and custom data identifiers to use.

When you update the template, you overwrite its current settings. Therefore, it's a good idea to start by retrieving your current settings and determining which ones you want to keep. To retrieve your current settings, use the [GetSensitivityInspectionTemplate](https://docs.aws.amazon.com/macie/latest/APIReference/templates-sensitivity-inspections-id.html) operation. If you're using the AWS Command Line Interface (AWS CLI), run the [get-sensitivity-inspection-template](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-sensitivity-inspection-template.html) command to retrieve the settings.

To retrieve or update the template, you have to specify its unique identifier (`id`). You can get this identifier by using the [GetAutomatedDiscoveryConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-configuration.html) operation. This operation retrieves your current configuration settings for automated sensitive data discovery, including the unique identifier for the sensitivity inspection template for your account in the current AWS Region. If you're using the AWS CLI, run the [get-automated-discovery-configuration](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-automated-discovery-configuration.html) command to retrieve this information.

When you're ready to update the template, use the [UpdateSensitivityInspectionTemplate](https://docs.aws.amazon.com/macie/latest/APIReference/templates-sensitivity-inspections-id.html) operation or, if you're using the AWS CLI, run the [update-sensitivity-inspection-template](https://docs.aws.amazon.com/cli/latest/reference/macie2/update-sensitivity-inspection-template.html) command. In your request, use the `allowListIds` parameter to add or remove one or more allow lists from subsequent analyses:
+ To start using an allow list, specify its unique identifier for the parameter.
+ To stop using an allow list, omit its unique identifier from the parameter.

Use additional parameters to specify which managed data identifiers and custom data identifiers you want Macie to use. Also specify the Region that your request applies to. If your request succeeds, Macie updates the template and returns an empty response.

The following examples show how to use the AWS CLI to update the sensitivity inspection template for an account. The examples add an allow list to subsequent analyses. They also maintain current settings that specify which managed data identifiers and custom data identifiers to use: use the default set of managed data identifiers and two custom data identifiers.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws macie2 update-sensitivity-inspection-template \
--id fd7b6d71c8006fcd6391e6eedexample \
--includes '{"allowListIds":["nkr81bmtu2542yyexample"],"customDataIdentifierIds":["3293a69d-4a1e-4a07-8715-208ddexample","6fad0fb5-3e82-4270-bede-469f2example"]}'
```

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 update-sensitivity-inspection-template ^
--id fd7b6d71c8006fcd6391e6eedexample ^
--includes={\"allowListIds\":[\"nkr81bmtu2542yyexample\"],\"customDataIdentifierIds\":[\"3293a69d-4a1e-4a07-8715-208ddexample\",\"6fad0fb5-3e82-4270-bede-469f2example\"]}
```

Where:
+ *fd7b6d71c8006fcd6391e6eedexample* is the unique identifier for the sensitivity inspection template to update.
+ *nkr81bmtu2542yyexample* is the unique identifier for the allow list to use.
+ *3293a69d-4a1e-4a07-8715-208ddexample* and *6fad0fb5-3e82-4270-bede-469f2example* are the unique identifiers for the custom data identifiers to use.
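The three API procedures above (managed data identifiers, custom data identifiers, and allow lists) all edit the same sensitivity inspection template, and every update replaces every list in it. The following Python script, added here as an example rather than code from Macie or this guide, wraps that get/merge/update cycle so that a change to one list carries the other lists forward unchanged. It assumes the boto3 `macie2` client method names `get_sensitivity_inspection_template` and `update_sensitivity_inspection_template` (the boto3 names for the operations linked above) and the `includes`/`excludes` field names from the API reference. `FakeMacieClient` is a constructed in-memory stand-in so the script runs offline, and the IDs are the placeholder values from the CLI examples.

```python
"""Read-modify-write for a Macie sensitivity inspection template.

Added example (not Macie's own code). UpdateSensitivityInspectionTemplate
replaces the whole template, so changing one list (for example adding an
allow list) must carry the other lists forward unchanged. merge_template()
computes the full includes/excludes to send; apply_template_change() runs
the get/merge/update cycle against any object that exposes boto3's macie2
methods get_sensitivity_inspection_template and
update_sensitivity_inspection_template. FakeMacieClient is a constructed
in-memory stand-in so the module runs offline.
"""
from copy import deepcopy

MANAGED = "managedDataIdentifierIds"
# Field names as in the GetSensitivityInspectionTemplate response.
LIST_KEYS = {
    "includes": ("allowListIds", "customDataIdentifierIds", MANAGED),
    "excludes": (MANAGED,),
}


def merge_template(current, add=None, remove=None):
    """Return {"includes": {...}, "excludes": {...}} for the update request.

    `add` and `remove` map a (section, key) tuple such as
    ("includes", "customDataIdentifierIds") to a list of IDs. The API has
    no "remove" verb: stopping use of an ID means sending the list without
    it, which is exactly what this function produces.
    """
    add, remove = add or {}, remove or {}
    merged = {}
    for section, keys in LIST_KEYS.items():
        merged[section] = {}
        for key in keys:
            ids = list(current.get(section, {}).get(key, []))
            for new_id in add.get((section, key), []):
                if new_id not in ids:
                    ids.append(new_id)
            dropped = set(remove.get((section, key), []))
            merged[section][key] = [i for i in ids if i not in dropped]
    # Helper's own consistency rule (not a documented API behaviour): a managed
    # data identifier being added to includes is dropped from excludes, and
    # vice versa, so the request never asks to both use and not use an ID.
    for src, dst in (("includes", "excludes"), ("excludes", "includes")):
        moved = set(add.get((src, MANAGED), []))
        merged[dst][MANAGED] = [i for i in merged[dst][MANAGED] if i not in moved]
    return merged


def apply_template_change(client, template_id, add=None, remove=None):
    """Fetch the current template, merge the deltas, and write it back."""
    current = client.get_sensitivity_inspection_template(id=template_id)
    merged = merge_template(current, add, remove)
    client.update_sensitivity_inspection_template(
        id=template_id, includes=merged["includes"], excludes=merged["excludes"]
    )
    return merged


class FakeMacieClient:
    """Constructed in-memory stand-in for boto3.client("macie2")."""

    def __init__(self, template):
        self.template = deepcopy(template)
        self.updates = []

    def get_sensitivity_inspection_template(self, id):
        return deepcopy(self.template)

    def update_sensitivity_inspection_template(self, id, includes, excludes):
        self.updates.append(id)
        self.template["includes"] = deepcopy(includes)
        self.template["excludes"] = deepcopy(excludes)
        return {}  # the real operation returns an empty response


if __name__ == "__main__":
    # Constructed starting state: default managed set (both managed lists
    # empty), two custom data identifiers, no allow list. The IDs are the
    # placeholder values used in the CLI examples above.
    start = {
        "includes": {
            "allowListIds": [],
            "customDataIdentifierIds": [
                "3293a69d-4a1e-4a07-8715-208ddexample",
                "6fad0fb5-3e82-4270-bede-469f2example",
            ],
            MANAGED: [],
        },
        "excludes": {MANAGED: []},
    }
    client = FakeMacieClient(start)
    # Swap in boto3.client("macie2", region_name="us-east-1") for a real account.
    result = apply_template_change(
        client,
        "fd7b6d71c8006fcd6391e6eedexample",
        add={
            ("includes", "allowListIds"): ["nkr81bmtu2542yyexample"],
            ("includes", MANAGED): ["STRIPE_CREDENTIALS"],
            ("excludes", MANAGED): ["UK_ELECTORAL_ROLL_NUMBER"],
        },
    )
    print(result)
```

To run this against a real account, pass `boto3.client("macie2", region_name=...)` in place of `FakeMacieClient`; the template ID comes from `get-automated-discovery-configuration` as described above. `merge_template` always returns every list key, even when empty, so that sending empty managed data identifier lists for both `includes` and `excludes` restores the default managed set as the procedure above describes.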

------

# Disabling automated sensitive data discovery
<a name="discovery-asdd-account-disable"></a>

You can disable automated sensitive data discovery for an account or organization at any time. If you do this, Amazon Macie stops performing all automated discovery activities for the account or organization before a subsequent evaluation and analysis cycle starts, typically within 48 hours. Additional effects vary:
+ If you're a Macie administrator and you disable it for an individual account in your organization, you and the account continue to have access to all statistical data, inventory data, and other information that Macie produced and directly provided while performing automated discovery for the account. You can enable automated discovery for the account again. Macie then resumes all automated discovery activities for the account.
+ If you're a Macie administrator and you disable it for your organization, you and the accounts in your organization lose access to all statistical data, inventory data, and other information that Macie produced and directly provided while performing automated discovery for your organization. For example, your S3 bucket inventory no longer includes sensitivity visualizations or analyses statistics. You can subsequently enable automated discovery for your organization again. Macie then resumes all automated discovery activities for accounts in your organization. If you re-enable it within 30 days, you and the accounts regain access to data and information that Macie previously produced and directly provided while performing automated discovery. If you don't re-enable it within 30 days, Macie permanently deletes this data and information.
+ If you disable it for your standalone Macie account, you lose access to all statistical data, inventory data, and other information that Macie produced and directly provided while performing automated discovery for your account. If you don't re-enable it within 30 days, Macie permanently deletes this data and information.

You can continue to access sensitive data findings that Macie produced while performing automated sensitive data discovery for the account or organization. Macie stores findings for 90 days. Macie also retains your configuration settings for automated discovery. In addition, data that you stored or published to other AWS services remains intact and isn't affected, such as sensitive data discovery results in Amazon S3 and finding events in Amazon EventBridge.

**To disable automated sensitive data discovery**  
If you're the Macie administrator for an organization or you have a standalone Macie account, you can disable automated sensitive data discovery by using the Amazon Macie console or the Amazon Macie API. If you have a member account in an organization, work with your Macie administrator to disable automated discovery for your account. Only your Macie administrator can disable automated discovery for your account.

------
#### [ Console ]

Follow these steps to disable automated sensitive data discovery by using the Amazon Macie console.

**To disable automated sensitive data discovery**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to disable automated sensitive data discovery.

1. In the navigation pane, under **Settings**, choose **Automated sensitive data discovery**.

1. If you're the Macie administrator for an organization, choose an option in the **Status** section to specify the accounts to disable automated sensitive data discovery for:
   + To disable it for only particular member accounts, choose **Manage accounts**. Then, in the table on the **Accounts** page, select the checkbox for each account to disable it for. When you finish, choose **Disable automated sensitive data discovery** on the **Actions** menu.
   + To disable it for only your Macie administrator account, choose **Disable**. In the dialog box that appears, choose **My account**, and then choose **Disable**.
   + To disable it for all the accounts in your organization and your organization overall, choose **Disable**. In the dialog box that appears, choose **My organization**, and then choose **Disable**.

1. If you have a standalone Macie account, choose **Disable** in the **Status** section.

If you use Macie in multiple Regions and want to disable automated sensitive data discovery in additional Regions, repeat the preceding steps in each additional Region.

------
#### [ API ]

With the Amazon Macie API, you can disable automated sensitive data discovery in two ways. How you disable it depends partly on the type of account that you have. If you're the Macie administrator for an organization, it also depends on whether you want to disable automated discovery for only particular member accounts or your organization overall. If you disable it for your organization, you disable it for all the accounts that are currently part of your organization. If additional accounts subsequently join your organization, automated discovery is also disabled for those accounts.

To disable automated sensitive data discovery for an organization or a standalone Macie account, use the [UpdateAutomatedDiscoveryConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-configuration.html) operation. Or, if you're using the AWS Command Line Interface (AWS CLI), run the [update-automated-discovery-configuration](https://docs.aws.amazon.com/cli/latest/reference/macie2/update-automated-discovery-configuration.html) command. In your request, specify `DISABLED` for the `status` parameter.

To disable automated sensitive data discovery for only particular member accounts in an organization, use the [BatchUpdateAutomatedDiscoveryAccounts](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-accounts.html) operation. Or, if you're using the AWS CLI, run the [batch-update-automated-discovery-accounts](https://docs.aws.amazon.com/cli/latest/reference/macie2/batch-update-automated-discovery-accounts.html) command. In your request, use the `accountId` parameter to specify the account ID for an account that you want to disable automated discovery for. For the `status` parameter, specify `DISABLED`. To disable automated discovery for an account, Macie must currently be enabled for the account.

The following examples show how to use the AWS CLI to disable automated sensitive data discovery for one or more accounts in an organization. This first example disables automated discovery for an organization. It disables automated discovery for the Macie administrator account and all member accounts in the organization.

```
$ aws macie2 update-automated-discovery-configuration --status DISABLED --region us-east-1
```

Where *us-east-1* is the Region in which to disable automated sensitive data discovery for the organization, the US East (N. Virginia) Region. If the request succeeds, Macie disables automated discovery for the organization and returns an empty response.

These next examples disable automated sensitive data discovery for two member accounts in an organization. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws macie2 batch-update-automated-discovery-accounts \
--region us-east-1 \
--accounts '[{"accountId":"123456789012","status":"DISABLED"},{"accountId":"111122223333","status":"DISABLED"}]'
```

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 batch-update-automated-discovery-accounts ^
--region us-east-1 ^
--accounts=[{\"accountId\":\"123456789012\",\"status\":\"DISABLED\"},{\"accountId\":\"111122223333\",\"status\":\"DISABLED\"}]
```

Where:
+ *us-east-1* is the Region in which to disable automated sensitive data discovery for the specified accounts, the US East (N. Virginia) Region.
+ *123456789012* and *111122223333* are the account IDs for the accounts to disable automated sensitive data discovery for.

If the request succeeds for all specified accounts, Macie returns an empty `errors` array. If the request fails for some accounts, the array specifies the error that occurred for each affected account. For example:

```
"errors": [
    {
        "accountId": "123456789012",
        "errorCode": "ACCOUNT_PAUSED"
    }
]
```

In the preceding response, the request failed for the specified account (`123456789012`) because Macie is currently suspended for the account.

If the request fails for all accounts, you receive a message that describes the error that occurred. For example:

```
An error occurred (ConflictException) when calling the BatchUpdateAutomatedDiscoveryAccounts operation: Cannot modify account states while auto-enable is set to ALL.
```

In the preceding response, the request failed because the member enablement setting for the organization is currently configured to enable automated sensitive data discovery for all accounts (`ALL`). To address the error, the Macie administrator must first change this setting to `NONE` or `NEW`. For information about this setting, see [Enabling automated sensitive data discovery](discovery-asdd-account-enable.md).
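As an added example (not code from Macie or this guide), the following Python script drives the member-account path and handles both failure modes described above: it reads the member enablement setting first and refuses to proceed while it is `ALL`, then submits the batch and separates the accounts that were disabled from those reported in the `errors` array. It assumes the boto3 `macie2` method names `get_automated_discovery_configuration` and `batch_update_automated_discovery_accounts` (the boto3 names for the operations linked above), and that the member enablement setting is returned in the `autoEnableOrganizationMembers` field of the configuration response; that field name is taken from the API reference, not from this page. `FakeMacieClient` is a constructed stand-in so the script runs offline, and the account IDs are the placeholder values from the CLI examples.

```python
"""Disable automated sensitive data discovery for selected member accounts
and report the outcome per account.

Added example (not Macie's own code). BatchUpdateAutomatedDiscoveryAccounts
can succeed for some accounts and fail for others, listing the failures in
an `errors` array, and it is rejected outright (ConflictException) while
the organization's member enablement setting is ALL. disable_for_accounts()
checks that setting first, then submits the batch and splits the result
into succeeded and failed accounts. It works against any object exposing
boto3's macie2 methods get_automated_discovery_configuration and
batch_update_automated_discovery_accounts; FakeMacieClient is a constructed
stand-in so the module runs offline.
"""

# Assumption: GetAutomatedDiscoveryConfiguration returns the member
# enablement setting (ALL | NEW | NONE) as autoEnableOrganizationMembers,
# per the Macie API reference; the page above names the setting but not
# the field.
AUTO_ENABLE_FIELD = "autoEnableOrganizationMembers"


class MemberEnablementConflict(RuntimeError):
    """Raised locally instead of letting the API return ConflictException."""


def disable_for_accounts(client, account_ids):
    """Return (succeeded, failed); failed maps accountId -> errorCode."""
    config = client.get_automated_discovery_configuration()
    if config.get(AUTO_ENABLE_FIELD) == "ALL":
        raise MemberEnablementConflict(
            "member enablement is ALL; set it to NEW or NONE before "
            "disabling automated discovery for individual accounts"
        )
    resp = client.batch_update_automated_discovery_accounts(
        accounts=[{"accountId": a, "status": "DISABLED"} for a in account_ids]
    )
    # An empty errors array means every account was updated.
    failed = {e["accountId"]: e["errorCode"] for e in resp.get("errors", [])}
    succeeded = [a for a in account_ids if a not in failed]
    return succeeded, failed


class FakeMacieClient:
    """Constructed stand-in: tracks per-account status and a paused set."""

    def __init__(self, auto_enable="NONE", paused=()):
        self.auto_enable = auto_enable
        self.paused = set(paused)
        self.status = {}

    def get_automated_discovery_configuration(self):
        return {"status": "ENABLED", AUTO_ENABLE_FIELD: self.auto_enable}

    def batch_update_automated_discovery_accounts(self, accounts):
        errors = []
        for entry in accounts:
            acct = entry["accountId"]
            if acct in self.paused:
                # Macie is suspended for the account: the ACCOUNT_PAUSED
                # case shown in the sample response above.
                errors.append({"accountId": acct, "errorCode": "ACCOUNT_PAUSED"})
                continue
            self.status[acct] = entry["status"]
        return {"errors": errors}


if __name__ == "__main__":
    # Constructed scenario: member enablement is NEW, and Macie is
    # suspended for the first of the two placeholder accounts.
    client = FakeMacieClient(auto_enable="NEW", paused={"123456789012"})
    ok, bad = disable_for_accounts(client, ["123456789012", "111122223333"])
    print("disabled:", ok)  # ['111122223333']
    print("failed:", bad)   # {'123456789012': 'ACCOUNT_PAUSED'}
```

With a real client (`boto3.client("macie2", region_name="us-east-1")`), the `failed` map is what an automation job should act on: an `ACCOUNT_PAUSED` entry needs Macie re-enabled for that account before the request is retried, while a non-empty `succeeded` list alongside failures confirms the batch was applied partially rather than rejected.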

------

# Reviewing automated sensitive data discovery results
<a name="discovery-asdd-results-s3"></a>

If automated sensitive data discovery is enabled, Amazon Macie automatically generates and maintains additional inventory data, statistics, and other information about the Amazon Simple Storage Service (Amazon S3) general purpose buckets for your account. If you're the Macie administrator for an organization, by default this includes S3 buckets that your member accounts own.

The additional information captures the results of automated sensitive data discovery activities that Macie has performed thus far. It also supplements other information that Macie provides about your Amazon S3 data, such as public access and encryption settings for individual S3 buckets. In addition to metadata and statistics, Macie produces records of the sensitive data it finds and the analysis that it performs—*sensitive data findings* and *sensitive data discovery results*.

As automated sensitive data discovery progresses each day, the following features and data can help you review and evaluate the results:
+ [**Summary dashboard**](discovery-asdd-results-s3-dashboard.md) – Provides aggregated statistics for your Amazon S3 data estate. The statistics include data for key metrics such as the total number of buckets that Macie has found sensitive data in, and how many of those buckets are publicly accessible. They also report issues that affect coverage of your Amazon S3 data.
+ [**S3 buckets heat map**](discovery-asdd-results-s3-inventory-map.md) – Provides an interactive, visual representation of data sensitivity across your data estate, grouped by AWS account. For each account, the map includes aggregated sensitivity statistics and it uses colors to indicate the current sensitivity score for each bucket that the account owns. The map also uses symbols to help you identify buckets that are publicly accessible, can't be analyzed by Macie, and more.
+ [**S3 buckets table**](discovery-asdd-results-s3-inventory-table.md) – Provides summary information for each S3 bucket in your inventory. For each bucket, the table includes data such as the bucket's current sensitivity score, the number of objects that Macie can analyze in the bucket, and whether you configured any sensitive data discovery jobs to periodically analyze objects in the bucket. You can export data from the table to a comma-separated values (CSV) file.
+ [**S3 bucket details**](discovery-asdd-results-s3-inventory-details.md) – Provides detailed statistics and information about an S3 bucket. The details include a list of objects that Macie has analyzed in the bucket, and a breakdown of the types and number of occurrences of sensitive data that Macie has found in the bucket. These are in addition to details about settings that affect the security and privacy of the bucket’s data.
+ [**Sensitive data findings**](discovery-asdd-results-s3-findings.md) – Provide detailed reports of sensitive data that Macie found in individual S3 objects. The details include when Macie found the sensitive data, and the types and number of occurrences of the sensitive data that Macie found. The details also include information about the affected S3 bucket and object, including the bucket's public access settings and when the object was most recently changed.
+ [**Sensitive data discovery results**](discovery-asdd-results-s3-sddrs.md) – Provide records of the analysis that Macie performed for individual S3 objects. This includes objects that Macie doesn't find sensitive data in, and objects that Macie can't analyze due to issues or errors. If Macie finds sensitive data in an object, the sensitive data discovery result provides information about the sensitive data that Macie found.

With this data, you can evaluate data sensitivity across your Amazon S3 data estate and drill down to evaluate and investigate individual S3 buckets and objects. Combined with information that Macie provides about the security and privacy of your Amazon S3 data, you can also identify cases where immediate remediation might be necessary—for example, a publicly accessible bucket that Macie found sensitive data in.

Additional data can help you assess and monitor coverage of your Amazon S3 data. With coverage data, you can check the status of the analyses for your data estate overall and individual S3 buckets within it. You can also identify issues that prevented Macie from analyzing objects in specific buckets. If you remediate the issues, you can increase coverage of your Amazon S3 data during subsequent analysis cycles. For more information, see [Assessing automated sensitive data discovery coverage](discovery-coverage.md).

**Topics**
+ [Reviewing data sensitivity statistics on the Summary dashboard](discovery-asdd-results-s3-dashboard.md)
+ [Visualizing data sensitivity with the S3 buckets map](discovery-asdd-results-s3-inventory-map.md)
+ [Assessing data sensitivity with the S3 buckets table](discovery-asdd-results-s3-inventory-table.md)
+ [Reviewing data sensitivity details for S3 buckets](discovery-asdd-results-s3-inventory-details.md)
+ [Analyzing findings from automated sensitive data discovery](discovery-asdd-results-s3-findings.md)
+ [Accessing discovery results from automated sensitive data discovery](discovery-asdd-results-s3-sddrs.md)

# Reviewing data sensitivity statistics on the Summary dashboard
<a name="discovery-asdd-results-s3-dashboard"></a>

On the Amazon Macie console, the **Summary** dashboard provides a snapshot of aggregated statistics and findings data for your Amazon Simple Storage Service (Amazon S3) data in the current AWS Region. It's designed to help you assess the overall security posture of your Amazon S3 data.

Dashboard statistics include data for key security metrics such as the number of S3 general purpose buckets that are publicly accessible or shared with other AWS accounts. The dashboard also displays groups of aggregated findings data for your account—for example, the buckets that generated the most findings during the preceding seven days. If you're the Macie administrator for an organization, the dashboard provides aggregated statistics and data for all the accounts in your organization. You can optionally filter the data by account.

If automated sensitive data discovery is enabled, the **Summary** dashboard includes additional statistics. The statistics capture the status and results of automated discovery activities that Macie has performed thus far for your Amazon S3 data. The following image shows an example of these statistics. 

![\[Sensitive data discovery statistics on the Summary dashboard. Each statistic has example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-sensitivity.png)


The statistics are organized primarily into two sections, **Automated discovery** and **Coverage issues**. Statistics in the **Automated discovery** section provide a snapshot of the current status and results of automated sensitive data discovery activities. Statistics in the **Coverage issues** section indicate whether issues prevented Macie from analyzing objects in individual S3 buckets. The statistics don't include data for sensitive data discovery jobs that you create and run. However, remediating coverage issues for automated sensitive data discovery is likely to also increase coverage by jobs that you subsequently run.

**Topics**
+ [Displaying the dashboard](#discovery-asdd-results-s3-dashboard-view)
+ [Understanding statistics on the dashboard](#discovery-asdd-results-s3-dashboard-statistics)

## Displaying the Summary dashboard
<a name="discovery-asdd-results-s3-dashboard-view"></a>

Follow these steps to display the **Summary** dashboard on the Amazon Macie console. To query the statistics programmatically, use the [GetBucketStatistics](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3-statistics.html) operation of the Amazon Macie API.

**To display the Summary dashboard**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **Summary**. Macie displays the **Summary** dashboard.

1. To drill down and review the supporting data for an item on the dashboard, choose the item.

If you're the Macie administrator for an organization, the dashboard displays aggregated statistics and data for your account and member accounts in your organization. To display data for only a particular account, enter the account's ID in the **Account** box above the dashboard.

## Understanding sensitive data discovery statistics on the Summary dashboard
<a name="discovery-asdd-results-s3-dashboard-statistics"></a>

The **Summary** dashboard includes aggregated statistics that can help you monitor automated sensitive data discovery for your Amazon S3 data. It provides a snapshot of the current status and results of the analyses for your Amazon S3 data in the current AWS Region. For example, you can use dashboard statistics to quickly determine how many S3 buckets Amazon Macie has found sensitive data in, and how many of those buckets are publicly accessible. You can also assess coverage of your Amazon S3 data. Coverage statistics can help you identify issues that prevent Macie from analyzing objects in individual S3 buckets. 

On the dashboard, statistics for automated sensitive data discovery are organized into the following sections:
+ [Storage and sensitive data discovery](#discovery-asdd-results-s3-dashboard-storage-statistics)
+ [Automated discovery](#discovery-asdd-results-s3-dashboard-sensitivity-statistics)
+ [Coverage issues](#discovery-asdd-results-s3-dashboard-coverage-statistics)

Individual statistics in each section are as follows. For information about statistics in other sections of the dashboard, see [Understanding components of the Summary dashboard](monitoring-s3-dashboard.md#monitoring-s3-dashboard-components-main).

### Storage and sensitive data discovery
<a name="discovery-asdd-results-s3-dashboard-storage-statistics"></a>

At the top of the dashboard, statistics indicate how much data you store in Amazon S3, and how much of that data Amazon Macie can analyze to detect sensitive data. The following image shows an example of these statistics for an organization with seven accounts.

![\[The Storage and sensitive data discovery section of the dashboard. Each field contains example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-storage.png)


Individual statistics in this section are:
+ **Total accounts** – This field appears if you're the Macie administrator for an organization or you have a standalone Macie account. It indicates the total number of AWS accounts that own buckets in your bucket inventory. If you're a Macie administrator, this is the total number of Macie accounts that you manage for your organization. If you have a standalone Macie account, this value is *1*.
+ **Total S3 buckets** – This field appears if you have a member account in an organization. It indicates the total number of general purpose buckets in your inventory, including buckets that don't store any objects.
+ **Storage** – These statistics provide information about the storage size of objects in your bucket inventory:
  + **Classifiable** – The total storage size of all the objects that Macie can analyze in the buckets.
  + **Total** – The total storage size of all the objects in the buckets, including objects that Macie can’t analyze.

  If any of the objects are compressed files, these values don’t reflect the actual size of those files after they’re decompressed. If versioning is enabled for any of the buckets, these values are based on the storage size of the latest version of each object in those buckets.
+ **Objects** – These statistics provide information about the number of objects in your bucket inventory:
  + **Classifiable** – The total number of objects that Macie can analyze in the buckets.
  + **Total** – The total number of objects in the buckets, including objects that Macie can’t analyze.

In the preceding statistics, data and objects are *classifiable* if they use a supported Amazon S3 storage class and they have a file name extension for a supported file or storage format. You can detect sensitive data in the objects by using Macie. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).

Note that **Storage** and **Objects** statistics don't include data about objects in buckets that Macie isn't allowed to access. To identify buckets where this is the case, choose the **Access denied** statistic in the **Coverage issues** section of the dashboard.

### Automated discovery
<a name="discovery-asdd-results-s3-dashboard-sensitivity-statistics"></a>

This section captures the status and results of automated sensitive data discovery activities that Amazon Macie has performed thus far for your Amazon S3 data. The following image shows an example of the statistics that this section provides.

![\[The Automated discovery section of the dashboard. A chart and related fields contain example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-asdd.png)


Individual statistics in this section are as follows.

**Total buckets**  
The doughnut chart indicates the total number of buckets in your bucket inventory. The chart groups the buckets into categories based on each bucket's current sensitivity score:  
+ **Sensitive** (*red*) – The total number of buckets whose sensitivity score ranges from *51* through *100*.
+ **Not sensitive** (*blue*) – The total number of buckets whose sensitivity score ranges from *1* through *49*.
+ **Not yet analyzed** (*light gray*) – The total number of buckets whose sensitivity score is *50*.
+ **Classification error** (*dark gray*) – The total number of buckets whose sensitivity score is *-1*.
For details about the range of sensitivity scores and labels that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).  
To review additional statistics for a group, hover over the group:  
+ **Buckets** – The total number of buckets.
+ **Publicly accessible** – The total number of buckets that allow the general public to have read or write access to the bucket.
+ **Classifiable bytes** – The total storage size of all the objects that Macie can analyze in the buckets. These objects use supported Amazon S3 storage classes and they have file name extensions for supported file or storage formats. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).
+ **Total bytes** – The total storage size of all the buckets.
In the preceding statistics, storage size values are based on the storage size of the latest version of each object in the buckets. If any of the objects are compressed files, these values don’t reflect the actual size of those files after they’re decompressed.

**Sensitive**  
This area indicates the total number of buckets that currently have a sensitivity score ranging from *51* through *100*. Within this group, **Publicly accessible** indicates the total number of buckets that also allow the general public to have read or write access to the bucket.

**Not sensitive**  
This area indicates the total number of buckets that currently have a sensitivity score ranging from *1* through *49*. Within this group, **Publicly accessible** indicates the total number of buckets that also allow the general public to have read or write access to the bucket.

To determine and calculate values for **Publicly accessible** statistics, Macie analyzes a combination of account- and bucket-level settings for each bucket, such as the block public access settings for the account and bucket, and the bucket policy for the bucket. Macie does this for up to 10,000 buckets for an account. For more information, see [How Macie monitors Amazon S3 data security](monitoring-s3-how-it-works.md).

Note that statistics in the **Automated discovery** section don't include the results of sensitive data discovery jobs that you create and run.

### Coverage issues
<a name="discovery-asdd-results-s3-dashboard-coverage-statistics"></a>

In this section, statistics indicate whether certain types of issues prevented Amazon Macie from analyzing objects in individual S3 buckets. The following image shows an example of the statistics that this section provides.

![\[The Coverage issues section of the dashboard. Each field contains example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-coverage.png)


Individual statistics in this section are:
+ **Access denied** – The total number of buckets that Macie isn't allowed to access. Macie can't analyze any objects in these buckets. The buckets' permissions settings prevent Macie from accessing the buckets and the buckets' objects.
+ **Classification error** – The total number of buckets that Macie hasn't analyzed yet due to object-level classification errors. Macie tried to analyze one or more objects in these buckets. However, Macie couldn't analyze the objects due to issues with object-level permissions settings, object content, or quotas.
+ **Unclassifiable** – The total number of buckets that don't store any classifiable objects. Macie can't analyze any objects in these buckets. All the objects use Amazon S3 storage classes that Macie doesn't support, or they have file name extensions for file or storage formats that Macie doesn't support. 

Choose the value for a statistic to display additional details and, as applicable, remediation guidance. If you remediate access issues and classification errors, you can increase coverage of your Amazon S3 data during subsequent analysis cycles. For more information, see [Assessing automated sensitive data discovery coverage](discovery-coverage.md).

Note that statistics in the **Coverage issues** section don't explicitly include data for sensitive data discovery jobs that you create and run. However, remediating coverage issues that affect automated sensitive data discovery is likely to also increase coverage by jobs that you subsequently run.

# Visualizing data sensitivity with the S3 buckets map
<a name="discovery-asdd-results-s3-inventory-map"></a>

On the Amazon Macie console, the **S3 buckets** heat map provides an interactive, visual representation of data sensitivity across your Amazon Simple Storage Service (Amazon S3) data estate. It captures the results of automated sensitive data discovery activities that Macie has performed thus far for your Amazon S3 data in the current AWS Region.

If you're the Macie administrator for an organization, the map includes results for S3 buckets that your member accounts own. The data is grouped by AWS account and sorted by account ID, as shown in the following image.

![\[The S3 buckets map. It shows different colored squares, one for each bucket, grouped by account.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-s3-map-small.png)


The map displays data for up to 100 S3 buckets for each account. To display data for all buckets, you can [switch to table view](discovery-asdd-results-s3-inventory-table.md) and review the data in tabular format instead.

To display the map, choose **S3 buckets** in the navigation pane on the console. Then choose map (![\[The map view button, which is a button that displays four black squares.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-map-view.png)) at the top of the page. The map is available only if automated sensitive data discovery is currently enabled. It doesn't include the results of sensitive data discovery jobs that you create and run.

**Topics**
+ [Interpreting data in the S3 buckets map](#discovery-asdd-results-s3-inventory-map-legend)
+ [Interacting with the S3 buckets map](#discovery-asdd-results-s3-inventory-map-use)

## Interpreting data in the S3 buckets map
<a name="discovery-asdd-results-s3-inventory-map-legend"></a>

In the **S3 buckets** map, each square represents an S3 general purpose bucket in your bucket inventory. The color of a square represents a bucket's current sensitivity score, which measures the intersection of two primary dimensions: the amount of sensitive data that Macie has found in the bucket, and the amount of data that Macie has analyzed in the bucket. The intensity of the color's hue represents where a score falls in a range of data sensitivity values, as shown in the following image.

![\[The color spectrum for sensitivity scores: blue hues for 1-49, red hues for 51-100, and gray for -1.\]](http://docs.aws.amazon.com/macie/latest/user/images/sensitivity-scoring-spectrum.png)


In general, you can interpret color and hue intensity as follows:
+ **Blue** – If a bucket's current sensitivity score ranges from *1* through *49*, the bucket's square is blue and the bucket's sensitivity label is **Not sensitive**. The intensity of the blue hue reflects the number of unique objects that Macie has analyzed in the bucket relative to the total number of unique objects in the bucket. A darker hue indicates a lower sensitivity score.
+ **No color** – If a bucket's current sensitivity score is *50*, the bucket's square isn't colored and the bucket's sensitivity label is **Not yet analyzed**. In addition, the square has a dashed border.
+ **Red** – If a bucket's current sensitivity score ranges from *51* through *100*, the bucket's square is red and the bucket's sensitivity label is **Sensitive**. The intensity of the red hue reflects the amount of sensitive data that Macie has found in the bucket. A darker hue indicates a higher sensitivity score.
+ **Gray** – If a bucket's current sensitivity score is *-1*, the bucket's square is dark gray and the bucket's sensitivity label is **Classification error**. Hue intensity doesn't vary.

For details about the range of sensitivity scores and labels that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).

In the map, the square for an S3 bucket might also contain a symbol. The symbol indicates an error, issue, or other type of consideration that might affect your evaluation of a bucket's sensitivity. A symbol can also indicate a potential issue with the security of the bucket—for example, the bucket is publicly accessible. The following table lists the symbols that Macie uses to notify you of these cases.


| Symbol | Definition | Description | 
| --- | --- | --- | 
|  ![\[The Access denied symbol, which is a gray exclamation point.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-map-access-denied.png)  | Access denied |  Macie isn't allowed to access the bucket or the bucket's objects. Consequently, Macie can't analyze any objects in the bucket.  This issue typically occurs because a bucket has a restrictive bucket policy. For information about how to address this issue, see [Allowing Macie to access S3 buckets and objects](monitoring-restrictive-s3-buckets.md).  | 
|  ![\[The Publicly accessible symbol, which is a solid, gray, upward-facing arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-map-publicly-accessible.png)  | Publicly accessible |  The general public has read or write access to the bucket. To make this determination, Macie analyzes a combination of settings for each bucket, such as the block public access settings for the account and the bucket, and the bucket policy for the bucket. Macie can do this for up to 10,000 buckets for an account. For more information, see [How Macie monitors Amazon S3 data security](monitoring-s3-how-it-works.md).  | 
|  ![\[The Unclassifiable symbol, which is a gray question mark.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-map-unclassifiable.png)  | Unclassifiable |  Macie can't analyze any objects in the bucket. All the bucket's objects use Amazon S3 storage classes that Macie doesn't support, or they have file name extensions for file or storage formats that Macie doesn't support. For Macie to analyze an object, the object must use a supported storage class and have a file name extension for a supported file or storage format. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).  | 
|  ![\[The Zero bytes symbol, which is the number zero.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-map-zero-bytes.png)  | Zero bytes |  The bucket doesn't store any objects for Macie to analyze. The bucket is empty or all the objects in the bucket contain zero (0) bytes of data.  | 

## Interacting with the S3 buckets map
<a name="discovery-asdd-results-s3-inventory-map-use"></a>

As you review the **S3 buckets** map, you can interact with it in different ways to reveal and evaluate additional data and details for individual accounts and buckets. Follow these steps to display the map and use various features that it provides. 

**To interact with the S3 buckets map**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays a map of your bucket inventory. If the page displays your inventory in tabular format instead, choose map (![\[The map view button, which is a button that displays four black squares.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-map-view.png)) at the top of the page.

   By default, the map doesn't display data for buckets that are currently excluded from automated sensitive data discovery. If you're the Macie administrator for an organization, it also doesn't display data for accounts for which automated sensitive data discovery is currently disabled. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. At the top of the page, optionally choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) to retrieve the latest bucket metadata from Amazon S3.

1. In the **S3 buckets** map, do any of the following:
   + To determine how many buckets have a specific sensitivity label, refer to the colored badges immediately below an AWS account ID. The badges display aggregated bucket counts, broken down by sensitivity label.

     For example, the red badge reports the total number of buckets that are owned by the account and have the **Sensitive** label. The sensitivity score for these buckets ranges from *51* through *100*. The blue badge reports the total number of buckets that are owned by the account and have the **Not sensitive** label. The sensitivity score for these buckets ranges from *1* through *49*.
   + To review a subset of information about a bucket, hover over the bucket's square. A popover displays the bucket's name and current sensitivity score.

     The popover also displays the total number of objects that Macie can analyze in the bucket and the total storage size of the latest version of those objects. These objects are *classifiable*. They use supported Amazon S3 storage classes and they have file name extensions for supported file or storage formats. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).
   + To filter the map and display only those buckets that have a specific value for a field, place your cursor in the filter box, and then add a filter condition for the field. Macie applies the condition's criteria and displays the condition below the filter box. To further refine the results, add filter conditions for additional fields. For more information, see [Filtering your S3 bucket inventory](monitoring-s3-inventory-filter.md).
   + To drill down and display only those buckets that are owned by a particular account, choose the account ID for the account. Macie opens a new tab that filters and displays data only for that account.

1. To review data sensitivity statistics and other information for a particular bucket, choose the bucket's square. Then refer to the details panel. For information about these details, see [Reviewing data sensitivity details for S3 buckets](discovery-asdd-results-s3-inventory-details.md).
**Tip**  
On the **Bucket details** tab of the panel, you can pivot and drill down on many of the fields. To show buckets that have the same value for a field, choose ![\[The zoom in icon, which is a magnifying glass that has a plus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-plus-sign.png) in the field. To show buckets that have other values for a field, choose ![\[The zoom out icon, which is a magnifying glass that has a minus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-minus-sign.png) in the field.

# Assessing data sensitivity with the S3 buckets table
<a name="discovery-asdd-results-s3-inventory-table"></a>

To review summary information for your Amazon Simple Storage Service (Amazon S3) buckets, you can use the **S3 buckets** table on the Amazon Macie console. By using the table, you can review and analyze an inventory of your general purpose buckets in the current AWS Region, and drill down to review detailed information and statistics for individual buckets. If you're the Macie administrator for an organization, the table includes information about buckets that your member accounts own. If you prefer to access and query the data programmatically, you can use the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation of the Amazon Macie API. 

On the console, you can sort and filter the table to customize your view. You can also export data from the table to a comma-separated values (CSV) file. If you choose an S3 bucket in the table, the details panel displays additional information about the bucket. This includes details and statistics for settings and metrics that provide insight into the security and privacy of the bucket’s data. If automated sensitive data discovery is enabled, it also includes data that captures the results of automated discovery activities that Macie has performed thus far for the bucket.

**To assess data sensitivity by using the S3 buckets table**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays your bucket inventory.

   By default, the page doesn't display data for buckets that are currently excluded from automated sensitive data discovery. If you're the Macie administrator for an organization, it also doesn't display data for accounts for which automated sensitive data discovery is currently disabled. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. Choose table (![\[The table view button, which is a button that displays three black horizontal lines.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-table-view.png)) at the top of the page. Macie displays the number of buckets in your inventory and a table of the buckets.

1. To retrieve the latest bucket metadata from Amazon S3, choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) at the top of the page.

   If the information icon (![\[The information icon, which is a blue circle that has a lowercase letter i in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-info-blue.png)) appears next to any bucket names, we recommend that you do this. This icon indicates that a bucket was created during the past 24 hours, possibly after Macie last retrieved bucket and object metadata from Amazon S3 as part of the [daily refresh cycle](monitoring-s3-how-it-works.md#monitoring-s3-how-it-works-data-refresh).

1. In the **S3 buckets** table, review summary information about each bucket in your inventory:
   + **Sensitivity** – The bucket's current sensitivity score. For information about the range of sensitivity scores that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).
   + **Bucket** – The name of the bucket.
   + **Account** – The account ID for the AWS account that owns the bucket.
   + **Classifiable objects** – The total number of objects that Macie can analyze to detect sensitive data in the bucket.
   + **Classifiable size** – The total storage size of all the objects that Macie can analyze to detect sensitive data in the bucket.

     This value doesn’t reflect the actual size of any compressed objects after they're decompressed. Also, if versioning is enabled for the bucket, this value is based on the storage size of the latest version of each object in the bucket.
   + **Monitored by job** – Whether you configured any sensitive data discovery jobs to periodically analyze objects in the bucket on a daily, weekly, or monthly basis.

     If the value for this field is *Yes*, the bucket is explicitly included in a periodic job or the bucket matched the criteria for a periodic job within the past 24 hours. In addition, the status of at least one of those jobs is not *Cancelled*. Macie updates this data on a daily basis.
   + **Latest job run** – If you configured any one-time or periodic sensitive data discovery jobs to analyze objects in the bucket, this field indicates the most recent date and time when one of those jobs started to run. Otherwise, a dash (–) appears in this field. 

   In the preceding data, objects are *classifiable* if they use a supported Amazon S3 storage class and they have a file name extension for a supported file or storage format. You can detect sensitive data in the objects by using Macie. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).

1. To analyze your inventory by using the table, do any of the following:
   + To sort the table by a specific field, choose the column heading for the field. To change the sort order, choose the column heading again.
   + To filter the table and display only those buckets that have a specific value for a field, place your cursor in the filter box, and then add a filter condition for the field. To further refine the results, add filter conditions for additional fields. For more information, see [Filtering your S3 bucket inventory](monitoring-s3-inventory-filter.md).
   + To review data sensitivity statistics and other information for a particular bucket, choose the bucket's name. Then refer to the details panel. For information about these details, see [Reviewing data sensitivity details for S3 buckets](discovery-asdd-results-s3-inventory-details.md).
**Tip**  
On the **Bucket details** tab of the panel, you can pivot and drill down on many of the fields. To show buckets that have the same value for a field, choose ![\[The zoom in icon, which is a magnifying glass that has a plus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-plus-sign.png) in the field. To show buckets that have other values for a field, choose ![\[The zoom out icon, which is a magnifying glass that has a minus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-minus-sign.png) in the field.

1. To export data from the table to a CSV file, select the checkbox for each row to export, or select the checkbox in the selection column heading to select all rows. Then choose **Export to CSV** at the top of the page. You can export up to 50,000 rows from the table. 

1. To perform deeper, more immediate analysis of objects in one or more buckets, select the checkbox for each bucket. Then choose **Create job**. For more information, see [Creating a sensitive data discovery job](discovery-jobs-create.md).
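The dashboard's **Sensitive**/**Not sensitive**/**Publicly accessible** counts and the **Coverage issues** statistics can be reproduced from the per-bucket data that the DescribeBuckets operation returns, which is useful for alerting on buckets that are both sensitive and public. The following is an added example, not Macie's own code: it applies the sensitivity score ranges and labels documented above, and it assumes the `sensitivityScore`, `publicAccess.effectivePermission`, `errorCode`, `objectCount` and `classifiableObjectCount` fields of the DescribeBuckets response; the sample records, the `Unknown` fallback label and the unclassifiable heuristic are constructed assumptions.

```python
"""Reproduce Summary dashboard sensitivity and coverage counts from
DescribeBuckets records. Added example, not Macie's own code."""
from collections import Counter
from typing import Iterable, Optional

# Sensitivity score ranges and labels as documented for the dashboard.
LABEL_SENSITIVE = "Sensitive"                        # 51 through 100
LABEL_NOT_SENSITIVE = "Not sensitive"                # 1 through 49
LABEL_NOT_ANALYZED = "Not yet analyzed"              # exactly 50
LABEL_CLASSIFICATION_ERROR = "Classification error"  # exactly -1
UNKNOWN_LABEL = "Unknown"  # assumption: scores outside the documented ranges


def label_for_score(score) -> str:
    """Map a bucket's sensitivityScore to the label the console shows."""
    if score is None:
        return UNKNOWN_LABEL
    if score == -1:
        return LABEL_CLASSIFICATION_ERROR
    if score == 50:
        return LABEL_NOT_ANALYZED
    if 51 <= score <= 100:
        return LABEL_SENSITIVE
    if 1 <= score <= 49:
        return LABEL_NOT_SENSITIVE
    return UNKNOWN_LABEL


def is_public(bucket: dict) -> bool:
    """True when Macie's effective-permission evaluation for the bucket is PUBLIC."""
    return bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC"


def summarize(buckets: Iterable[dict]) -> dict:
    """Aggregate DescribeBuckets records into dashboard-style counts."""
    by_label = Counter()
    public_by_label = Counter()
    coverage = Counter()
    flagged = []  # Sensitive AND publicly accessible: review these first
    for b in buckets:
        label = label_for_score(b.get("sensitivityScore"))
        by_label[label] += 1
        if is_public(b):
            public_by_label[label] += 1
            if label == LABEL_SENSITIVE:
                flagged.append(b["bucketName"])
        # Coverage issues, mirroring the dashboard's three statistics.
        if b.get("errorCode") == "ACCESS_DENIED":
            coverage["Access denied"] += 1
        elif label == LABEL_CLASSIFICATION_ERROR:
            coverage["Classification error"] += 1
        elif b.get("objectCount", 0) > 0 and b.get("classifiableObjectCount", 0) == 0:
            # assumption: objects exist but none is classifiable (unsupported
            # storage class or file format), which the console calls Unclassifiable
            coverage["Unclassifiable"] += 1
    return {
        "total_buckets": sum(by_label.values()),
        "by_label": dict(by_label),
        "publicly_accessible": dict(public_by_label),
        "coverage_issues": dict(coverage),
        "sensitive_and_public": sorted(flagged),
    }


def fetch_buckets(region_name: str, account_id: Optional[str] = None) -> list:
    """Page through DescribeBuckets for one Region (needs boto3 and credentials,
    so it is not exercised offline). account_id optionally narrows the inventory
    the way the console's Account box does."""
    import boto3  # imported here so the offline sample below needs no boto3
    client = boto3.client("macie2", region_name=region_name)
    kwargs = {"maxResults": 50}
    if account_id:
        kwargs["criteria"] = {"accountId": {"eq": [account_id]}}
    buckets, token = [], None
    while True:
        if token:
            kwargs["nextToken"] = token
        page = client.describe_buckets(**kwargs)
        buckets.extend(page.get("buckets", []))
        token = page.get("nextToken")
        if not token:
            return buckets


# Constructed sample records in the shape of DescribeBuckets output (not real data).
SAMPLE_BUCKETS = [
    {"bucketName": "hr-exports", "sensitivityScore": 87, "objectCount": 120,
     "classifiableObjectCount": 118, "publicAccess": {"effectivePermission": "PUBLIC"}},
    {"bucketName": "app-assets", "sensitivityScore": 12, "objectCount": 3000,
     "classifiableObjectCount": 2990, "publicAccess": {"effectivePermission": "PUBLIC"}},
    {"bucketName": "new-ingest", "sensitivityScore": 50, "objectCount": 40,
     "classifiableObjectCount": 40, "publicAccess": {"effectivePermission": "NOT_PUBLIC"}},
    {"bucketName": "locked-down", "sensitivityScore": 50, "objectCount": 0,
     "classifiableObjectCount": 0, "errorCode": "ACCESS_DENIED",
     "publicAccess": {"effectivePermission": "UNKNOWN"}},
    {"bucketName": "glacier-archive", "sensitivityScore": 50, "objectCount": 500,
     "classifiableObjectCount": 0, "publicAccess": {"effectivePermission": "NOT_PUBLIC"}},
    {"bucketName": "broken-zips", "sensitivityScore": -1, "objectCount": 9,
     "classifiableObjectCount": 9, "publicAccess": {"effectivePermission": "NOT_PUBLIC"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_BUCKETS), indent=2))
```

Replace `SAMPLE_BUCKETS` with `fetch_buckets("us-east-1")` to run the same aggregation against a live inventory; the `sensitive_and_public` list is the set the console reports under **Sensitive** > **Publicly accessible**.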

# Reviewing data sensitivity details for S3 buckets
<a name="discovery-asdd-results-s3-inventory-details"></a>

As automated sensitive data discovery progresses, you can review detailed results in statistics and other information that Amazon Macie provides about each of your Amazon Simple Storage Service (Amazon S3) buckets. If you're the Macie administrator for an organization, this includes buckets that your member accounts own.

The statistics and information include details that provide insight into the security and privacy of an S3 bucket’s data. They also capture the results of automated sensitive data discovery activities that Macie has performed thus far for a bucket. For example, you can find a list of objects that Macie has analyzed in a bucket. You can also find a breakdown of the types and number of occurrences of sensitive data that Macie has found in a bucket. Note that this data doesn't include the results of sensitive data discovery jobs that you create and run.

Macie automatically recalculates and updates statistics and details for your S3 buckets while it performs automated sensitive data discovery. For example:
+ If Macie doesn't find sensitive data in an S3 object, Macie decreases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary. Macie also adds the object to the list of objects that it selected for analysis.
+ If Macie finds sensitive data in an S3 object, Macie adds those occurrences to the breakdown of sensitive data types that Macie has found in the bucket. Macie also increases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary. In addition, Macie adds the object to the list of objects that it selected for analysis. These tasks are in addition to creating a sensitive data finding for the object.
+ If Macie finds sensitive data in an S3 object that's subsequently changed or deleted, Macie removes sensitive data occurrences for the object from the bucket's breakdown of sensitive data types. Macie also decreases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary. In addition, Macie removes the object from the list of objects that it selected for analysis.
+ If Macie attempts to analyze an S3 object but an issue or error prevents analysis, Macie adds the object to the list of objects that it selected for analysis, and indicates that it wasn't able to analyze the object.

If you're the Macie administrator for an organization or you have a standalone Macie account, you can optionally use these details to assess and adjust certain automated discovery settings for an S3 bucket. For example, you can include or exclude specific types of sensitive data from a bucket's score. For more information, see [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md).

**To review data sensitivity details for an S3 bucket**  
To review data sensitivity and other details for an S3 bucket, you can use the Amazon Macie console or the Amazon Macie API. On the console, the details panel provides centralized access to this information. With the API, you can retrieve and process the data programmatically.

------
#### [ Console ]

Follow these steps to review data sensitivity and other details for an S3 bucket by using the Amazon Macie console.

**To review the details for an S3 bucket**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays an interactive map of your bucket inventory. Optionally choose table (![\[The table view button, which is a button that displays three black horizontal lines.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-table-view.png)) at the top of the page to display your inventory in tabular format instead.

   By default, the page doesn't display data for buckets that are currently excluded from automated sensitive data discovery. If you're the Macie administrator for an organization, it also doesn't display data for accounts that automated sensitive data discovery is currently disabled for. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. To retrieve the latest bucket metadata from Amazon S3, choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) at the top of the page.

1. Choose the bucket whose details you want to review. The details panel displays data sensitivity statistics and other information about the bucket.

The top of the panel shows general information about the bucket: the bucket's name, the account ID for the AWS account that owns the bucket, and the bucket's current sensitivity score. If you're a Macie administrator or you have a standalone Macie account, it also provides options for changing certain automated discovery settings for the bucket. Additional settings and information are organized into the following tabs:

[Sensitivity](#discovery-asdd-results-s3-inventory-sensitivity-details) | [Bucket details](#discovery-asdd-results-s3-inventory-bucket-details) | [Object samples](#discovery-asdd-results-s3-inventory-sample-details) | [Sensitive data discovery](#discovery-asdd-results-s3-inventory-sdd-details)

Individual settings and information on each tab are as follows.

**Sensitivity**  
This tab shows the bucket's current sensitivity score, ranging from *-1* to *100*. For information about the range of sensitivity scores that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).  
The tab also provides a breakdown of the types of sensitive data that Macie has found in the bucket's objects, and the number of occurrences of each type:  
+ **Sensitive data type** – The unique identifier (ID) for the managed data identifier that detected the data, or the name of the custom data identifier that detected the data.

  A managed data identifier's ID describes the type of sensitive data that it's designed to detect—for example, **USA\_PASSPORT\_NUMBER** for US passport numbers. For details about each managed data identifier, see [Using managed data identifiers](managed-data-identifiers.md).
+ **Count** – The total number of occurrences of the data that the managed or custom data identifier detected.
+ **Scoring status** – This field appears if you're a Macie administrator or you have a standalone Macie account. It specifies whether occurrences of the data are included or excluded from the bucket's sensitivity score.

  If Macie calculates the bucket's score, you can adjust the calculation by including or excluding specific types of sensitive data from the score: select the checkbox for the identifier that detected the sensitive data to include or exclude, and then choose an option on the **Actions** menu. For more information, see [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md).
If Macie hasn't found sensitive data in objects that the bucket currently stores, this section shows the **No detections found** message.  
Note that the **Sensitivity** tab doesn't include data for objects that were changed or deleted after Macie analyzed them. If objects are changed or deleted after analysis, Macie automatically recalculates and updates the appropriate statistics and data to exclude the objects.

**Bucket details**  
This tab provides details about the bucket's settings, including data security and privacy settings. For example, you can review breakdowns of the bucket’s public access settings, and determine whether the bucket replicates objects or is shared with other AWS accounts.  
Of special note, the **Last updated** field indicates when Macie most recently retrieved metadata from Amazon S3 for the bucket or the bucket’s objects. The **Latest automated discovery run** field indicates when Macie most recently analyzed objects in the bucket while performing automated sensitive data discovery. If this analysis hasn't occurred, a dash (–) appears in this field.  
The tab also provides object-level statistics that can help you assess how much data Macie can analyze in the bucket. It also indicates whether you configured any sensitive data discovery jobs to analyze objects in the bucket. If you have, you can access details about the job that ran most recently and then optionally display any findings that the job produced.  
In certain cases, this tab might not include all the details of a bucket. This can occur if you store more than 10,000 buckets in Amazon S3. Macie maintains complete inventory data for only 10,000 buckets for an account—the 10,000 buckets that were most recently created or changed. Macie can, however, analyze objects in buckets that exceed this quota. To review additional details for the buckets, use Amazon S3.  
For additional details about the information on this tab, see [Reviewing the details of S3 buckets](monitoring-s3-inventory-review.md#monitoring-s3-inventory-view-details).

**Object samples**  
This tab lists objects that Macie selected for analysis while performing automated sensitive data discovery for the bucket. Optionally choose an object's name to open the Amazon S3 console and display the object's properties.  
The list includes data for up to 100 objects. The list is ordered by the value of the **Object sensitivity** field: **Sensitive** objects first, followed by **Not sensitive** objects, followed by objects that Macie wasn't able to analyze.  
In the list, the **Object sensitivity** field indicates whether Macie found sensitive data in an object:  
+ **Sensitive** – Macie found at least one occurrence of sensitive data in the object.
+ **Not sensitive** – Macie didn't find sensitive data in the object.
+ **–** (*dash*) – Macie wasn't able to complete its analysis of the object due to an issue or error.
The **Classification result** field indicates whether Macie was able to analyze an object:  
+ **Complete** – Macie completed its analysis of the object.
+ **Partial** – Macie analyzed only a subset of data in the object due to an issue or error. For example, the object is an archive file that contains files in an unsupported format.
+ **Skipped** – Macie wasn't able to analyze any data in the object due to an issue or error. For example, the object is encrypted with a key that Macie isn't allowed to use.
Note that the list doesn't include objects that were changed or deleted after Macie analyzed or attempted to analyze them. Macie automatically removes an object from the list if the object is subsequently changed or deleted.

**Sensitive data discovery**  
This tab provides aggregated, automated sensitive data discovery statistics for the bucket:  
+ **Analyzed bytes** – The total amount of data, in bytes, that Macie has analyzed in the bucket.
+ **Classifiable bytes** – The total storage size, in bytes, of all the objects that Macie can analyze in the bucket. These objects use supported Amazon S3 storage classes and they have file name extensions for supported file or storage formats. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).
+ **Total detections** – The total number of occurrences of sensitive data that Macie has found in the bucket. This includes occurrences that are currently suppressed by the sensitivity scoring settings for the bucket.
The **Objects analyzed** chart indicates the total number of objects that Macie has analyzed in the bucket. It also provides a visual representation of the number of objects that Macie did or didn't find sensitive data in. The legend below the chart shows a breakdown of these results:  
+ **Sensitive objects** (*red*) – The total number of objects that Macie found at least one occurrence of sensitive data in.
+ **Not sensitive objects** (*blue*) – The total number of objects that Macie didn't find sensitive data in.
+ **Objects skipped** (*dark gray*) – The total number of objects that Macie wasn't able to analyze due to an issue or error.
The area below the chart's legend provides a breakdown of cases where Macie wasn't able to analyze objects because certain types of permissions issues or cryptographic errors occurred:  
+ **Skipped: Invalid encryption** – The total number of objects that are encrypted with customer-provided keys. Macie can't access these keys.
+ **Skipped: Invalid KMS** – The total number of objects that are encrypted with AWS Key Management Service (AWS KMS) keys that are no longer available. These objects are encrypted with AWS KMS keys that were disabled, are scheduled for deletion, or were deleted. Macie can't use these keys.
+ **Skipped: Permission denied** – The total number of objects that Macie isn't allowed to access due to the permissions settings for the object, or the permissions settings for the key that was used to encrypt the object.
For details about these and other types of issues and errors that can occur, see [Remediating coverage issues](discovery-coverage-remediate.md). If you remediate the issues and errors, you can increase coverage of the bucket's data during subsequent analysis cycles.  
Statistics on the **Sensitive data discovery** tab don't include data for objects that were changed or deleted after Macie analyzed or attempted to analyze them. If objects are changed or deleted after Macie analyzes or attempts to analyze them, Macie automatically recalculates these statistics to exclude the objects.

------
#### [ API ]

To retrieve data sensitivity and other details for an S3 bucket programmatically, you have several options. The appropriate option depends on the details that you want to retrieve:
+ To retrieve a bucket's current sensitivity score and aggregated analysis statistics, use the [GetResourceProfile](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles.html) operation. Or, if you're using the AWS Command Line Interface (AWS CLI), run the [get-resource-profile](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-resource-profile.html) command. The statistics include data such as the number of objects that Macie has analyzed, and the number of objects that Macie has found sensitive data in.
+ To retrieve a breakdown of the types and amount of sensitive data that Macie has found in a bucket, use the [ListResourceProfileDetections](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles-detections.html) operation. Or, if you're using the AWS CLI, run the [list-resource-profile-detections](https://docs.aws.amazon.com/cli/latest/reference/macie2/list-resource-profile-detections.html) command. The breakdown also provides details about the managed or custom data identifier that detected each type of sensitive data.
+ To retrieve a list of up to 100 objects that Macie selected from a bucket for analysis, use the [ListResourceProfileArtifacts](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles-artifacts.html) operation. Or, if you're using the AWS CLI, run the [list-resource-profile-artifacts](https://docs.aws.amazon.com/cli/latest/reference/macie2/list-resource-profile-artifacts.html) command. For each object, the list specifies the object's Amazon Resource Name (ARN), whether Macie completed its analysis of the object, and whether Macie found sensitive data in the object.

In your request, use the `resourceArn` parameter to specify the ARN of the bucket to retrieve the details for. If you're using the AWS CLI, use the `resource-arn` parameter to specify the ARN.

For additional details about an S3 bucket, such as the bucket's public access settings, use the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation. If you're using the AWS CLI, run the [describe-buckets](https://docs.aws.amazon.com/cli/latest/reference/macie2/describe-buckets.html) command to retrieve these details. In your request, optionally use filter criteria to specify the name of the bucket. For more information and examples, see [Filtering your S3 bucket inventory](monitoring-s3-inventory-filter.md).

The following examples show how to use the AWS CLI to retrieve data sensitivity details for an S3 bucket. This first example retrieves the current sensitivity score and aggregated analysis statistics for a bucket.

```
$ aws macie2 get-resource-profile --resource-arn arn:aws:s3:::amzn-s3-demo-bucket
```

Where *arn:aws:s3:::amzn-s3-demo-bucket* is the ARN of the bucket. If the request succeeds, you receive output similar to the following:

```
{
    "profileUpdatedAt": "2024-11-21T15:44:46+00:00",
    "sensitivityScore": 83,
    "sensitivityScoreOverridden": false,
    "statistics": {
        "totalBytesClassified": 933599,
        "totalDetections": 3641,
        "totalDetectionsSuppressed": 0,
        "totalItemsClassified": 111,
        "totalItemsSensitive": 84,
        "totalItemsSkipped": 1,
        "totalItemsSkippedInvalidEncryption": 0,
        "totalItemsSkippedInvalidKms": 0,
        "totalItemsSkippedPermissionDenied": 0
    }
}
```

The next example retrieves a breakdown of the types of sensitive data that Macie has found in an S3 bucket, and the number of occurrences of each type. The breakdown also specifies which managed data identifier or custom data identifier detected the data. It also indicates whether the occurrences are currently excluded (`suppressed`) from the bucket's sensitivity score, if the score is calculated automatically by Macie.

```
$ aws macie2 list-resource-profile-detections --resource-arn arn:aws:s3:::amzn-s3-demo-bucket
```

Where *arn:aws:s3:::amzn-s3-demo-bucket* is the ARN of the bucket. If the request succeeds, you receive output similar to the following:

```
{
    "detections": [
        {
            "count": 8,
            "id": "AWS_CREDENTIALS",
            "name": "AWS_CREDENTIALS",
            "suppressed": false,
            "type": "MANAGED"
        },
        {
            "count": 1194,
            "id": "CREDIT_CARD_NUMBER",
            "name": "CREDIT_CARD_NUMBER",
            "suppressed": false,
            "type": "MANAGED"
        },
        {
            "count": 1194,
            "id": "CREDIT_CARD_SECURITY_CODE",
            "name": "CREDIT_CARD_SECURITY_CODE",
            "suppressed": false,
            "type": "MANAGED"
        },
        {
            "arn": "arn:aws:macie2:us-east-1:123456789012:custom-data-identifier/3293a69d-4a1e-4a07-8715-208ddexample",
            "count": 8,
            "id": "3293a69d-4a1e-4a07-8715-208ddexample",
            "name": "Employee IDs with keyword",
            "suppressed": false,
            "type": "CUSTOM"
        },
        {
            "count": 1237,
            "id": "USA_SOCIAL_SECURITY_NUMBER",
            "name": "USA_SOCIAL_SECURITY_NUMBER",
            "suppressed": false,
            "type": "MANAGED"
        }
    ]
}
```

This example retrieves a list of objects that Macie selected from an S3 bucket for analysis. For each object, the list also indicates whether Macie completed its analysis of the object, and whether Macie found sensitive data in the object.

```
$ aws macie2 list-resource-profile-artifacts --resource-arn arn:aws:s3:::amzn-s3-demo-bucket
```

Where *arn:aws:s3:::amzn-s3-demo-bucket* is the ARN of the bucket. If the request succeeds, you receive output similar to the following:

```
{
    "artifacts": [
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object1.csv",
            "classificationResultStatus": "COMPLETE",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object2.xlsx",
            "classificationResultStatus": "COMPLETE",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object3.json",
            "classificationResultStatus": "COMPLETE",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object4.pdf",
            "classificationResultStatus": "COMPLETE",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object5.zip",
            "classificationResultStatus": "PARTIAL",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object6.vssx",
            "classificationResultStatus": "SKIPPED"
        }
    ]
}
```
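The three responses above can be combined into one coverage and remediation report for a bucket. The following Python is an added example, not code from the Macie documentation or the AWS SDK: it works on the response dictionaries that GetResourceProfile, ListResourceProfileDetections and ListResourceProfileArtifacts return, the sample responses are constructed to mirror the shapes shown above, and the boto3 method names in `fetch_bucket_data` are assumed.

```python
"""Summarize Amazon Macie automated discovery data for one S3 bucket.

Added example, not code from the Macie documentation or the AWS SDK. The
helpers work on the response dictionaries that GetResourceProfile,
ListResourceProfileDetections and ListResourceProfileArtifacts return, so
they run offline; the sample responses below are constructed (counts are
made up but internally consistent) to mirror the shapes shown above.
"""

SAMPLE_PROFILE = {  # constructed GetResourceProfile response
    "sensitivityScore": 83, "sensitivityScoreOverridden": False,
    "statistics": {
        "totalBytesClassified": 933599,
        "totalDetections": 1210,           # includes suppressed occurrences
        "totalDetectionsSuppressed": 8,
        "totalItemsClassified": 111, "totalItemsSensitive": 84,
        "totalItemsSkipped": 3,
        "totalItemsSkippedInvalidEncryption": 0,
        "totalItemsSkippedInvalidKms": 1,
        "totalItemsSkippedPermissionDenied": 1,
    },
}
SAMPLE_DETECTIONS = [  # constructed "detections" array
    {"count": 8, "id": "AWS_CREDENTIALS", "name": "AWS_CREDENTIALS",
     "suppressed": False, "type": "MANAGED"},
    {"count": 1194, "id": "CREDIT_CARD_NUMBER", "name": "CREDIT_CARD_NUMBER",
     "suppressed": False, "type": "MANAGED"},
    {"count": 8, "id": "3293a69d-4a1e-4a07-8715-208ddexample",
     "name": "Employee IDs with keyword", "suppressed": True, "type": "CUSTOM"},
]
SAMPLE_ARTIFACTS = [  # constructed "artifacts" array (a sample, not every object)
    {"arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object1.csv",
     "classificationResultStatus": "COMPLETE", "sensitive": True},
    {"arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object5.zip",
     "classificationResultStatus": "PARTIAL", "sensitive": True},
    {"arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object6.vssx",
     "classificationResultStatus": "SKIPPED"},  # no "sensitive" key when skipped
]

def skip_breakdown(profile):
    """Split skipped objects into the three reasons the API counts, plus a remainder."""
    s = profile["statistics"]
    reasons = {
        "invalid_encryption": s.get("totalItemsSkippedInvalidEncryption", 0),
        "invalid_kms": s.get("totalItemsSkippedInvalidKms", 0),
        "permission_denied": s.get("totalItemsSkippedPermissionDenied", 0),
    }
    # Skips that the API does not attribute to one of the three counters.
    reasons["other"] = max(s.get("totalItemsSkipped", 0) - sum(reasons.values()), 0)
    return reasons

def detection_rows(detections):
    """Rank detection types by count; in_score is False for suppressed types."""
    total = sum(d["count"] for d in detections) or 1
    return [
        {"name": d["name"], "type": d["type"], "count": d["count"],
         "share": round(d["count"] / total, 3),
         "in_score": not d.get("suppressed", False)}
        for d in sorted(detections, key=lambda d: d["count"], reverse=True)
    ]

def remediation_queue(artifacts):
    """Sampled objects whose analysis was PARTIAL or SKIPPED (coverage gaps)."""
    return [{"arn": a["arn"], "status": a["classificationResultStatus"]}
            for a in artifacts if a.get("classificationResultStatus") != "COMPLETE"]

def summarize(profile, detections, artifacts):
    """One report combining score, suppression, skip reasons and object samples."""
    s = profile["statistics"]
    total, suppressed = s.get("totalDetections", 0), s.get("totalDetectionsSuppressed", 0)
    return {
        "score": profile.get("sensitivityScore"),
        "score_overridden": profile.get("sensitivityScoreOverridden", False),
        "suppressed_fraction": round(suppressed / total, 3) if total else 0.0,
        "skips": skip_breakdown(profile),
        "detections": detection_rows(detections),
        "remediation_queue": remediation_queue(artifacts),
        "sensitive_objects": [a["arn"] for a in artifacts if a.get("sensitive") is True],
    }

def drain(op, bucket_arn, key):
    """Follow nextToken until a paged list operation is exhausted."""
    items, token = [], None
    while True:
        resp = op(resourceArn=bucket_arn, **({"nextToken": token} if token else {}))
        items.extend(resp.get(key, []))
        token = resp.get("nextToken")
        if not token:
            return items

def fetch_bucket_data(bucket_arn, client=None):
    """Build the report from the live API (needs boto3 and credentials).
    Assumes the boto3 macie2 client method names used here."""
    if client is None:
        import boto3  # lazy import so the offline helpers above need no SDK
        client = boto3.client("macie2")
    profile = client.get_resource_profile(resourceArn=bucket_arn)
    detections = drain(client.list_resource_profile_detections, bucket_arn, "detections")
    artifacts = drain(client.list_resource_profile_artifacts, bucket_arn, "artifacts")
    return summarize(profile, detections, artifacts)
```

`summarize(SAMPLE_PROFILE, SAMPLE_DETECTIONS, SAMPLE_ARTIFACTS)` runs offline; `fetch_bucket_data("arn:aws:s3:::amzn-s3-demo-bucket")` produces the same report for a real bucket.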

------

# Analyzing findings from automated sensitive data discovery
<a name="discovery-asdd-results-s3-findings"></a>

When Amazon Macie performs automated sensitive data discovery, it creates a sensitive data finding for each Amazon Simple Storage Service (Amazon S3) object that it finds sensitive data in. A *sensitive data finding* is a detailed report of sensitive data that Macie found in an S3 object. A finding doesn't include the sensitive data that Macie found. Instead, it provides information that you can use for further investigation and remediation as necessary.

Each sensitive data finding provides a severity rating and details such as:
+ The date and time when Macie found the sensitive data.
+ The category and types of sensitive data that Macie found.
+ The number of occurrences of each type of sensitive data that Macie found.
+ How Macie found the sensitive data: automated sensitive data discovery or a sensitive data discovery job.
+ The name, public access settings, encryption type, and other information about the affected S3 bucket and object.

Depending on the affected S3 object's file type or storage format, the details can also include the location of as many as 15 occurrences of the sensitive data that Macie found.

Macie stores sensitive data findings for 90 days. You can access them by using the Amazon Macie console or the Amazon Macie API. You can also monitor and process findings by using other applications, services, and systems. For more information, see [Reviewing and analyzing findings](findings.md).

**To analyze findings produced by automated sensitive data discovery**  
To identify and analyze findings that Macie created while performing automated sensitive data discovery, you can filter your findings. With filters, you use specific attributes of findings to build custom views and queries for findings. To filter findings, you can use the Amazon Macie console or submit queries programmatically using the Amazon Macie API. For more information, see [Filtering findings](findings-filter-overview.md).

**Note**  
If your account is part of an organization that centrally manages multiple Macie accounts, only the Macie administrator for your organization has direct access to findings that automated sensitive data discovery produces for accounts in your organization. If you have a member account and want to review the findings for your account, contact your Macie administrator.

------
#### [ Console ]

Follow these steps to identify and analyze the findings by using the Amazon Macie console.

**To analyze findings produced by automated discovery**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **Findings**.

1. To display findings that were suppressed by a [suppression rule](findings-suppression.md), change the **Finding status** setting. Choose **All** to display both suppressed and unsuppressed findings, or choose **Archived** to display only suppressed findings. To then hide suppressed findings again, choose **Current**.

1. Place your cursor in the **Filter criteria** box. In the list of fields that appears, choose **Origin type**.

   This field specifies how Macie found the sensitive data that produced a finding: automated sensitive data discovery or a sensitive data discovery job. To find this field in the list of filter fields, you can browse the complete list, or enter part of the field's name to narrow the list of fields.

1. Select **AUTOMATED\_SENSITIVE\_DATA\_DISCOVERY** as the value for the field, and then choose **Apply**. Macie applies the filter criteria and adds the condition to a filter token in the **Filter criteria** box.

1. To refine the results, add filter conditions for additional fields—for example, **Created at** for the time range when a finding was created, **S3 bucket name** for the name of an affected bucket, or **Sensitive data detection type** for the type of sensitive data that was detected and produced a finding.

If you want to subsequently use this set of conditions again, you can save it as a filter rule. To do this, choose **Save rule** in the **Filter criteria** box. Then enter a name and, optionally, a description for the rule. When you finish, choose **Save**.

------
#### [ API ]

To identify and analyze the findings programmatically, specify filter criteria in queries that you submit using the [ListFindings](https://docs.aws.amazon.com/macie/latest/APIReference/findings.html) or [GetFindingStatistics](https://docs.aws.amazon.com/macie/latest/APIReference/findings-statistics.html) operation of the Amazon Macie API. The **ListFindings** operation returns an array of finding IDs, one ID for each finding that matches the filter criteria. You can then use those IDs to retrieve the details of each finding. The **GetFindingStatistics** operation returns aggregated statistical data about all the findings that match the filter criteria, grouped by a field that you specify in your request. For more information about filtering findings programmatically, see [Filtering findings](findings-filter-overview.md).

In the filter criteria, include a condition for the `originType` field. This field specifies how Macie found the sensitive data that produced a finding: automated sensitive data discovery or a sensitive data discovery job. If automated sensitive data discovery produced a finding, the value for this field is `AUTOMATED_SENSITIVE_DATA_DISCOVERY`.

To identify and analyze the findings by using the AWS Command Line Interface (AWS CLI), run the [list-findings](https://docs.aws.amazon.com/cli/latest/reference/macie2/list-findings.html) or [get-finding-statistics](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-finding-statistics.html) command. The following examples use the **list-findings** command to retrieve finding IDs for all high-severity findings that automated sensitive data discovery produced in the current AWS Region.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws macie2 list-findings \
--finding-criteria '{"criterion":{"classificationDetails.originType":{"eq":["AUTOMATED_SENSITIVE_DATA_DISCOVERY"]},"severity.description":{"eq":["High"]}}}'
```

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 list-findings ^
--finding-criteria={\"criterion\":{\"classificationDetails.originType\":{\"eq\":[\"AUTOMATED_SENSITIVE_DATA_DISCOVERY\"]},\"severity.description\":{\"eq\":[\"High\"]}}}
```

Where:
+ `classificationDetails.originType` specifies the JSON name of the **Origin type** field, and:
  + `eq` specifies the *equals* operator.
  + `AUTOMATED_SENSITIVE_DATA_DISCOVERY` is an enumerated value for the field.
+ `severity.description` specifies the JSON name of the **Severity** field, and:
  + `eq` specifies the *equals* operator.
  + `High` is an enumerated value for the field.

If the request succeeds, Macie returns a `findingIds` array. The array lists the unique identifier for each finding that matches the filter criteria, as shown in the following example.

```
{
    "findingIds": [
        "1f1c2d74db5d8caa76859ec52example",
        "6cfa9ac820dd6d55cad30d851example",
        "702a6fd8750e567d1a3a63138example",
        "826e94e2a820312f9f964cf60example",
        "274511c3fdcd87010a19a3a42example"
    ]
}
```

If no findings match the filter criteria, Macie returns an empty `findingIds` array.

```
{
    "findingIds": []
}
```
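The same filter criteria can be built and checked programmatically before they are used in a query or saved as a rule. The following Python is an added example, not code from the Macie documentation or the AWS SDK: the sample findings are constructed and carry only the fields the filter touches, and the `fetch_findings` helper assumes a boto3 `macie2` client and a 50-ID batch limit for GetFindings.

```python
"""Filter Macie findings by origin type, locally and through the API.

Added example, not code from the Macie documentation or the AWS SDK.
build_criteria() produces the findingCriteria document that ListFindings and
GetFindingStatistics accept; matches() applies that document to a finding
locally, so a filter can be checked before it is saved as a rule;
group_count() mirrors the grouping that GetFindingStatistics performs.
"""
ASDD = "AUTOMATED_SENSITIVE_DATA_DISCOVERY"

SAMPLE_FINDINGS = [  # constructed; real findings carry many more fields
    {"id": "finding-1", "severity": {"description": "High"},
     "classificationDetails": {"originType": ASDD},
     "resourcesAffected": {"s3Bucket": {"name": "amzn-s3-demo-bucket"}}},
    {"id": "finding-2", "severity": {"description": "Medium"},
     "classificationDetails": {"originType": ASDD},
     "resourcesAffected": {"s3Bucket": {"name": "amzn-s3-demo-bucket"}}},
    {"id": "finding-3", "severity": {"description": "High"},
     "classificationDetails": {"originType": "SENSITIVE_DATA_DISCOVERY_JOB"},
     "resourcesAffected": {"s3Bucket": {"name": "amzn-s3-demo-bucket2"}}},
]

def build_criteria(severities=("High",), bucket_names=None, origin=ASDD):
    """findingCriteria for findings from one origin, optionally narrowed further.

    Field names are the JSON names Macie uses for Origin type, Severity and
    S3 bucket name; each eq list is an OR over its values.
    """
    criterion = {
        "classificationDetails.originType": {"eq": [origin]},
        "severity.description": {"eq": list(severities)},
    }
    if bucket_names:
        criterion["resourcesAffected.s3Bucket.name"] = {"eq": list(bucket_names)}
    return {"criterion": criterion}

def lookup(doc, dotted):
    """Resolve a dotted JSON path such as severity.description; None if absent."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def matches(finding, criteria):
    """True if every condition holds; supports the eq and neq operators."""
    for field, cond in criteria["criterion"].items():
        value = lookup(finding, field)
        if "eq" in cond and value not in cond["eq"]:
            return False
        if "neq" in cond and value in cond["neq"]:
            return False
    return True

def group_count(findings, field):
    """Count findings per value of a field, like GetFindingStatistics groupBy."""
    counts = {}
    for f in findings:
        key = lookup(f, field)
        counts[key] = counts.get(key, 0) + 1
    return counts

def fetch_findings(client, criteria, batch=50):
    """Page through ListFindings, then load full findings with GetFindings.

    Assumes a boto3 macie2 client; batch is the assumed per-call ID limit.
    """
    ids, token = [], None
    while True:
        kwargs = {"findingCriteria": criteria, **({"nextToken": token} if token else {})}
        resp = client.list_findings(**kwargs)
        ids.extend(resp.get("findingIds", []))
        token = resp.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(ids), batch):
        findings.extend(client.get_findings(findingIds=ids[i:i + batch]).get("findings", []))
    return findings
```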

------

# Accessing discovery results from automated sensitive data discovery
<a name="discovery-asdd-results-s3-sddrs"></a>

When Amazon Macie performs automated sensitive data discovery, it creates an analysis record for each Amazon Simple Storage Service (Amazon S3) object that it selects for analysis. These records, referred to as *sensitive data discovery results*, log details about the analysis that Macie performs on individual S3 objects. This includes objects that Macie doesn't find sensitive data in, and objects that Macie can't analyze due to errors or issues such as permissions settings or use of an unsupported file or storage format. Sensitive data discovery results provide you with analysis records that can be helpful for data privacy and protection audits or investigations.

If Macie finds sensitive data in an S3 object, the sensitive data discovery result provides information about the sensitive data that Macie found. The information includes the same types of details that a sensitive data finding provides. It provides additional information too, such as the location of as many as 1,000 occurrences of each type of sensitive data that Macie found. For example: 
+ The column and row number for a cell or field in a Microsoft Excel workbook, CSV file, or TSV file
+ The path to a field or array in a JSON or JSON Lines file
+ The line number for a line in a non-binary text file other than a CSV, JSON, JSON Lines, or TSV file—for example, an HTML, TXT, or XML file
+ The page number for a page in an Adobe Portable Document Format (PDF) file
+ The record index and the path to a field in a record in an Apache Avro object container or Apache Parquet file

If the affected S3 object is an archive file, such as a .tar or .zip file, the sensitive data discovery result also provides detailed location data for occurrences of sensitive data in individual files that Macie extracted from the archive. Macie doesn’t include this information in sensitive data findings for archive files. To report location data, sensitive data discovery results use a [standardized JSON schema](findings-locate-sd-schema.md).

**Note**  
As is the case with sensitive data findings, sensitive data discovery results don't include sensitive data that Macie finds in S3 objects. Instead, they provide analysis details that can be helpful for audits or investigations.

Macie stores your sensitive data discovery results for 90 days. You can’t access them directly on the Amazon Macie console or with the Amazon Macie API. Instead, you configure Macie to encrypt and store them in an S3 bucket. The bucket can serve as a definitive, long-term repository for all of your sensitive data discovery results. To determine where this repository is for your account, choose **Discovery results** in the navigation pane on the Amazon Macie console. To do this programmatically, use the [GetClassificationExportConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/classification-export-configuration.html) operation of the Amazon Macie API. If you haven't configured this repository for your account, see [Storing and retaining sensitive data discovery results](discovery-results-repository-s3.md) to learn how.

After you configure Macie to store your sensitive data discovery results in an S3 bucket, Macie writes the results to JSON Lines (.jsonl) files, and it encrypts and adds those files to the bucket as GNU Zip (.gz) files. For automated sensitive data discovery, Macie adds the files to a folder named `automated-sensitive-data-discovery` in the bucket. You can then optionally access and query the results in that folder. If your account is part of an organization that centrally manages multiple Macie accounts, Macie adds the files to the `automated-sensitive-data-discovery` folder in the bucket for your Macie administrator's account.

Sensitive data discovery results adhere to a standardized schema. This can help you query, monitor, and process them by using other applications, services, and systems. For a detailed, instructional example of how you might query and use these results, see the following blog post on the *AWS Security Blog*: [How to query and visualize Macie sensitive data discovery results with Amazon Athena and Amazon Quick](https://aws.amazon.com/blogs/security/how-to-query-and-visualize-macie-sensitive-data-discovery-results-with-athena-and-quicksight/). For samples of Athena queries that you can use to analyze the results, visit the [Amazon Macie Results Analytics repository](https://github.com/aws-samples/amazon-macie-results-analytics) on GitHub. This repository also provides instructions for configuring Athena to retrieve and decrypt your results, and scripts for creating tables for the results.

# Assessing automated sensitive data discovery coverage
<a name="discovery-coverage"></a>

As automated sensitive data discovery progresses for your account or organization, Amazon Macie provides statistics and details to help you assess and monitor its coverage of your Amazon Simple Storage Service (Amazon S3) data estate. With this data, you can check the status of automated sensitive data discovery for your data estate overall and individual S3 buckets within it. You can also identify issues that prevented Macie from analyzing objects in specific buckets. If you remediate the issues, you can increase coverage of your Amazon S3 data during subsequent analysis cycles.

Coverage data provides a snapshot of the current status of automated sensitive data discovery for your S3 general purpose buckets in the current AWS Region. If you're the Macie administrator for an organization, this includes buckets that your member accounts own. For each bucket, the data indicates whether issues occurred when Macie attempted to analyze objects in the bucket. If issues occurred, the data indicates the nature of each issue and, in certain cases, the number of occurrences. The data is updated as automated sensitive data discovery progresses each day. If Macie analyzes or attempts to analyze one or more objects in a bucket during a daily analysis cycle, Macie updates coverage and other data to reflect the results.

For certain types of issues, you can review the data in aggregate for all of your S3 general purpose buckets and optionally drill down for additional details about each bucket. For example, coverage data can help you quickly identify all the buckets that Macie isn't allowed to access for your account. Coverage data also reports object-level issues that occurred. These issues, referred to as *classification errors*, prevented Macie from analyzing specific objects in a bucket. For example, you can determine how many objects Macie couldn't analyze in a bucket because the objects are encrypted with an AWS Key Management Service (AWS KMS) key that's no longer available.

If you use the Amazon Macie console to review coverage data, your view of the data includes guidance for remediating each type of issue. Subsequent topics in this section also provide remediation guidance for each type.

**Topics**
+ [Reviewing coverage data](discovery-coverage-review.md)
+ [Remediating coverage issues](discovery-coverage-remediate.md)

# Reviewing coverage data for automated sensitive data discovery
<a name="discovery-coverage-review"></a>

To review and assess coverage by automated sensitive data discovery, you can use the Amazon Macie console or the Amazon Macie API. Both the console and the API provide data that indicates the current status of the analyses for your Amazon Simple Storage Service (Amazon S3) general purpose buckets in the current AWS Region. The data includes information about issues that create gaps in the analyses:
+ Buckets that Macie isn't allowed to access. Macie can't analyze any objects in these buckets. The buckets' permissions settings prevent Macie from accessing the buckets and the buckets' objects.
+ Buckets that don't store any classifiable objects. Macie can't analyze any objects in these buckets. All the objects use Amazon S3 storage classes that Macie doesn't support, or they have file name extensions for file or storage formats that Macie doesn't support. 
+ Buckets that Macie hasn’t been able to analyze yet due to object-level classification errors. Macie attempted to analyze one or more objects in these buckets. However, Macie couldn't analyze the objects due to issues with object-level permissions settings, object content, or quotas.

Coverage data is updated as automated sensitive data discovery progresses each day. If you're the Macie administrator for an organization, the data includes information for S3 buckets that your member accounts own.

**Note**  
Coverage data doesn't explicitly include results for sensitive data discovery jobs that you create and run. However, remediating coverage issues that affect automated sensitive data discovery is likely to also increase coverage by jobs that you subsequently run. To assess coverage for a job, [review the job's results](discovery-jobs-manage-results.md). If a job's log events or other results indicate coverage issues, [remediation guidance for automated sensitive data discovery](discovery-coverage-remediate.md) can help you address some of the issues.

**To review coverage data for automated sensitive data discovery**  
To review coverage data for automated sensitive data discovery, you can use the Amazon Macie console or the Amazon Macie API. On the console, a single page provides a unified view of coverage data for all of your S3 general purpose buckets in the current Region. This includes a rollup of issues that recently occurred for each bucket. The page also provides options for reviewing groups of data by issue type. To track your investigation of issues for specific buckets, you can export data from the page to a comma-separated values (CSV) file.

------
#### [ Console ]

Follow these steps to review coverage data by using the Amazon Macie console.

**To review coverage data**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **Resource coverage**.

1. On the **Resource coverage** page, choose the tab for the type of coverage data that you want to review:
   + **All** – Lists all the buckets for your account. For each bucket, the **Issues** field indicates whether issues prevented Macie from analyzing objects in the bucket. If the value for this field is **None**, Macie has analyzed at least one of the bucket's objects or Macie hasn't attempted to analyze any of the bucket's objects yet. If there are issues, this field indicates the nature of the issues and how to remediate them. For object-level classification errors, it might also indicate (in parentheses) the number of occurrences of the error.
   + **Access denied** – Lists buckets that Macie isn't allowed to access. The permissions settings for these buckets prevent Macie from accessing the buckets and the buckets' objects. Consequently, Macie can't analyze any objects in the buckets. 
   + **Classification error** – Lists buckets that Macie hasn’t analyzed yet due to object-level classification errors—issues with object-level permissions settings, object content, or quotas. For each bucket, the **Issues** field indicates the nature of each type of error that occurred and prevented Macie from analyzing an object in the bucket. It also indicates how to remediate each type of error. Depending on the error, it might also indicate (in parentheses) the number of occurrences of the error.
   + **Unclassifiable** – Lists buckets that Macie can't analyze because they don't store any classifiable objects. All the objects in these buckets use unsupported Amazon S3 storage classes or they have file name extensions for unsupported file or storage formats. Consequently, Macie can't analyze any objects in the buckets. 

1. To drill down and review the supporting data for a bucket, choose the bucket's name. Then refer to the details panel for statistics and other information about the bucket.

1. To export the table to a CSV file, choose **Export to CSV** at the top of the page. The resulting CSV file contains a subset of metadata for each bucket in the table, for up to 50,000 buckets. The file includes a **Coverage issues** field. The value for this field indicates whether issues prevented Macie from analyzing objects in the bucket and, if so, the nature of the issues.

------
#### [ API ]

To review coverage data programmatically, specify filter criteria in queries that you submit using the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation of the Amazon Macie API. This operation returns an array of objects. Each object contains statistical data and other information about an S3 general purpose bucket that matches the filter criteria.

In the filter criteria, include a condition for the type of coverage data that you want to review:
+ To identify buckets that Macie isn't allowed to access due to the buckets' permissions settings, include a condition where the value for the `errorCode` field equals `ACCESS_DENIED`.
+ To identify buckets that Macie is allowed to access and hasn't analyzed yet, include conditions where the value for the `sensitivityScore` field equals `50` and the value for the `errorCode` field doesn't equal `ACCESS_DENIED`.
+ To identify buckets that Macie can't analyze because all the buckets' objects use unsupported storage classes or formats, include conditions where the value for the `classifiableSizeInBytes` field equals `0` and the value for the `sizeInBytes` field is greater than `0`.
+ To identify buckets for which Macie has analyzed at least one object, include conditions where the value for the `sensitivityScore` field falls within the range of 1–99 but is not equal to `50`. To also include buckets where you manually assigned the maximum score, the range should be 1–100.
+ To identify buckets that Macie hasn’t analyzed yet due to object-level classification errors, include a condition where the value for the `sensitivityScore` field equals `-1`. To then review a breakdown of the types and number of errors that occurred for a particular bucket, use the [GetResourceProfile](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles.html) operation.

If you're using the AWS Command Line Interface (AWS CLI), specify filter criteria in queries that you submit by running the [describe-buckets](https://docs.aws.amazon.com/cli/latest/reference/macie2/describe-buckets.html) command. To review a breakdown of the types and number of errors that occurred for a particular S3 bucket, if any, run the [get-resource-profile](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-resource-profile.html) command.

For example, the following AWS CLI commands use filter criteria to retrieve the details of all the S3 buckets that Macie isn't allowed to access due to the buckets' permissions settings.

This example is formatted for Linux, macOS, or Unix:

```
$ aws macie2 describe-buckets --criteria '{"errorCode":{"eq":["ACCESS_DENIED"]}}'
```

This example is formatted for Microsoft Windows:

```
C:\> aws macie2 describe-buckets --criteria={\"errorCode\":{\"eq\":[\"ACCESS_DENIED\"]}}
```

If your request succeeds, Macie returns a `buckets` array. The array contains an object for each S3 bucket that’s in the current AWS Region and matches the filter criteria.

If no S3 buckets match the filter criteria, Macie returns an empty `buckets` array.

```
{
    "buckets": []
}
```

For more information about specifying filter criteria in queries, including examples of common criteria, see [Filtering your S3 bucket inventory](monitoring-s3-inventory-filter.md).
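The five filter conditions listed above can also be applied on the client side to the records in the `buckets` array that DescribeBuckets returns, which lets one unfiltered call be summarized locally instead of issuing one query per category. The following script is an added example, not code from the Macie documentation: it reads the `errorCode`, `sensitivityScore`, `sizeInBytes` and `classifiableSizeInBytes` fields of each record and applies the same tests the bullets describe. The bucket records are constructed sample data, so no AWS call is made and the script runs offline.

```python
"""Sort DescribeBuckets records into automated-discovery coverage categories.

Added example, not part of the Macie documentation. Each test mirrors one of
the filter conditions documented for DescribeBuckets; the records below are
constructed sample data shaped like the objects in the `buckets` array.
"""
from collections import Counter

ACCESS_DENIED = "ACCESS_DENIED"


def coverage_category(bucket: dict, include_max_score: bool = False) -> str:
    """Return the coverage category for one DescribeBuckets record.

    Precedence is a design choice of this example, not a Macie rule: a
    bucket-level access problem wins, then object-level classification
    errors, then the unclassifiable test, then the sensitivity-score tests.
    """
    score = bucket.get("sensitivityScore")
    size = bucket.get("sizeInBytes", 0)
    classifiable = bucket.get("classifiableSizeInBytes", 0)

    if bucket.get("errorCode") == ACCESS_DENIED:
        return "access_denied"          # bucket permissions block Macie entirely
    if score == -1:
        return "classification_error"   # object-level errors; see GetResourceProfile
    if classifiable == 0 and size > 0:
        return "unclassifiable"         # only unsupported storage classes/formats
    if score == 50:
        return "not_analyzed_yet"       # default score before any object is analyzed
    upper = 100 if include_max_score else 99
    if score is not None and 1 <= score <= upper:
        return "analyzed"               # at least one object analyzed (or max score assigned)
    return "other"                      # e.g. score 100 when include_max_score is False


def coverage_summary(buckets, include_max_score: bool = False) -> dict:
    """Count buckets per category, e.g. {'access_denied': 1, 'analyzed': 2, ...}."""
    return dict(Counter(coverage_category(b, include_max_score) for b in buckets))


def buckets_in_category(buckets, category: str, include_max_score: bool = False) -> list:
    """Names of the buckets in `category`, sorted for stable output."""
    return sorted(b["bucketName"] for b in buckets
                  if coverage_category(b, include_max_score) == category)


# Constructed sample records (a subset of the BucketMetadata fields).
# Bucket names and numbers are placeholders, not data from a real account.
SAMPLE_BUCKETS = [
    {"bucketName": "acme-logs", "errorCode": ACCESS_DENIED,
     "sensitivityScore": 50, "sizeInBytes": 9000, "classifiableSizeInBytes": 0},
    {"bucketName": "acme-archive",
     "sensitivityScore": 50, "sizeInBytes": 4096, "classifiableSizeInBytes": 0},
    {"bucketName": "acme-new",
     "sensitivityScore": 50, "sizeInBytes": 0, "classifiableSizeInBytes": 0},
    {"bucketName": "acme-hr",
     "sensitivityScore": 78, "sizeInBytes": 1_000_000, "classifiableSizeInBytes": 800_000},
    {"bucketName": "acme-clean",
     "sensitivityScore": 1, "sizeInBytes": 20_000, "classifiableSizeInBytes": 20_000},
    {"bucketName": "acme-broken",
     "sensitivityScore": -1, "sizeInBytes": 5000, "classifiableSizeInBytes": 5000},
    {"bucketName": "acme-pinned",
     "sensitivityScore": 100, "sizeInBytes": 700, "classifiableSizeInBytes": 700},
]

if __name__ == "__main__":
    for category, count in sorted(coverage_summary(SAMPLE_BUCKETS).items()):
        print(f"{category:22s} {count:3d}  {buckets_in_category(SAMPLE_BUCKETS, category)}")
```

In practice the input would be the concatenated `buckets` arrays from paginated DescribeBuckets calls; the `access_denied`, `unclassifiable` and `classification_error` groups are the ones worth exporting for the remediation steps in the next topic.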

------

For detailed information that can help you address coverage issues, see [Remediating coverage issues for automated sensitive data discovery](discovery-coverage-remediate.md).

# Remediating coverage issues for automated sensitive data discovery
<a name="discovery-coverage-remediate"></a>

As automated sensitive data discovery progresses each day, Amazon Macie provides statistics and details to help you assess and monitor its coverage of your Amazon Simple Storage Service (Amazon S3) data estate. By [reviewing coverage data](discovery-coverage-review.md), you can check the status of automated sensitive data discovery for your data estate overall and individual S3 buckets within it. You can also identify issues that prevented Macie from analyzing objects in specific buckets. If you remediate the issues, you can increase coverage of your Amazon S3 data during subsequent analysis cycles.

Macie reports several types of issues that reduce coverage of your Amazon S3 data by automated sensitive data discovery. This includes bucket-level issues that prevent Macie from analyzing any objects in an S3 bucket. It also includes object-level issues. These issues, referred to as *classification errors*, prevented Macie from analyzing specific objects in a bucket. The following information can help you investigate and remediate the issues.

**Topics**
+ [Access denied](#discovery-issues-access-denied)
+ [Classification error: Invalid content](#discovery-issues-invalid-content)
+ [Classification error: Invalid encryption](#discovery-issues-classification-error-invalid-encryption)
+ [Classification error: Invalid KMS key](#discovery-issues-classification-error-invalid-key)
+ [Classification error: Permission denied](#discovery-issues-classification-error-permission-denied)
+ [Unclassifiable](#discovery-issues-unclassifiable)

**Tip**  
To investigate object-level classification errors for an S3 bucket, start by reviewing the list of object samples for the bucket. This list indicates which objects Macie analyzed or attempted to analyze in the bucket, for up to 100 objects.   
To review the list on the Amazon Macie console, choose the bucket on the **S3 buckets** page, and then choose the **Object samples** tab in the details panel. To review the list programmatically, use the [ListResourceProfileArtifacts](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles-artifacts.html) operation of the Amazon Macie API. If the status of the analysis for an object is **Skipped** (`SKIPPED`), the object might have caused the error.

## Access denied
<a name="discovery-issues-access-denied"></a>

This issue indicates that an S3 bucket's permissions settings prevent Macie from accessing the bucket and the bucket’s objects. Macie can't retrieve and analyze any objects in the bucket.

**Details**  
The most common cause for this type of issue is a restrictive bucket policy. A *bucket policy* is a resource-based AWS Identity and Access Management (IAM) policy that specifies which actions a principal (user, account, service, or other entity) can perform on an S3 bucket, and the conditions under which a principal can perform those actions. A *restrictive bucket policy* uses explicit `Allow` or `Deny` statements that grant or restrict access to a bucket's data based on specific conditions. For example, a bucket policy might contain an `Allow` or `Deny` statement that denies access to a bucket unless specific source IP addresses are used to access the bucket.  
If the bucket policy for an S3 bucket contains an explicit `Deny` statement with one or more conditions, Macie might not be allowed to retrieve and analyze the bucket’s objects to detect sensitive data. Macie can only provide a subset of information about the bucket, such as the bucket's name and creation date.

**Remediation guidance**  
To remediate this issue, update the bucket policy for the S3 bucket. Ensure that the policy allows Macie to access the bucket and the bucket’s objects. To allow this access, add a condition for the Macie service-linked role (`AWSServiceRoleForAmazonMacie`) to the policy. The condition should exclude the Macie service-linked role from matching the `Deny` restriction in the policy. It can do this by using the `aws:PrincipalArn` global condition context key and the Amazon Resource Name (ARN) of the Macie service-linked role for your account.  
If you update the bucket policy and Macie gains access to the S3 bucket, Macie will detect the change. When this happens, Macie will update statistics, inventory data, and other information that it provides about your Amazon S3 data. In addition, the bucket's objects will be a higher priority for analysis during a subsequent analysis cycle.

**Additional reference**  
For more information about updating an S3 bucket policy to allow Macie to access a bucket, see [Allowing Macie to access S3 buckets and objects](monitoring-restrictive-s3-buckets.md). For information about using bucket policies to control access to buckets, see [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) and [How Amazon S3 authorizes a request](https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-s3-evaluates-access-control.html) in the *Amazon Simple Storage Service User Guide*.
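The bucket policy change described above can be made mechanically: IAM ANDs the condition keys inside a single statement, so adding a `StringNotEquals` test on `aws:PrincipalArn` to each `Deny` statement stops that statement from matching the Macie service-linked role while leaving its other conditions in force. The following script is an added example, not code from the Macie documentation or the Macie Scripts repository. The account ID, bucket name and sample policy are constructed, and the service-linked role ARN path is an assumption to confirm against the role shown in IAM for your account before applying a policy.

```python
"""Exempt the Macie service-linked role from Deny statements in an S3 bucket policy.

Added example, not part of the Macie documentation. The sample policy denies
object reads from outside one CIDR; as written it also blocks Macie, which
reads objects from the AWS network rather than from that range.
"""
import copy
import json

ROLE_NAME = "AWSServiceRoleForAmazonMacie"


def macie_slr_arn(account_id: str) -> str:
    """ARN of the Macie service-linked role (path assumed; confirm it in IAM)."""
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            f"macie.amazonaws.com/{ROLE_NAME}")


def _statements(policy: dict) -> list:
    """'Statement' may be one object or a list; always work with a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def denies_without_exemption(policy: dict, account_id: str) -> list:
    """Sids of Deny statements that can still match the Macie service-linked role."""
    arn = macie_slr_arn(account_id)
    missing = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Deny":
            continue
        block = stmt.get("Condition", {}).get("StringNotEquals", {})
        listed = block.get("aws:PrincipalArn", [])
        listed = listed if isinstance(listed, list) else [listed]
        if arn not in listed:
            missing.append(stmt.get("Sid", f"statement-{i}"))
    return missing


def exempt_macie_from_denies(policy: dict, account_id: str) -> dict:
    """Return a copy of `policy` in which every Deny statement excludes the Macie role.

    Allow statements and the Deny statements' existing conditions are left as
    they are; only an aws:PrincipalArn entry is merged into StringNotEquals.
    """
    arn = macie_slr_arn(account_id)
    patched = copy.deepcopy(policy)
    for stmt in _statements(patched):
        if stmt.get("Effect") != "Deny":
            continue
        block = stmt.setdefault("Condition", {}).setdefault("StringNotEquals", {})
        listed = block.get("aws:PrincipalArn", [])
        listed = listed if isinstance(listed, list) else [listed]
        if arn not in listed:
            listed.append(arn)
        block["aws:PrincipalArn"] = listed[0] if len(listed) == 1 else listed
    return patched


# Constructed sample: account, bucket and CIDR are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowTeamRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataTeam"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

if __name__ == "__main__":
    print("Deny statements that block Macie:",
          denies_without_exemption(SAMPLE_POLICY, "123456789012"))
    print(json.dumps(exempt_macie_from_denies(SAMPLE_POLICY, "123456789012"), indent=2))
```

The script does not handle `Deny` statements written with `NotPrincipal`, and it does not evaluate the policy; after applying the patched document, confirm the result with the coverage data or the IAM policy simulator rather than by inspection alone.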

## Classification error: Invalid content
<a name="discovery-issues-invalid-content"></a>

This type of classification error occurs if Macie attempts to analyze an object in an S3 bucket and the object is malformed or the object contains content that exceeds a sensitive data discovery quota. Macie can't analyze the object.

**Details**  
This error typically occurs because an S3 object is a malformed or corrupted file. Consequently, Macie can't parse and analyze all the data in the file.  
This error can also occur if analysis of an S3 object would exceed a sensitive data discovery quota for an individual file. For example, the storage size of the object exceeds the size quota for that type of file.  
For either case, Macie can't complete its analysis of the S3 object and the status of the analysis for the object is **Skipped** (`SKIPPED`).

**Remediation guidance**  
To investigate this error, download the S3 object and check the formatting and contents of the file. Also assess the contents of the file against Macie quotas for sensitive data discovery.  
If you don't remediate this error, Macie will try to analyze other objects in the S3 bucket. If Macie analyzes another object successfully, Macie will update coverage data and other information that it provides about the bucket.

**Additional reference**  
For a list of sensitive data discovery quotas, including the quotas for certain types of files, see [Quotas for Macie](macie-quotas.md). For information about how Macie updates sensitivity scores and other information that it provides about S3 buckets, see [How automated sensitive data discovery works](discovery-asdd-how-it-works.md).

## Classification error: Invalid encryption
<a name="discovery-issues-classification-error-invalid-encryption"></a>

This type of classification error occurs if Macie attempts to analyze an object in an S3 bucket and the object is encrypted with a customer-provided key. The object uses SSE-C encryption, which means that Macie can't retrieve and analyze the object.

**Details**  
Amazon S3 supports multiple encryption options for S3 objects. For most of these options, Macie can decrypt an object by using the Macie service-linked role for your account. However, this depends on the type of encryption that was used.  
For Macie to decrypt an S3 object, the object must be encrypted with a key that Macie can access and is allowed to use. If an object is encrypted with a customer-provided key, Macie can't provide the requisite key material to retrieve the object from Amazon S3. Consequently, Macie can't analyze the object and the status of the analysis for the object is **Skipped** (`SKIPPED`).

**Remediation guidance**  
To remediate this error, encrypt S3 objects with Amazon S3 managed keys or AWS Key Management Service (AWS KMS) keys. If you prefer to use AWS KMS keys, the keys can be AWS managed KMS keys, or customer managed KMS keys that Macie is allowed to use.  
To encrypt existing S3 objects with keys that Macie can access and use, you can change the encryption settings for the objects. To encrypt new objects with keys that Macie can access and use, change the default encryption settings for the S3 bucket. Also ensure that the bucket's policy doesn't require new objects to be encrypted with a customer-provided key.  
If you don't remediate this error, Macie will try to analyze other objects in the S3 bucket. If Macie analyzes another object successfully, Macie will update coverage data and other information that it provides about the bucket.

**Additional reference**  
For information about requirements and options for using Macie to analyze encrypted S3 objects, see [Analyzing encrypted Amazon S3 objects](discovery-supported-encryption-types.md). For information about encryption options and settings for S3 buckets, see [Protecting data with encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) and [Setting default server-side encryption behavior for S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html) in the *Amazon Simple Storage Service User Guide*.

## Classification error: Invalid KMS key
<a name="discovery-issues-classification-error-invalid-key"></a>

This type of classification error occurs if Macie attempts to analyze an object in an S3 bucket and the object is encrypted with an AWS Key Management Service (AWS KMS) key that's no longer available. Macie can't retrieve and analyze the object.

**Details**  
AWS KMS provides options for disabling and deleting customer managed AWS KMS keys. If an S3 object is encrypted with a KMS key that is disabled, is scheduled for deletion, or was deleted, Macie can't retrieve and decrypt the object. Consequently, Macie can't analyze the object and the status of the analysis for the object is **Skipped** (`SKIPPED`). For Macie to analyze an encrypted object, the object must be encrypted with a key that Macie can access and is allowed to use.

**Remediation guidance**  
To remediate this error, re-enable the applicable AWS KMS key or cancel the scheduled deletion of the key, depending on the current status of the key. If the applicable key was already deleted, this error cannot be remediated.   
To determine which AWS KMS key was used to encrypt an S3 object, you can start by using Macie to review the server-side encryption settings for the S3 bucket. If the default encryption settings for the bucket are configured to use a KMS key, the bucket's details indicate which key is used. You can then check the status of that key. Alternatively, you can use Amazon S3 to review the encryption settings for the bucket and individual objects in the bucket.  
If you don't remediate this error, Macie will try to analyze other objects in the S3 bucket. If Macie analyzes another object successfully, Macie will update coverage data and other information that it provides about the bucket.

**Additional reference**  
For information about using Macie to review the server-side encryption settings for an S3 bucket, see [Reviewing the details of S3 buckets](monitoring-s3-inventory-review.md#monitoring-s3-inventory-view-details). For information about re-enabling an AWS KMS key or canceling the scheduled deletion of a key, see [Enabling and disabling keys](https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html) and [Deleting keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide*.

## Classification error: Permission denied
<a name="discovery-issues-classification-error-permission-denied"></a>

This type of classification error occurs if Macie attempts to analyze an object in an S3 bucket and Macie can't retrieve or decrypt the object due to the permissions settings for the object or the permissions settings for the key that was used to encrypt the object. Macie can't retrieve and analyze the object.

**Details**  
This error typically occurs because an S3 object is encrypted with a customer managed AWS Key Management Service (AWS KMS) key that Macie isn’t allowed to use. If an object is encrypted with a customer managed AWS KMS key, the key's policy must allow Macie to decrypt data by using the key.  
This error can also occur if Amazon S3 permissions settings prevent Macie from retrieving an S3 object. The bucket policy for the S3 bucket might restrict access to specific bucket objects or allow only certain principals (users, accounts, services, or other entities) to access the objects. Or the access control list (ACL) for an object might restrict access to the object. Consequently, Macie might not be allowed to access the object.  
For any of the preceding cases, Macie can't retrieve and analyze the object, and the status of the analysis for the object is **Skipped** (`SKIPPED`).

**Remediation guidance**  
To remediate this error, determine whether the S3 object is encrypted with a customer managed AWS KMS key. If it is, ensure that the key's policy allows the Macie service-linked role (`AWSServiceRoleForAmazonMacie`) to decrypt data with the key. How you allow this access depends on whether the account that owns the AWS KMS key also owns the S3 bucket that stores the object. If the same account owns the KMS key and the bucket, a user of the account has to update the key's policy. If one account owns the KMS key and a different account owns the bucket, a user of the account that owns the key has to allow cross-account access to the key.  
You can automatically generate a list of all the customer managed AWS KMS keys that Macie needs to access to analyze objects in the S3 buckets for your account. To do this, run the AWS KMS Permission Analyzer script, which is available from the [Amazon Macie Scripts](https://github.com/aws-samples/amazon-macie-scripts) repository on GitHub. The script can also generate an additional script of AWS Command Line Interface (AWS CLI) commands. You can optionally run those commands to update the requisite configuration settings and policies for KMS keys that you specify.  
If Macie is already allowed to use the applicable AWS KMS key or the S3 object isn't encrypted with a customer managed KMS key, ensure that the bucket's policy allows Macie to access the object. Also verify that the object's ACL allows Macie to read the object's data and metadata.   
For the bucket policy, you can allow this access by adding a condition for the Macie service-linked role to the policy. The condition should exclude the Macie service-linked role from matching the `Deny` restriction in the policy. It can do this by using the `aws:PrincipalArn` global condition context key and the Amazon Resource Name (ARN) of the Macie service-linked role for your account.  
For the object ACL, you can allow this access by working with the object owner to add your AWS account as a grantee with `READ` permissions for the object. Macie can then use the service-linked role for your account to retrieve and analyze the object. Also consider changing the Object Ownership settings for the bucket. You can use these settings to disable ACLs for all the objects in the bucket and grant ownership permissions to the account that owns the bucket.  
If you don't remediate this error, Macie will try to analyze other objects in the S3 bucket. If Macie analyzes another object successfully, Macie will update coverage data and other information that it provides about the bucket.

**Additional reference**  
For more information about allowing Macie to decrypt data with a customer managed AWS KMS key, see [Allowing Macie to use a customer managed AWS KMS key](discovery-supported-encryption-types.md#discovery-supported-encryption-cmk-configuration). For information about updating an S3 bucket policy to allow Macie to access a bucket, see [Allowing Macie to access S3 buckets and objects](monitoring-restrictive-s3-buckets.md).  
For information about updating a key policy, see [Changing a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the *AWS Key Management Service Developer Guide*. For information about using customer managed AWS KMS keys to encrypt S3 objects, see [Using server-side encryption with AWS KMS keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) in the *Amazon Simple Storage Service User Guide*.   
For information about using bucket policies to control access to S3 buckets, see [Access control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-management.html) and [How Amazon S3 authorizes a request](https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-s3-evaluates-access-control.html) in the *Amazon Simple Storage Service User Guide*. For information about using ACLs or Object Ownership settings to control access to S3 objects, see [Managing access with ACLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acls.html) and [Controlling ownership of objects and disabling ACLs for your bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon Simple Storage Service User Guide*.
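For the KMS key case described above (same account owns the key and the bucket), the check is whether the key policy contains an explicit `Allow` for the Macie service-linked role that covers `kms:Decrypt`. The following script is an added example, not code from the Macie documentation or the Macie Scripts repository: it reads a key policy document, reports whether such a grant exists, and appends one if it is missing. It is a deliberately simple reading of the policy, not an IAM policy simulator: conditions are ignored, a `Deny` that names the role is treated as overriding, and delegation through the account root principal is not counted. The account ID and sample policy are constructed, and the service-linked role ARN path is an assumption to confirm in IAM.

```python
"""Check and grant kms:Decrypt for the Macie service-linked role in a KMS key policy.

Added example, not part of the Macie documentation. Cross-account keys are out
of scope: there the key-owning account must grant the Macie account's role,
which this script does not model.
"""
import copy
import json


def macie_slr_arn(account_id: str) -> str:
    """ARN of the Macie service-linked role (path assumed; confirm it in IAM)."""
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            f"macie.amazonaws.com/AWSServiceRoleForAmazonMacie")


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _covers_decrypt(actions) -> bool:
    """True if an Action value includes kms:Decrypt, exactly or via a wildcard."""
    return any(a in ("kms:Decrypt", "kms:*", "*") for a in _as_list(actions))


def _names_principal(principal, arn: str) -> bool:
    """True if a Principal element names `arn` explicitly (root delegation not counted)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return arn in _as_list(principal.get("AWS", []))
    return False


def key_allows_macie_decrypt(key_policy: dict, account_id: str) -> bool:
    """Explicit Allow for the Macie role on kms:Decrypt, not overridden by a Deny."""
    arn = macie_slr_arn(account_id)
    allowed = denied = False
    for stmt in _as_list(key_policy.get("Statement", [])):
        if not _names_principal(stmt.get("Principal"), arn):
            continue
        if not _covers_decrypt(stmt.get("Action", [])):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def ensure_macie_decrypt(key_policy: dict, account_id: str) -> dict:
    """Return a copy of the key policy with a kms:Decrypt grant for Macie added if missing."""
    patched = copy.deepcopy(key_policy)
    if key_allows_macie_decrypt(patched, account_id):
        return patched
    stmts = _as_list(patched.get("Statement", []))
    stmts.append({
        "Sid": "AllowMacieToDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": macie_slr_arn(account_id)},
        "Action": "kms:Decrypt",
        "Resource": "*",  # key policies refer to the key itself as "*"
    })
    patched["Statement"] = stmts
    return patched


# Constructed sample: a default-style key policy that only names the account root.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("Macie can decrypt:", key_allows_macie_decrypt(SAMPLE_KEY_POLICY, "123456789012"))
    print(json.dumps(ensure_macie_decrypt(SAMPLE_KEY_POLICY, "123456789012"), indent=2))
```

The patched document is what you would pass to a key policy update; the root-principal statement is left untouched so existing IAM-based access to the key is unaffected.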

## Unclassifiable
<a name="discovery-issues-unclassifiable"></a>

This issue indicates that all the objects in an S3 bucket are stored using unsupported Amazon S3 storage classes or unsupported file or storage formats. Macie can't analyze any objects in the bucket.

**Details**  
To be eligible for selection and analysis, an S3 object must use an Amazon S3 storage class that Macie supports. The object must also have a file name extension for a file or storage format that Macie supports. If an object doesn't meet these criteria, the object is treated as an *unclassifiable object*. Macie doesn't attempt to retrieve or analyze data in unclassifiable objects.  
If all the objects in an S3 bucket are unclassifiable objects, the overall bucket is an *unclassifiable bucket*. Macie can't perform automated sensitive data discovery for the bucket.

**Remediation guidance**  
To address this issue, review lifecycle configuration rules and other settings that determine which storage classes are used to store objects in the S3 bucket. Consider adjusting those settings to use storage classes that Macie supports. You can also change the storage class of existing objects in the bucket.  
Also assess the file and storage formats of existing objects in the S3 bucket. To analyze the objects, consider porting the data, either temporarily or permanently, to new objects that use a supported format.  
If objects are added to the S3 bucket and they use a supported storage class and format, Macie will detect the objects the next time it evaluates your bucket inventory. When this happens, Macie will stop reporting that the bucket is *unclassifiable* in statistics, coverage data, and other information that it provides about your Amazon S3 data. In addition, the new objects will be a higher priority for analysis during a subsequent analysis cycle.

**Additional reference**  
For information about the Amazon S3 storage classes and the file and storage formats that Macie supports, see [Supported storage classes and formats](discovery-supported-storage.md). For information about lifecycle configuration rules and the storage class options that Amazon S3 provides, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) and [Using Amazon S3 storage classes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html) in the *Amazon Simple Storage Service User Guide*. 

# Adjusting sensitivity scores for S3 buckets
<a name="discovery-asdd-s3bucket-manage"></a>

As you review and evaluate statistics, data, and other results of automated sensitive data discovery, there might be cases where you want to fine-tune sensitivity assessments of your Amazon Simple Storage Service (Amazon S3) buckets. You might also want to capture the results of investigations that you or your organization performs for specific buckets. If you're the Amazon Macie administrator for an organization or you have a standalone Macie account, you can make these changes by adjusting the sensitivity score and other settings for individual buckets. If you have a member account in an organization, work with your Macie administrator to adjust the settings for buckets that you own. Only the Macie administrator for your organization can adjust these settings for your buckets.

If you're a Macie administrator or you have a standalone Macie account, you can adjust the sensitivity score for an S3 bucket in the following ways:
+ **Assign a sensitivity score** – By default, Macie automatically calculates a bucket's sensitivity score. The score is based primarily on the amount of sensitive data that Macie has found in a bucket, and the amount of data that Macie has analyzed in a bucket. For more information, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).

  You can override a bucket's calculated score and manually assign the maximum score (*100*), which also applies the *Sensitive* label to the bucket. If you do this, Macie stops performing automated sensitive data discovery for the bucket, as buckets with a score of 100 are excluded from further scanning. To calculate the score automatically again and resume scanning, change the setting again.
+ **Exclude or include sensitive data types in the sensitivity score** – If it's calculated automatically, a bucket's sensitivity score is based partly on the amount of sensitive data that Macie has found in the bucket. This derives primarily from the nature and number of sensitive data types that Macie has found, and the number of occurrences of each type. By default, Macie includes occurrences of all types of sensitive data when it calculates a bucket's score.

  You can adjust the calculation by excluding or including specific types of sensitive data in a bucket's score. For example, if Macie detected mailing addresses in a bucket and you determine that this is acceptable, you can exclude all occurrences of mailing addresses from the bucket's score. If you exclude a sensitive data type, Macie continues to inspect the bucket for that type of data, and report occurrences that it finds. However, those occurrences don't affect the bucket's score. To include a sensitive data type in the score again, change the setting again.

You can also exclude an S3 bucket from subsequent analyses. If you exclude a bucket, existing sensitive data discovery statistics and details for the bucket persist. For example, the bucket's current sensitivity score remains unchanged. However, Macie stops analyzing objects in the bucket when it performs automated sensitive data discovery. After you exclude a bucket, you can include it again later.

If you change a setting that affects the sensitivity score for an S3 bucket, Macie immediately begins to recalculate the score. Macie also updates relevant statistics and other information that it provides about the bucket and your Amazon S3 data overall. For example, if you assign the maximum score to a bucket, Macie increments the count of *Sensitive* buckets in aggregated statistics.

**To adjust the sensitivity score or other settings for an S3 bucket**  
To adjust the sensitivity score or other settings for an S3 bucket, you can use the Amazon Macie console or the Amazon Macie API.

------
#### [ Console ]

Follow these steps to adjust the sensitivity score or a setting for an S3 bucket by using the Amazon Macie console.

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays your bucket inventory.

   By default, the page doesn't display data for buckets that are currently excluded from analyses. If you're the Macie administrator for an organization, it also doesn't display data for accounts that automated sensitive data discovery is currently disabled for. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. Choose the S3 bucket that has a setting to adjust. You can choose the bucket by using the table view (![\[The table view button, which is a button that displays three black horizontal lines.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-table-view.png)) or the interactive map (![\[The map view button, which is a button that displays four black squares.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-map-view.png)).

1. In the details panel, do any of the following:
   + To override the calculated sensitivity score and manually assign a score, turn on **Assign maximum score** (![\[A toggle switch with a gray background and the toggle positioned to the left.\]](http://docs.aws.amazon.com/macie/latest/user/images/tgl-gray-off.png)). This changes the bucket's score to *100* and applies the *Sensitive* label to the bucket.
   + To assign a sensitivity score that Macie calculates automatically, turn off **Assign maximum score** (![\[A toggle switch with a blue background and the toggle positioned to the right.\]](http://docs.aws.amazon.com/macie/latest/user/images/tgl-blue-on.png)).
   + To exclude or include specific types of sensitive data in the sensitivity score, choose the **Sensitivity** tab. In the **Detections** table, select the checkbox for the sensitive data type to exclude or include. Then, on the **Actions** menu, choose **Exclude from score** to exclude the type or choose **Include in score** to include the type.

     In the table, the **Sensitive data type** field specifies the managed data identifier or custom data identifier that detected the data. For a managed data identifier, this is a unique identifier (ID) that describes the type of sensitive data that the identifier is designed to detect, for example, **USA\_PASSPORT\_NUMBER** for US passport numbers. For details about each managed data identifier, see [Using managed data identifiers](managed-data-identifiers.md).
   + To exclude the bucket from subsequent analyses, turn on **Exclude from automated discovery** (![\[A toggle switch with a gray background and the toggle positioned to the left.\]](http://docs.aws.amazon.com/macie/latest/user/images/tgl-gray-off.png)).
   + To include the bucket in subsequent analyses, if you previously excluded it, turn off **Exclude from automated discovery** (![\[A toggle switch with a blue background and the toggle positioned to the right.\]](http://docs.aws.amazon.com/macie/latest/user/images/tgl-blue-on.png)).

------
#### [ API ]

To adjust the sensitivity score or a setting for an S3 bucket programmatically, you have several options. The appropriate option depends on what you want to adjust.

**Assign a sensitivity score**  
To assign a sensitivity score to an S3 bucket, use the [UpdateResourceProfile](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles.html) operation. In your request, use the `resourceArn` parameter to specify the Amazon Resource Name (ARN) of the bucket. For the `sensitivityScoreOverride` parameter, do one of the following:  
+ To override the calculated score and manually assign the maximum score, specify `100`.
+ To assign a score that Macie calculates automatically, omit the parameter. If this parameter is null, Macie calculates and assigns the score.
If you're using the AWS Command Line Interface (AWS CLI), run the [update-resource-profile](https://docs.aws.amazon.com/cli/latest/reference/macie2/update-resource-profile.html) command to assign a sensitivity score to an S3 bucket. In your request, use the `resource-arn` parameter to specify the ARN of the bucket. Omit or use the `sensitivity-score-override` parameter to specify which score to assign.  
If your request succeeds, Macie assigns the specified score and returns an empty response.

**Exclude or include sensitive data types in the sensitivity score**  
To exclude or include sensitive data types in the sensitivity score for an S3 bucket, use the [UpdateResourceProfileDetections](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles-detections.html) operation. When you use this operation, you overwrite the current inclusion and exclusion settings for a bucket's score. Therefore, it's a good idea to first retrieve the current settings and determine which ones you want to keep. To retrieve the current settings, use the [ListResourceProfileDetections](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles-detections.html) operation.  
When you're ready to update the settings, use the `resourceArn` parameter to specify the ARN of the S3 bucket. For the `suppressDataIdentifiers` parameter, do one of the following:  
+ To exclude a sensitive data type from the bucket's score, use the `type` parameter to specify the type of data identifier that detected the data, a managed data identifier (`MANAGED`) or a custom data identifier (`CUSTOM`). Use the `id` parameter to specify the unique identifier for the managed or custom data identifier that detected the data.
+ To include a sensitive data type in the bucket's score, don't specify any details for the managed or custom data identifier that detected the data.
+ To include all sensitive data types in the bucket's score, don't specify any values. If the value for the `suppressDataIdentifiers` parameter is null (empty), Macie includes all types of detections when it calculates the score.
If you're using the AWS CLI, run the [update-resource-profile-detections](https://docs.aws.amazon.com/cli/latest/reference/macie2/update-resource-profile-detections.html) command to exclude or include sensitive data types in the sensitivity score for an S3 bucket. Use the `resource-arn` parameter to specify the ARN of the bucket. Use the `suppress-data-identifiers` parameter to specify which sensitive data types to exclude or include in the bucket's score. To first retrieve and review the current settings for the bucket, run the [list-resource-profile-detections](https://docs.aws.amazon.com/cli/latest/reference/macie2/list-resource-profile-detections.html) command.   
If your request succeeds, Macie updates the settings and returns an empty response.

**Exclude or include an S3 bucket in analyses**  
To exclude or subsequently include an S3 bucket in analyses, use the [UpdateClassificationScope](https://docs.aws.amazon.com/macie/latest/APIReference/classification-scopes-id.html) operation. Or, if you're using the AWS CLI, run the [update-classification-scope](https://docs.aws.amazon.com/cli/latest/reference/macie2/update-classification-scope.html) command. For additional details and examples, see [Excluding or including S3 buckets in automated sensitive data discovery](discovery-asdd-account-configure.md#discovery-asdd-account-configure-s3buckets).

The following examples show how to use the AWS CLI to adjust individual settings for an S3 bucket. This first example manually assigns the maximum sensitivity score (`100`) to a bucket. It overrides the bucket's calculated score.

```
$ aws macie2 update-resource-profile --resource-arn arn:aws:s3:::amzn-s3-demo-bucket --sensitivity-score-override 100
```

Where *arn:aws:s3:::amzn-s3-demo-bucket* is the ARN of the S3 bucket.

The next example changes the sensitivity score for an S3 bucket to a score that Macie calculates automatically. The bucket currently has a manually assigned score that overrides the calculated score. This example removes that override by omitting the `sensitivity-score-override` parameter from the request.

```
$ aws macie2 update-resource-profile --resource-arn arn:aws:s3:::amzn-s3-demo-bucket2
```

Where *arn:aws:s3:::amzn-s3-demo-bucket2* is the ARN of the S3 bucket.

The following examples exclude particular types of sensitive data from the sensitivity score for an S3 bucket. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws macie2 update-resource-profile-detections \
--resource-arn arn:aws:s3:::amzn-s3-demo-bucket3 \
--suppress-data-identifiers '[{"type":"MANAGED","id":"ADDRESS"},{"type":"CUSTOM","id":"3293a69d-4a1e-4a07-8715-208ddexample"}]'
```

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 update-resource-profile-detections ^
--resource-arn arn:aws:s3:::amzn-s3-demo-bucket3 ^
--suppress-data-identifiers=[{\"type\":\"MANAGED\",\"id\":\"ADDRESS\"},{\"type\":\"CUSTOM\",\"id\":\"3293a69d-4a1e-4a07-8715-208ddexample\"}]
```

Where:
+ *arn:aws:s3:::amzn-s3-demo-bucket3* is the ARN of the S3 bucket.
+ *ADDRESS* is the unique identifier for the managed data identifier that detected a type of sensitive data to exclude (mailing addresses).
+ *3293a69d-4a1e-4a07-8715-208ddexample* is the unique identifier for the custom data identifier that detected a type of sensitive data to exclude.

The next set of examples includes all types of sensitive data in the sensitivity score for the S3 bucket again. It overwrites the current exclusion settings for the bucket by specifying an empty (null) value for the `suppress-data-identifiers` parameter. For Linux, macOS, or Unix:

```
$ aws macie2 update-resource-profile-detections --resource-arn arn:aws:s3:::amzn-s3-demo-bucket3 --suppress-data-identifiers '[]'
```

For Microsoft Windows:

```
C:\> aws macie2 update-resource-profile-detections --resource-arn arn:aws:s3:::amzn-s3-demo-bucket3 --suppress-data-identifiers=[]
```

Where *arn:aws:s3:::amzn-s3-demo-bucket3* is the ARN of the S3 bucket.
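Because `UpdateResourceProfileDetections` replaces a bucket's whole exclusion list, a call that passes only the newly excluded type silently re-includes everything that was excluded before. The following added example (written for this page, not code from the Macie documentation) shows the read-merge-write sequence described above in Python. It assumes the boto3 `macie2` client methods `list_resource_profile_detections` and `update_resource_profile_detections`, the response fields `detections`, `id`, `type`, `suppressed` and `nextToken`, and uses constructed sample detections.

```python
"""Safely exclude or include sensitive data types in an S3 bucket's
sensitivity score (added example; not part of the Macie documentation).

UpdateResourceProfileDetections overwrites the bucket's suppression list, so
the current settings (ListResourceProfileDetections) are merged with the
requested change before anything is written back.
"""

# Constructed sample of a ListResourceProfileDetections response for one
# bucket. Field names are an assumption based on the API's documented shape.
SAMPLE_DETECTIONS = [
    {"id": "ADDRESS", "type": "MANAGED", "name": "ADDRESS",
     "count": 120, "suppressed": True},
    {"id": "USA_PASSPORT_NUMBER", "type": "MANAGED",
     "name": "USA_PASSPORT_NUMBER", "count": 3, "suppressed": False},
    {"id": "3293a69d-4a1e-4a07-8715-208ddexample", "type": "CUSTOM",
     "name": "internal-ticket-id", "count": 40, "suppressed": True},
]


def current_suppressed(detections):
    """Return the (type, id) pairs currently excluded from the score."""
    return {(d["type"], d["id"]) for d in detections if d.get("suppressed")}


def build_suppress_list(detections, exclude=(), include=()):
    """Merge the bucket's current exclusions with the requested changes.

    exclude/include are iterables of (type, id) pairs. The result is the
    value for suppressDataIdentifiers; an empty list re-includes every type.
    """
    wanted = current_suppressed(detections)
    wanted |= set(exclude)
    wanted -= set(include)
    # Sorted so the payload is stable and easy to review in a change record.
    return [{"type": t, "id": i} for t, i in sorted(wanted)]


def naive_suppress_list(exclude):
    """What a hasty call sends: only the new exclusion, nothing else."""
    return [{"type": t, "id": i} for t, i in exclude]


def lost_exclusions(detections, payload):
    """Types excluded today that the given payload would quietly re-include."""
    sent = {(p["type"], p["id"]) for p in payload}
    return sorted(current_suppressed(detections) - sent)


def apply_update(resource_arn, exclude=(), include=(), client=None):
    """Read-merge-write against the Macie API.

    With client=None this needs boto3 and AWS credentials; a client object
    can be injected so the merge logic is exercised without AWS access.
    """
    if client is None:
        import boto3  # imported lazily so the merge logic runs offline
        client = boto3.client("macie2")
    detections = []
    kwargs = {"resourceArn": resource_arn}
    while True:  # nextToken pagination (assumed field name)
        page = client.list_resource_profile_detections(**kwargs)
        detections.extend(page.get("detections", []))
        token = page.get("nextToken")
        if not token:
            break
        kwargs["nextToken"] = token
    payload = build_suppress_list(detections, exclude, include)
    client.update_resource_profile_detections(
        resourceArn=resource_arn, suppressDataIdentifiers=payload)
    return payload


if __name__ == "__main__":
    new = [("MANAGED", "USA_PASSPORT_NUMBER")]
    print("naive payload re-includes:",
          lost_exclusions(SAMPLE_DETECTIONS, naive_suppress_list(new)))
    print("merged payload:", build_suppress_list(SAMPLE_DETECTIONS, exclude=new))
```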

------

# Sensitivity scoring for S3 buckets
<a name="discovery-scoring-s3"></a>

If automated sensitive data discovery is enabled, Amazon Macie automatically calculates and assigns a sensitivity score to each Amazon Simple Storage Service (Amazon S3) general purpose bucket that it monitors and analyzes for an account or organization. A *sensitivity score* is a quantitative representation of the amount of sensitive data that an S3 bucket might contain. Based on that score, Macie also assigns a sensitivity label to each bucket. A *sensitivity label* is a qualitative representation of a bucket's sensitivity score. These values can serve as reference points for determining where sensitive data might reside in your Amazon S3 data estate, and identifying and monitoring potential security risks for that data.

By default, an S3 bucket's sensitivity score and label reflect the results of automated sensitive data discovery activities that Macie has performed thus far for the bucket. They don't reflect the results of sensitive data discovery jobs that you create and run. In addition, neither the score nor the label implies or otherwise indicates the criticality or importance that a bucket or a bucket's objects might have for you or your organization. However, you can override a bucket's calculated score by manually assigning the maximum score (*100*) to the bucket. This also assigns the *Sensitive* label to the bucket. To override a calculated score, you must be the Macie administrator for the account that owns the bucket, or have a standalone Macie account.

**Topics**
+ [Sensitivity scoring dimensions and ranges](#discovery-scoring-s3-dimensions)
+ [Monitoring sensitivity scores](#discovery-scoring-s3-monitoring)

## Sensitivity scoring dimensions and ranges
<a name="discovery-scoring-s3-dimensions"></a>

If it's calculated by Amazon Macie, an S3 bucket's sensitivity score is a quantitative measure of the intersection of two primary dimensions: 
+ The amount of sensitive data that Macie has found in the bucket. This derives primarily from the nature and number of sensitive data types that Macie has found in the bucket, and the number of occurrences of each type.
+ The amount of data that Macie has analyzed in the bucket. This derives primarily from the number of unique objects that Macie has analyzed in the bucket relative to the total number of unique objects in the bucket. 

An S3 bucket's sensitivity score also determines which sensitivity label Macie assigns to the bucket. The sensitivity label is a qualitative representation of the score—for example, *Sensitive* or *Not sensitive*. On the Amazon Macie console, a bucket's sensitivity score also determines which color Macie uses to represent the bucket in data visualizations, as shown in the following image.

![\[The color spectrum for sensitivity scores: blue hues for 1-49, red hues for 51-100, and gray for -1.\]](http://docs.aws.amazon.com/macie/latest/user/images/sensitivity-scoring-spectrum.png)


Sensitivity scores range from *-1* through *100*, as described in the following table. To assess inputs to an S3 bucket's score, you can refer to sensitive data discovery statistics and other details that Macie provides about the bucket. 


| Sensitivity score | Sensitivity label | Additional information | 
| --- | --- | --- | 
| -1 | Classification error |  Macie hasn't successfully analyzed any of the bucket's objects yet due to object-level classification errors—issues with object-level permissions settings, object content, or quotas.  When Macie tried to analyze one or more objects in the bucket, errors occurred. For example, an object is a malformed file, or an object is encrypted with a key that Macie can't access or isn't allowed to use. Coverage data for the bucket can help you investigate and remediate the errors. For more information, see [Assessing automated sensitive data discovery coverage](discovery-coverage.md). Macie will continue to try to analyze objects in the bucket. If Macie analyzes an object successfully, Macie will update the bucket's sensitivity score and label to reflect the results of the analysis.  | 
| 1-49 | Not sensitive |  In this range, a higher score, such as *49*, indicates that Macie has analyzed relatively few objects in the bucket. A lower score, such as *1*, indicates that Macie has analyzed many objects in the bucket (relative to the total number of objects in the bucket) and detected relatively few types and occurrences of sensitive data in those objects. A score of *1* can also indicate that the bucket doesn't store any objects or all the objects in the bucket contain zero (0) bytes of data. Object statistics in the bucket's details can help you determine if this is the case. For more information, see [Reviewing S3 bucket details](discovery-asdd-results-s3-inventory-details.md).  | 
| 50 | Not yet analyzed |  Macie hasn't tried to analyze or analyzed any of the bucket's objects yet. Macie automatically assigns this score when automated discovery is initially enabled or a bucket is added to the bucket inventory for an account. In an organization, a bucket can also have this score if automated discovery has never been enabled for the account that owns the bucket. A score of *50* can also indicate that the bucket's permissions settings prevent Macie from accessing the bucket or the bucket’s objects. This is typically due to a restrictive bucket policy. The bucket's details can help you determine if this is the case because Macie can provide only a subset of information about the bucket. For information about how to address this issue, see [Allowing Macie to access S3 buckets and objects](monitoring-restrictive-s3-buckets.md).  | 
| 51-99 | Sensitive |  In this range, a higher score, such as *99*, indicates that Macie has analyzed many objects in the bucket (relative to the total number of objects in the bucket) and detected many types and occurrences of sensitive data in those objects. A lower score, such as *51*, indicates that Macie has analyzed a moderate number of objects in the bucket (relative to the total number of objects in the bucket) and detected at least a few types and occurrences of sensitive data in those objects.  | 
| 100 | Sensitive |  The score was manually assigned to the bucket, overriding the calculated score. Macie doesn't assign this score to buckets.  | 

## Monitoring sensitivity scores
<a name="discovery-scoring-s3-monitoring"></a>

When automated sensitive data discovery is initially enabled for an account, Amazon Macie automatically assigns a sensitivity score of *50* to each S3 bucket that the account owns. Macie also assigns this score to a bucket when the bucket is added to the bucket inventory for an account. Based on that score, each bucket's sensitivity label is *Not yet analyzed*. The exception is an empty bucket, which is a bucket that doesn't store any objects or whose objects all contain zero (0) bytes of data. If this is the case for a bucket, Macie assigns a score of *1* to the bucket and the bucket's sensitivity label is *Not sensitive*.

As automated sensitive data discovery progresses each day, Macie updates sensitivity scores and labels for S3 buckets to reflect the results of its analysis. For example:
+ If Macie doesn't find sensitive data in an object, Macie decreases the bucket's sensitivity score and updates the sensitivity label as necessary.
+ If Macie finds sensitive data in an object, Macie increases the bucket's sensitivity score and updates the sensitivity label as necessary.
+ If Macie finds sensitive data in an object that's subsequently changed, Macie removes sensitive data detections for the object from the bucket's sensitivity score and updates the sensitivity label as necessary.
+ If Macie finds sensitive data in an object that's subsequently deleted, Macie removes sensitive data detections for the object from the bucket's sensitivity score and updates the sensitivity label as necessary.
+ If an object is added to a bucket that was previously empty and Macie finds sensitive data in the object, Macie increases the bucket's sensitivity score and updates the sensitivity label as necessary.
+ If a bucket's permissions settings prevent Macie from accessing or retrieving information about the bucket or the bucket’s objects, Macie changes the bucket's sensitivity score to *50* and changes the bucket's sensitivity label to *Not yet analyzed*.

Analysis results can begin to appear within 48 hours of enabling automated sensitive data discovery for an account.

If you're the Macie administrator for an organization or you have a standalone Macie account, you can adjust sensitivity scoring settings for your organization or account:
+ To adjust the settings for subsequent analyses of all S3 buckets, change the settings for your account. You can start including or excluding specific managed data identifiers, custom data identifiers, or allow lists. You can also exclude specific buckets. For more information, see [Configuring automated discovery settings](discovery-asdd-account-configure.md).
+ To adjust the settings for individual S3 buckets, change the settings for each bucket. You can include or exclude specific types of sensitive data from a bucket's score. You can also specify whether to assign an automatically calculated score to a bucket. For more information, see [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md).

If you disable automated sensitive data discovery, the effect varies for existing sensitivity scores and labels. If you disable it for a member account in an organization, existing scores and labels persist for S3 buckets that the account owns. If you disable it for an organization overall or a standalone Macie account, existing scores and labels persist for only 30 days. After 30 days, Macie resets scores and labels for all the buckets that the organization or account owns. If a bucket stores objects, Macie changes the score to *50* and assigns the *Not yet analyzed* label to the bucket. If a bucket is empty, Macie changes the score to *1* and assigns the *Not sensitive* label to the bucket. After this reset, Macie stops updating sensitivity scores and labels for the buckets, unless you enable automated sensitive data discovery for the organization or account again.

# Default settings for automated sensitive data discovery
<a name="discovery-asdd-settings-defaults"></a>

If automated sensitive data discovery is enabled, Amazon Macie automatically selects and analyzes sample objects from all the Amazon Simple Storage Service (Amazon S3) general purpose buckets for your account. If you're the Macie administrator for an organization, by default this includes S3 buckets that your member accounts own. 

If you're a Macie administrator or you have a standalone Macie account, you can refine the scope of the analyses by excluding specific S3 buckets from automated sensitive data discovery. You can do this in two ways: by changing the settings for your account, and by changing the settings for individual buckets. As a Macie administrator, you can also enable or disable automated sensitive data discovery for individual accounts in your organization.

By default, Macie analyzes S3 objects by using only the set of managed data identifiers that we recommend for automated sensitive data discovery. Macie doesn't use any custom data identifiers or allow lists that you defined. If you're a Macie administrator or you have a standalone Macie account, you can customize the analyses by configuring Macie to use specific managed data identifiers, custom data identifiers, and allow lists. You can do this by changing the settings for your account. 

For information about changing your settings, see [Configuring settings for automated sensitive data discovery](discovery-asdd-account-configure.md).

**Topics**
+ [Default managed data identifiers](#discovery-asdd-settings-defaults-mdis)
+ [Updates to the default settings](#discovery-asdd-mdis-default-updates)

## Default managed data identifiers for automated sensitive data discovery
<a name="discovery-asdd-settings-defaults-mdis"></a>

By default, Amazon Macie analyzes S3 objects by using only the set of managed data identifiers that we recommend for automated sensitive data discovery. This default set of managed data identifiers is designed to detect common categories and types of sensitive data. Based on our research, it can detect general categories and types of sensitive data while also optimizing your results by reducing noise.

The default set is dynamic. As we release new managed data identifiers, we add them to the default set if they're likely to further optimize your automated sensitive data discovery results. Over time, we might also add or remove existing managed data identifiers from the set. Removal of a managed data identifier doesn't affect existing sensitive data discovery statistics and details for your S3 buckets. For example, if we remove the managed data identifier for a type of sensitive data that Macie previously detected in a bucket, Macie continues to report those detections. If we add or remove a managed data identifier from the default set, we update this page to indicate the nature and timing of the change. For automatic alerts about these changes, you can subscribe to the RSS feed on the [Macie document history](doc-history.md) page.

The following topics list the managed data identifiers that are currently in the default set, organized by sensitive data category and type. They specify the unique identifier (ID) for each managed data identifier in the set. This ID describes the type of sensitive data that a managed data identifier is designed to detect, for example: `PGP_PRIVATE_KEY` for PGP private keys and `USA_PASSPORT_NUMBER` for US passport numbers. If you change your settings for automated sensitive data discovery, you can use this ID to explicitly exclude a managed data identifier from subsequent analyses.

**Topics**
+ [Credentials](#discovery-asdd-settings-defaults-mdis-credentials)
+ [Financial information](#discovery-asdd-settings-defaults-mdis-financial)
+ [Personally identifiable information (PII)](#discovery-asdd-settings-defaults-mdis-pii)

For details about specific managed data identifiers or a complete list of all the managed data identifiers that Macie currently provides, see [Using managed data identifiers](managed-data-identifiers.md).

### Credentials
<a name="discovery-asdd-settings-defaults-mdis-credentials"></a>

To detect occurrences of credentials data in S3 objects, Macie uses the following managed data identifiers by default.


| Sensitive data type | Managed data identifier ID | 
| --- | --- | 
| AWS secret access key | AWS\_CREDENTIALS |
| HTTP Basic Authorization header | HTTP\_BASIC\_AUTH\_HEADER |
| OpenSSH private key | OPENSSH\_PRIVATE\_KEY |
| PGP private key | PGP\_PRIVATE\_KEY |
| Public Key Cryptography Standard (PKCS) private key | PKCS |
| PuTTY private key | PUTTY\_PRIVATE\_KEY |

### Financial information
<a name="discovery-asdd-settings-defaults-mdis-financial"></a>

To detect occurrences of financial information in S3 objects, Macie uses the following managed data identifiers by default.


| Sensitive data type | Managed data identifier ID | 
| --- | --- | 
| Credit card magnetic stripe data | CREDIT\_CARD\_MAGNETIC\_STRIPE |
| Credit card number | CREDIT\_CARD\_NUMBER (for credit card numbers in proximity of a keyword) |

### Personally identifiable information (PII)
<a name="discovery-asdd-settings-defaults-mdis-pii"></a>

To detect occurrences of personally identifiable information (PII) in S3 objects, Macie uses the following managed data identifiers by default.


| Sensitive data type | Managed data identifier ID | 
| --- | --- | 
| Driver’s license identification number | CANADA\_DRIVERS\_LICENSE, DRIVERS\_LICENSE (for the US), UK\_DRIVERS\_LICENSE |
| Electoral roll number | UK\_ELECTORAL\_ROLL\_NUMBER |
| National identification number | FRANCE\_NATIONAL\_IDENTIFICATION\_NUMBER, GERMANY\_NATIONAL\_IDENTIFICATION\_NUMBER, ITALY\_NATIONAL\_IDENTIFICATION\_NUMBER, SPAIN\_DNI\_NUMBER |
| National Insurance Number (NINO) | UK\_NATIONAL\_INSURANCE\_NUMBER |
| Passport number | CANADA\_PASSPORT\_NUMBER, FRANCE\_PASSPORT\_NUMBER, GERMANY\_PASSPORT\_NUMBER, ITALY\_PASSPORT\_NUMBER, SPAIN\_PASSPORT\_NUMBER, UK\_PASSPORT\_NUMBER, USA\_PASSPORT\_NUMBER |
| Social Insurance Number (SIN) | CANADA\_SOCIAL\_INSURANCE\_NUMBER |
| Social Security number (SSN) | SPAIN\_SOCIAL\_SECURITY\_NUMBER, USA\_SOCIAL\_SECURITY\_NUMBER |
| Taxpayer identification or reference number | AUSTRALIA\_TAX\_FILE\_NUMBER, BRAZIL\_CPF\_NUMBER, FRANCE\_TAX\_IDENTIFICATION\_NUMBER, GERMANY\_TAX\_IDENTIFICATION\_NUMBER, SPAIN\_NIE\_NUMBER, SPAIN\_NIF\_NUMBER, SPAIN\_TAX\_IDENTIFICATION\_NUMBER, USA\_INDIVIDUAL\_TAX\_IDENTIFICATION\_NUMBER |

## Updates to the default settings for automated sensitive data discovery
<a name="discovery-asdd-mdis-default-updates"></a>

The following table describes changes to the settings that Amazon Macie uses by default for automated sensitive data discovery. For automatic alerts about these changes, subscribe to the RSS feed on the [Macie document history](doc-history.md) page.


| Change | Description | Date | 
| --- | --- | --- | 
|  Implemented a new, dynamic set of default managed data identifiers  |  New automated sensitive data discovery configurations are now based on a dynamic [default set of managed data identifiers](#discovery-asdd-settings-defaults-mdis). If you enable automated sensitive data discovery for the first time on or after this date, your configuration is based on the dynamic set. If you enabled automated sensitive data discovery for the first time before this date, your configuration is based on a different set of managed data identifiers. For more information, see the notes after this table.  | August 2, 2023 | 
|  General availability  |  Initial release of automated sensitive data discovery.  |  November 28, 2022  | 

If you initially enabled automated sensitive data discovery prior to August 2, 2023, your configuration isn't based on the dynamic set of default managed data identifiers. Instead, it's based on a static set of managed data identifiers that we defined for the initial release of automated sensitive data discovery, as listed in the table below.

To determine when you initially enabled automated sensitive data discovery, you can use the Amazon Macie console: choose **Automated sensitive data discovery** in the navigation pane, and then refer to the enabled date in the **Status** section. You can also do this programmatically: use the [GetAutomatedDiscoveryConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/automated-discovery-configuration.html) operation of the Amazon Macie API and refer to the value for the `firstEnabledAt` field. If the date is prior to August 2, 2023, and you want to start using the dynamic set of default managed data identifiers, contact AWS Support for assistance.

The following table lists all the managed data identifiers that are in the static set. The table is sorted first by sensitive data category and then by sensitive data type. For details about specific managed data identifiers, see [Using managed data identifiers](managed-data-identifiers.md).


| Sensitive data category | Sensitive data type | Managed data identifier ID | 
| --- | --- | --- | 
| Credentials | AWS secret access key | AWS\_CREDENTIALS |
| Credentials | HTTP Basic Authorization header | HTTP\_BASIC\_AUTH\_HEADER |
| Credentials | OpenSSH private key | OPENSSH\_PRIVATE\_KEY |
| Credentials | PGP private key | PGP\_PRIVATE\_KEY |
| Credentials | Public Key Cryptography Standard (PKCS) private key | PKCS |
| Credentials | PuTTY private key | PUTTY\_PRIVATE\_KEY |
| Financial information | Bank account number | BANK\_ACCOUNT\_NUMBER (for Canadian and US bank account numbers), FRANCE\_BANK\_ACCOUNT\_NUMBER, GERMANY\_BANK\_ACCOUNT\_NUMBER, ITALY\_BANK\_ACCOUNT\_NUMBER, SPAIN\_BANK\_ACCOUNT\_NUMBER, UK\_BANK\_ACCOUNT\_NUMBER |
| Financial information | Credit card expiration date | CREDIT\_CARD\_EXPIRATION |
| Financial information | Credit card magnetic stripe data | CREDIT\_CARD\_MAGNETIC\_STRIPE |
| Financial information | Credit card number | CREDIT\_CARD\_NUMBER (for credit card numbers in proximity of a keyword) |
| Financial information | Credit card verification code | CREDIT\_CARD\_SECURITY\_CODE |
| Personal information: Personal health information (PHI) | Drug Enforcement Agency (DEA) Registration Number | US\_DRUG\_ENFORCEMENT\_AGENCY\_NUMBER |
| Personal information: PHI | Health Insurance Claim Number (HICN) | USA\_HEALTH\_INSURANCE\_CLAIM\_NUMBER |
| Personal information: PHI | Health insurance or medical identification number | CANADA\_HEALTH\_NUMBER, EUROPEAN\_HEALTH\_INSURANCE\_CARD\_NUMBER, FINLAND\_EUROPEAN\_HEALTH\_INSURANCE\_NUMBER, FRANCE\_HEALTH\_INSURANCE\_NUMBER, UK\_NHS\_NUMBER, USA\_MEDICARE\_BENEFICIARY\_IDENTIFIER |
| Personal information: PHI | Healthcare Common Procedure Coding System (HCPCS) code | USA\_HEALTHCARE\_PROCEDURE\_CODE |
| Personal information: PHI | National Drug Code (NDC) | USA\_NATIONAL\_DRUG\_CODE |
| Personal information: PHI | National Provider Identifier (NPI) | USA\_NATIONAL\_PROVIDER\_IDENTIFIER |
| Personal information: PHI | Unique device identifier (UDI) | MEDICAL\_DEVICE\_UDI |
| Personal information: Personally identifiable information (PII) | Birth date | DATE\_OF\_BIRTH |
| Personal information: PII | Driver’s license identification number | AUSTRALIA\_DRIVERS\_LICENSE, AUSTRIA\_DRIVERS\_LICENSE, BELGIUM\_DRIVERS\_LICENSE, BULGARIA\_DRIVERS\_LICENSE, CANADA\_DRIVERS\_LICENSE, CROATIA\_DRIVERS\_LICENSE, CYPRUS\_DRIVERS\_LICENSE, CZECHIA\_DRIVERS\_LICENSE, DENMARK\_DRIVERS\_LICENSE, DRIVERS\_LICENSE (for the US), ESTONIA\_DRIVERS\_LICENSE, FINLAND\_DRIVERS\_LICENSE, FRANCE\_DRIVERS\_LICENSE, GERMANY\_DRIVERS\_LICENSE, GREECE\_DRIVERS\_LICENSE, HUNGARY\_DRIVERS\_LICENSE, IRELAND\_DRIVERS\_LICENSE, ITALY\_DRIVERS\_LICENSE, LATVIA\_DRIVERS\_LICENSE, LITHUANIA\_DRIVERS\_LICENSE, LUXEMBOURG\_DRIVERS\_LICENSE, MALTA\_DRIVERS\_LICENSE, NETHERLANDS\_DRIVERS\_LICENSE, POLAND\_DRIVERS\_LICENSE, PORTUGAL\_DRIVERS\_LICENSE, ROMANIA\_DRIVERS\_LICENSE, SLOVAKIA\_DRIVERS\_LICENSE, SLOVENIA\_DRIVERS\_LICENSE, SPAIN\_DRIVERS\_LICENSE, SWEDEN\_DRIVERS\_LICENSE, UK\_DRIVERS\_LICENSE |
| Personal information: PII | Electoral roll number | UK\_ELECTORAL\_ROLL\_NUMBER |
| Personal information: PII | Full name | NAME |
| Personal information: PII | Global Positioning System (GPS) coordinates | LATITUDE\_LONGITUDE |
| Personal information: PII | Mailing address | ADDRESS, BRAZIL\_CEP\_CODE |
| Personal information: PII | National identification number | BRAZIL\_RG\_NUMBER, FRANCE\_NATIONAL\_IDENTIFICATION\_NUMBER, GERMANY\_NATIONAL\_IDENTIFICATION\_NUMBER, ITALY\_NATIONAL\_IDENTIFICATION\_NUMBER, SPAIN\_DNI\_NUMBER |
| Personal information: PII | National Insurance Number (NINO) | UK\_NATIONAL\_INSURANCE\_NUMBER |
| Personal information: PII | Passport number | CANADA\_PASSPORT\_NUMBER, FRANCE\_PASSPORT\_NUMBER, GERMANY\_PASSPORT\_NUMBER, ITALY\_PASSPORT\_NUMBER, SPAIN\_PASSPORT\_NUMBER, UK\_PASSPORT\_NUMBER, USA\_PASSPORT\_NUMBER |
| Personal information: PII | Permanent residence number | CANADA\$1NATIONAL\$1IDENTIFICATION\$1NUMBER | 
| Personal information: PII | Phone number | BRAZIL\$1PHONE\$1NUMBER, FRANCE\$1PHONE\$1NUMBER, GERMANY\$1PHONE\$1NUMBER, ITALY\$1PHONE\$1NUMBER, PHONE\$1NUMBER (for Canada and the US), SPAIN\$1PHONE\$1NUMBER, UK\$1PHONE\$1NUMBER | 
| Personal information: PII | Social Insurance Number (SIN) | CANADA\$1SOCIAL\$1INSURANCE\$1NUMBER | 
| Personal information: PII | Social Security number (SSN) | SPAIN\$1SOCIAL\$1SECURITY\$1NUMBER, USA\$1SOCIAL\$1SECURITY\$1NUMBER | 
| Personal information: PII | Taxpayer identification or reference number | AUSTRALIA\$1TAX\$1FILE\$1NUMBER, BRAZIL\$1CNPJ\$1NUMBER, BRAZIL\$1CPF\$1NUMBER, FRANCE\$1TAX\$1IDENTIFICATION\$1NUMBER, GERMANY\$1TAX\$1IDENTIFICATION\$1NUMBER, SPAIN\$1NIE\$1NUMBER, SPAIN\$1NIF\$1NUMBER, SPAIN\$1TAX\$1IDENTIFICATION\$1NUMBER, UK\$1TAX\$1IDENTIFICATION\$1NUMBER, USA\$1INDIVIDUAL\$1TAX\$1IDENTIFICATION\$1NUMBER | 
| Personal information: PII | Vehicle identification number (VIN) | VEHICLE\$1IDENTIFICATION\$1NUMBER | 
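The identifier IDs in the table (underscore-separated names such as `AWS_CREDENTIALS` or `USA_SOCIAL_SECURITY_NUMBER`) are what you pass to the Macie API when you narrow automated discovery to specific managed data identifiers: they go in the `includes.managedDataIdentifierIds` or `excludes.managedDataIdentifierIds` of the account's sensitivity inspection template. The following script is an added example, not code from the Macie documentation: it selects IDs by category, validates them against the catalog that `ListManagedDataIdentifiers` returns (so a typo such as `AWS_CREDENTIAL` or an ID that is both included and excluded is caught before the API call), and applies the result with `UpdateSensitivityInspectionTemplate` through boto3. `SAMPLE_CATALOG` is a constructed excerpt of that catalog so the validation helpers run offline; the template ID `tpl-example` is a placeholder.

```python
"""
Added example (not from the Macie documentation): choose and validate
managed data identifiers for automated sensitive data discovery, then
apply them to the account's sensitivity inspection template with boto3.

IDs such as AWS_CREDENTIALS or USA_SOCIAL_SECURITY_NUMBER are real Macie
managed data identifier IDs. SAMPLE_CATALOG is a constructed excerpt in the
shape of the macie2 ListManagedDataIdentifiers "items" list.
"""
from __future__ import annotations

# Constructed excerpt of a ListManagedDataIdentifiers response. The real
# response lists every managed data identifier with one of the API's three
# category values: CREDENTIALS, FINANCIAL_INFORMATION, PERSONAL_INFORMATION.
SAMPLE_CATALOG = [
    {"category": "CREDENTIALS", "id": "AWS_CREDENTIALS"},
    {"category": "CREDENTIALS", "id": "OPENSSH_PRIVATE_KEY"},
    {"category": "CREDENTIALS", "id": "PKCS"},
    {"category": "FINANCIAL_INFORMATION", "id": "BANK_ACCOUNT_NUMBER"},
    {"category": "FINANCIAL_INFORMATION", "id": "CREDIT_CARD_NUMBER"},
    {"category": "PERSONAL_INFORMATION", "id": "ADDRESS"},
    {"category": "PERSONAL_INFORMATION", "id": "NAME"},
    {"category": "PERSONAL_INFORMATION", "id": "USA_SOCIAL_SECURITY_NUMBER"},
]


def select_identifiers(catalog: list[dict], categories) -> list[str]:
    """Sorted IDs in `catalog` whose category is in `categories`."""
    wanted = set(categories)
    return sorted(item["id"] for item in catalog if item["category"] in wanted)


def unknown_identifier_ids(ids, catalog: list[dict]) -> list[str]:
    """Sorted IDs that are not in the catalog (typos, retired IDs)."""
    known = {item["id"] for item in catalog}
    return sorted(set(ids) - known)


def validate_selection(include_ids, exclude_ids, catalog: list[dict]) -> list[str]:
    """Problems with a selection; an empty list means it is valid.

    Both checks are local to this script: every ID must exist in the
    catalog, and no ID may appear in both includes and excludes.
    """
    include, exclude = set(include_ids), set(exclude_ids)
    problems = [f"unknown managed data identifier: {i}"
                for i in unknown_identifier_ids(include | exclude, catalog)]
    problems += [f"{i} is both included and excluded" for i in sorted(include & exclude)]
    return problems


def build_template_update(template_id: str, include_ids, exclude_ids=(),
                          custom_ids=(), allow_list_ids=(),
                          catalog: list[dict] = SAMPLE_CATALOG) -> dict:
    """Keyword arguments for update_sensitivity_inspection_template.

    Only non-empty lists are sent so the call changes nothing it was not
    asked to change. Raises ValueError before any API call on a bad selection.
    """
    include_ids, exclude_ids = list(include_ids), list(exclude_ids)
    problems = validate_selection(include_ids, exclude_ids, catalog)
    if problems:
        raise ValueError("; ".join(problems))
    request: dict = {"id": template_id}
    includes = {}
    if include_ids:
        includes["managedDataIdentifierIds"] = include_ids
    if list(custom_ids):
        includes["customDataIdentifierIds"] = list(custom_ids)
    if list(allow_list_ids):
        includes["allowListIds"] = list(allow_list_ids)
    if includes:
        request["includes"] = includes
    if exclude_ids:
        request["excludes"] = {"managedDataIdentifierIds": exclude_ids}
    return request


def apply_to_account(include_ids, exclude_ids=(), custom_ids=(), allow_list_ids=(),
                     region_name: str | None = None) -> dict:
    """Fetch the live catalog, validate, and update the account's template.

    Needs boto3 and permission for macie2:ListManagedDataIdentifiers,
    macie2:ListSensitivityInspectionTemplates and
    macie2:UpdateSensitivityInspectionTemplate. Returns the request sent.
    """
    import boto3  # imported here so the offline helpers above run without boto3

    client = boto3.client("macie2", region_name=region_name)
    catalog, token = [], None
    while True:  # ListManagedDataIdentifiers pages with nextToken
        page = client.list_managed_data_identifiers(**({"nextToken": token} if token else {}))
        catalog.extend(page.get("items", []))
        token = page.get("nextToken")
        if not token:
            break
    templates = client.list_sensitivity_inspection_templates()["sensitivityInspectionTemplates"]
    if not templates:
        raise RuntimeError("no sensitivity inspection template; enable automated discovery first")
    request = build_template_update(templates[0]["id"], include_ids, exclude_ids,
                                    custom_ids, allow_list_ids, catalog)
    client.update_sensitivity_inspection_template(**request)
    return request


if __name__ == "__main__":
    # Offline demonstration: all credentials plus US SSNs, with names excluded.
    wanted = select_identifiers(SAMPLE_CATALOG, {"CREDENTIALS"}) + ["USA_SOCIAL_SECURITY_NUMBER"]
    print(build_template_update("tpl-example", wanted, exclude_ids=["NAME"]))
```

Validating against the live catalog rather than a hard-coded copy of this table matters because the set of managed data identifiers changes over time; `apply_to_account` reads the catalog with the same credentials it uses for the update, so the check reflects what the service will actually accept.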