

# Monitoring data security and privacy with Macie

When you enable Amazon Macie for your AWS account, Macie automatically generates and begins maintaining an inventory of your Amazon Simple Storage Service (Amazon S3) general purpose buckets in the current AWS Region. Macie also begins evaluating and monitoring the buckets for security and access control. If Macie detects an event that reduces the security or privacy of a bucket, Macie creates a [policy finding](findings-types.md#findings-policy-types) for you to review and remediate as necessary.

To also evaluate and monitor the S3 buckets for the presence of sensitive data, you can create and run sensitive data discovery jobs. Sensitive data discovery jobs can perform incremental analysis of bucket objects on a daily, weekly, or monthly basis. If Macie detects sensitive data in an S3 object, Macie creates a [sensitive data finding](findings-types.md#findings-sensitive-data-types) to notify you of the sensitive data that it found. Depending on your account settings, you can also configure Macie to perform automated sensitive data discovery. Automated sensitive data discovery uses sampling techniques to continually identify, select, and analyze representative objects in your buckets. For more information about both options, see [Discovering sensitive data](data-classification.md).

Macie also provides constant visibility into the security and privacy of your Amazon S3 data. To assess the security posture of your data and determine where to take action, you can use the **Summary** dashboard on the console. The dashboard provides a snapshot of aggregated statistics for your Amazon S3 data. The statistics include data for key security metrics such as the number of general purpose buckets that are publicly accessible or shared with other AWS accounts. The dashboard also displays groups of aggregated findings data for your account—for example, the names of 1–5 buckets that have the most findings for the preceding seven days. You can drill down on each statistic to review its supporting data. To query the statistics programmatically, use the [GetBucketStatistics](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3-statistics.html) operation of the Amazon Macie API.

For deeper analysis and evaluation, Macie provides detailed information and statistics for individual S3 buckets in your inventory. This includes breakdowns of each bucket’s public access and encryption settings, and the size and number of objects that Macie can analyze to detect sensitive data in the bucket. The inventory also indicates whether you configured sensitive data discovery jobs or automated sensitive data discovery to analyze objects in a bucket. If you have, it indicates when that analysis most recently occurred. You can browse, sort, and filter the inventory by using the Amazon Macie console or the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation of the Amazon Macie API.

If you're the Macie administrator for an organization, you can access statistical and other data about S3 buckets that your member accounts own. You can also access policy findings that Macie generates for the buckets, and inspect the buckets for sensitive data. This means that you can use Macie to assess and monitor the overall security posture of your organization’s Amazon S3 data estate. For more information, see [Managing multiple accounts](macie-accounts.md).

**Topics**
+ [How Macie monitors Amazon S3 data security](monitoring-s3-how-it-works.md)
+ [Assessing your Amazon S3 security posture with Macie](monitoring-s3-dashboard.md)
+ [Analyzing your Amazon S3 security posture with Macie](monitoring-s3-inventory.md)
+ [Allowing Macie to access S3 buckets and objects](monitoring-restrictive-s3-buckets.md)

# How Macie monitors Amazon S3 data security

When you enable Amazon Macie for your AWS account, Macie creates an AWS Identity and Access Management (IAM) [service-linked role](service-linked-roles.md) for your account in the current AWS Region. The permissions policy for this role allows Macie to call other AWS services and monitor AWS resources on your behalf. By using this role, Macie generates and maintains an inventory of your Amazon Simple Storage Service (Amazon S3) general purpose buckets in the Region. Macie also monitors and evaluates the buckets for security and access control.

If you're the Macie administrator for an organization, the inventory includes statistical and other data about S3 buckets for your account and member accounts in your organization. With this data, you can use Macie to monitor and evaluate your organization’s security posture across your Amazon S3 data estate. For more information, see [Managing multiple accounts](macie-accounts.md).

**Topics**
+ [Key components](#monitoring-s3-how-it-works-components)
+ [Data refreshes](#monitoring-s3-how-it-works-data-refresh)
+ [Considerations](#monitoring-s3-how-it-works-considerations)

## Key components

Amazon Macie uses a combination of features and techniques to provide and maintain inventory data for your S3 general purpose buckets, and to monitor and evaluate the buckets for security and access control.

**Gathering metadata and calculating statistics**  
To generate and maintain metadata and statistics for your bucket inventory, Macie retrieves bucket and object metadata directly from Amazon S3. For each bucket, the metadata includes:  
+ General information about the bucket, such as the bucket’s name, Amazon Resource Name (ARN), creation date, encryption settings, tags, and the account ID for the AWS account that owns the bucket.
+ Account-level permissions settings that apply to the bucket, such as the block public access settings for the account.
+ Bucket-level permissions settings for the bucket, such as the block public access settings for the bucket and settings that derive from a bucket policy or access control list (ACL).
+ Shared access and replication settings for the bucket, including whether bucket data is replicated to or shared with AWS accounts that aren’t part of your organization.
+ Object counts and settings for objects in the bucket, such as the number of objects in the bucket and breakdowns of object counts by encryption type, file type, and storage class.
Macie provides this information to you directly. Macie also uses the information to calculate statistics and provide assessments of the security and privacy of your bucket inventory overall and individual buckets in your inventory. For example, you can find the total storage size and number of buckets in your inventory, the total storage size and number of objects in those buckets, and the total storage size and number of objects that Macie can analyze to detect sensitive data in the buckets.  
By default, metadata and statistics include data for any object parts that exist due to incomplete multipart uploads. If you manually refresh object metadata for a specific bucket, Macie recalculates statistics for the bucket and your bucket inventory overall, and excludes data for object parts from the recalculated values. The next time Macie retrieves bucket and object metadata from Amazon S3 as part of the daily refresh cycle, Macie updates your inventory data and includes data for the object parts again. For information about when Macie retrieves bucket and object metadata, see [Data refreshes](#monitoring-s3-how-it-works-data-refresh).  
It's important to note that Macie can’t analyze object parts to detect sensitive data. Amazon S3 must first finish assembling the parts into one or more objects for Macie to analyze. For information about multipart uploads and object parts, including how to delete parts automatically with lifecycle rules, see [Uploading and copying objects using multipart upload](https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html) in the *Amazon Simple Storage Service User Guide*. To identify buckets that contain object parts, you can refer to *incomplete multipart upload* metrics in Amazon S3 Storage Lens. For more information, see [Assessing your storage activity and usage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens.html) in the *Amazon Simple Storage Service User Guide*.

**Monitoring bucket security and privacy**  
To help ensure the accuracy of bucket-level data in your inventory, Macie monitors and analyzes certain [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) events that can occur for Amazon S3 data. If a relevant event occurs, Macie updates the appropriate inventory data.  
For example, if you enable block public access settings for a bucket, Macie updates all data about the bucket’s public access settings. Similarly, if you add or update the bucket policy for a bucket, Macie analyzes the policy and updates the appropriate data in your inventory.  
If Macie determines that an event reduces the security or privacy of a bucket, Macie also creates a [policy finding](findings-types.md#findings-policy-types) for you to review and remediate as necessary.  
Macie monitors and analyzes data for the following CloudTrail events:  
+ **Account-level events** – DeletePublicAccessBlock and PutPublicAccessBlock
+ **Bucket-level events** – CreateBucket, DeleteAccountPublicAccessBlock, DeleteBucket, DeleteBucketEncryption, DeleteBucketPolicy, DeleteBucketPublicAccessBlock, DeleteBucketReplication, DeleteBucketTagging, PutAccountPublicAccessBlock, PutBucketAcl, PutBucketEncryption, PutBucketPolicy, PutBucketPublicAccessBlock, PutBucketReplication, PutBucketTagging, and PutBucketVersioning
You can't enable monitoring for additional CloudTrail events or disable monitoring for any of the preceding events. For detailed information about corresponding operations for the preceding events, see the [Amazon Simple Storage Service API Reference](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_Simple_Storage_Service.html).  
To monitor object-level events, we recommend that you use the Amazon S3 protection feature of Amazon GuardDuty. This feature monitors object-level, Amazon S3 data events and analyzes them for malicious and suspicious activity. For more information, see [GuardDuty S3 Protection](https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html) in the *Amazon GuardDuty User Guide*.

**Evaluating bucket security and access control**  
To evaluate bucket-level security and access control, Macie uses automated, logic-based reasoning to analyze resource-based policies that apply to a bucket. Macie also analyzes the account- and bucket-level permissions settings that apply to a bucket. This analysis factors bucket policies, bucket-level ACLs, and block public access settings for the account and the bucket.  
For resource-based policies, Macie uses [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/). Zelkova is an automated reasoning engine that translates AWS Identity and Access Management (IAM) policies into logical statements and runs a suite of general-purpose and specialized logical solvers (*satisfiability modulo theories*) against the decision problem. To learn more about the nature of the solvers that Zelkova uses, see [Satisfiability Modulo Theories](https://people.eecs.berkeley.edu/~sseshia/pubdir/SMT-BookChapter.pdf).  
Macie applies Zelkova repeatedly to a resource-based policy, using increasingly specific queries to characterize the classes of behaviors that the policy allows. The analysis is designed to identify potential security risks for your Amazon S3 data and minimize false negatives. It doesn’t include AWS Organizations authorization policies that define the maximum available permissions for your organization’s resources, such as service control policies (SCPs) or resource control policies (RCPs). It also doesn’t include key policies for associated AWS KMS keys. For example, if a bucket policy uses the [s3:x-amz-server-side-encryption-aws-kms-key-id](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-policy-keys) condition key to restrict write access to the bucket, Macie doesn't analyze the key policy for the specified key. This means that Macie might report that the bucket is publicly accessible, depending on other components of the bucket policy and Amazon S3 permissions settings that apply to the bucket.  
In addition, when Macie assesses the security and privacy of a bucket, it doesn’t examine access logs or analyze users, roles, and other relevant configurations for accounts. Instead, Macie analyzes and reports data for key settings that indicate *potential* security risks. For example, if a policy finding indicates that a bucket is publicly accessible, it doesn’t necessarily mean that an external entity accessed the bucket. Similarly, if a policy finding indicates that a bucket is shared with an AWS account outside your organization, Macie doesn’t attempt to determine whether this access is intended and safe. Instead, these findings indicate that an external entity can potentially access the bucket's data, which may be an unintended security risk.  
If Macie reports that an external entity can potentially access an S3 bucket, we recommend that you review the bucket’s policy and settings to determine whether this access is intended and safe. If applicable, also review policies and settings for associated resources, such as AWS KMS keys, and AWS Organizations authorization policies for your organization.
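To make the KMS key policy caveat concrete, here is an added example (not code from the Macie documentation or service): a constructed bucket policy whose write statement is gated only by the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition, and a small Python lint that lists such statements so you know which key policies to review by hand. The policy, bucket name, account ID and key ID are constructed placeholders, and the lint is a simple structural check, not Macie's reasoning-based analysis.

```python
import json

# Condition key that Macie recognizes in a bucket policy but whose referenced KMS
# key policy Macie does not analyze (condition keys match case-insensitively).
KMS_KEY_CONDITION = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Constructed example bucket policy (not from the Macie documentation). Statement
# "KmsGatedWrites" lets any principal put objects as long as they are encrypted
# with one specific KMS key; whether that is safe depends on the key policy,
# which Macie does not read, so Macie may still report the bucket as public.
EXAMPLE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KmsGatedWrites",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id":
            "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
        }
      }
    },
    {
      "Sid": "OrgReads",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}
    }
  ]
}
""")


def _is_public_principal(principal):
    """True if the statement names the wildcard principal in either accepted form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def kms_gated_public_statements(policy):
    """Return (Sid, key ID) for each Allow statement that grants access to a public
    principal and whose only condition is the SSE-KMS key ID check. The referenced
    key policy must be reviewed by hand, because Macie evaluates the statement
    without it and may report the bucket as publicly accessible."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        condition = stmt.get("Condition") or {}
        key_ids = [value for operand in condition.values()
                   for key, value in operand.items() if key.lower() == KMS_KEY_CONDITION]
        all_keys = {key.lower() for operand in condition.values() for key in operand}
        if key_ids and all_keys == {KMS_KEY_CONDITION}:
            flagged.append((stmt.get("Sid", "<no Sid>"), key_ids[0]))
    return flagged


if __name__ == "__main__":
    for sid, key_id in kms_gated_public_statements(EXAMPLE_BUCKET_POLICY):
        print(f"{sid}: public principal gated only by KMS key {key_id}; review that key's policy")
```

The OrgReads statement is not flagged because its condition is an organization check rather than a KMS key reference; Macie can evaluate that condition from the bucket policy alone.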

**Important**  
To perform the preceding tasks for a bucket, the bucket must be an S3 general purpose bucket. Macie doesn't monitor or analyze S3 directory buckets.  
In addition, Macie must be allowed to access the bucket. If a bucket's permissions settings prevent Macie from retrieving metadata for the bucket or the bucket's objects, Macie can only provide a subset of information about the bucket, such as the bucket's name and creation date. Macie can't perform any additional tasks for the bucket. For more information, see [Allowing Macie to access S3 buckets and objects](monitoring-restrictive-s3-buckets.md).  
Macie can perform the preceding tasks for up to 10,000 buckets for an account. If you store more than 10,000 buckets in Amazon S3, Macie performs these tasks only for the 10,000 buckets that were most recently created or changed. For all other buckets, Macie doesn't maintain complete inventory data, evaluate or monitor the security and privacy of the buckets' data, or generate policy findings. Instead, Macie only provides a subset of information about the buckets.

## Data refreshes

When you enable Amazon Macie for your AWS account, Macie retrieves metadata for your S3 general purpose buckets and objects directly from Amazon S3. Thereafter, Macie automatically retrieves bucket and object metadata directly from Amazon S3 on a daily basis as part of a daily refresh cycle.

Macie also retrieves bucket metadata directly from Amazon S3 when any of the following occurs:
+ Macie detects a relevant AWS CloudTrail event.
+ You refresh your inventory data by choosing refresh (![The refresh button, which is a button that displays an empty blue circle with an arrow.](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) on the Amazon Macie console. Depending on the size of your data estate, you can refresh the data as frequently as every five minutes.
+ You submit a [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) request to the Amazon Macie API programmatically and Macie has finished processing any preceding **DescribeBuckets** requests.

Macie can also retrieve the latest object metadata for a specific bucket if you choose to manually refresh that data. This can be helpful if you recently created a bucket or made significant changes to a bucket's objects during the past 24 hours. To manually refresh object metadata for a bucket, choose refresh (![The refresh button, which is a button that displays an empty, dark gray circle with an arrow.](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-object-data.png)) in the **Object statistics** section of the [bucket details panel](monitoring-s3-inventory-review.md#monitoring-s3-inventory-view-details) on the **S3 buckets** page of the console. This feature is available for buckets that store 30,000 or fewer objects.

To determine when Macie most recently retrieved bucket or object metadata for your account, you can refer to the **Last updated** field on the console. This field appears on the **Summary** dashboard, on the **S3 buckets** page, and in the [bucket details panel](monitoring-s3-inventory-review.md#monitoring-s3-inventory-view-details) on the **S3 buckets** page. If you use the Amazon Macie API to query inventory data, the `lastUpdated` field provides this information. If you're the Macie administrator for an organization, the field indicates the earliest date and time when Macie retrieved the data for an account in your organization.

Each time Macie retrieves bucket or object metadata, Macie automatically updates the appropriate data in your inventory. If Macie detects differences that affect the security or privacy of a bucket, Macie immediately begins evaluating and analyzing the changes. When the analysis is complete, Macie updates the appropriate data in your inventory. If any differences reduce the security or privacy of a bucket, Macie also creates the appropriate [policy findings](findings-types.md#findings-policy-types) for you to review and remediate as necessary. Macie does this for as many as 10,000 buckets for your account. If you have more than 10,000 buckets, Macie does this for the 10,000 buckets that were most recently created or changed. If you're the Macie administrator for an organization, this quota applies to each account in your organization, not your organization overall.

On rare occasions, latency and other issues might prevent Macie from retrieving bucket and object metadata. They might also delay the notifications that Macie receives about changes to your bucket inventory or to the permissions settings and policies for individual buckets. For example, delivery issues with CloudTrail events might cause delays. If this happens, Macie analyzes new and updated data the next time it performs the daily refresh, which is within 24 hours.

## Considerations

As you use Amazon Macie to monitor and assess the security posture of your Amazon S3 data, keep the following in mind:
+ Inventory data applies only to S3 general purpose buckets in the current AWS Region. To access the data for additional Regions, enable and use Macie in each additional Region.
+ If you're the Macie administrator for an organization, you can access inventory data for a member account only if Macie is enabled for that account in the current Region.
+ Macie can provide complete inventory data for no more than 10,000 buckets for an account. In addition, Macie can evaluate and monitor the security and privacy of no more than 10,000 buckets for an account. If your account exceeds this quota, Macie evaluates, monitors, and provides detailed information about the 10,000 buckets that were most recently created or changed. For all other buckets, Macie only provides a subset of information about the buckets.

  If your account approaches this quota, we notify you by creating an AWS Health event for your account. We also send email to the address that’s associated with your account. We notify you again if your account exceeds the quota. If you're a Macie administrator, this quota applies to each account in your organization, not your organization overall.
+ If a bucket's permissions settings prevent Macie from retrieving information about the bucket or the bucket’s objects, Macie can't evaluate and monitor the security and privacy of the bucket's data or provide detailed information about the bucket. To help you identify a bucket where this is the case, Macie does the following:
  + In your bucket inventory on the console, Macie displays a warning icon (![The warning icon, which is a red triangle that has an exclamation point in it.](http://docs.aws.amazon.com/macie/latest/user/images/icon-warning-red.png)) for the bucket.
  + For the bucket's details, Macie provides data for only a subset of fields: the account ID for the AWS account that owns the bucket; the bucket's name, Amazon Resource Name (ARN), creation date, and Region; and the date and time when Macie most recently retrieved both bucket and object metadata for the bucket as part of the daily refresh cycle. If you query inventory data programmatically with the Amazon Macie API, Macie also provides an error code and message for the bucket.
  + In the **Summary** dashboard on the console, the bucket has a value of **Unknown** for **Public access**, **Encryption**, and **Sharing** statistics. In addition, Macie excludes the bucket when it calculates data for **Storage** and **Objects** statistics.
  + If you query aggregated statistics programmatically by using the [GetBucketStatistics](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3-statistics.html) operation, the bucket has a value of `unknown` for many statistics and Macie excludes the bucket when it calculates object counts and storage size values.

  To investigate the issue, review the bucket’s policy and permissions settings in Amazon S3. For example, the bucket might have a restrictive bucket policy. For more information, see [Allowing Macie to access S3 buckets and objects](monitoring-restrictive-s3-buckets.md).
+ Data about access and permissions is limited to account- and bucket-level settings. It doesn’t reflect object-level settings that determine access to specific objects in a bucket. For example, if public access is enabled for a specific object in a bucket, Macie doesn’t report that the bucket or the bucket’s objects are publicly accessible.

  To monitor object-level operations and identify potential security risks, we recommend that you use the Amazon S3 protection feature of Amazon GuardDuty. This feature monitors object-level, Amazon S3 data events and analyzes them for malicious and suspicious activity. For more information, see [GuardDuty S3 Protection](https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html) in the *Amazon GuardDuty User Guide*.
+ If you manually refresh object metadata for a specific bucket:
  + Macie temporarily reports *Unknown* for encryption statistics that apply to the objects. The next time Macie performs the daily data refresh (within 24 hours), Macie re-evaluates the encryption metadata for the objects and reports quantitative data for the statistics again.
  + Macie temporarily excludes data for any object parts that the bucket contains due to incomplete multipart uploads. The next time Macie performs the daily data refresh (within 24 hours), Macie recalculates counts and storage size values for the bucket’s objects and includes data for the parts in those calculations.
+ In certain cases, Macie might not be able to determine whether a bucket is publicly accessible or shared, or requires server-side encryption of new objects. For example, a quota or temporary issue might prevent Macie from retrieving and analyzing the requisite data. Or Macie might not be able to fully determine whether one or more policy statements grant access to an external entity. In these cases, Macie reports *Unknown* for the relevant statistics and fields in your bucket inventory. To investigate these cases, review the bucket’s policy and permissions settings in Amazon S3.

Also note that Macie generates policy findings only if the security or privacy of a bucket is reduced after you enable Macie for your account. For example, if you disable block public access settings for a bucket after you enable Macie, Macie generates a **Policy:IAMUser/S3BlockPublicAccessDisabled** finding for the bucket. However, if block public access settings were disabled for a bucket when you enabled Macie and they continue to be disabled, Macie doesn't generate a **Policy:IAMUser/S3BlockPublicAccessDisabled** finding for the bucket.
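The considerations above translate into a short triage of the inventory that the DescribeBuckets operation returns. The following is an added example, not code from the Macie documentation or service: it groups buckets that Macie reports as publicly accessible or shared outside the organization, buckets Macie cannot access (an error code is present), buckets with Unknown values, and buckets where block public access is not fully enabled at either the account or bucket level, which is worth baselining because Macie creates a **Policy:IAMUser/S3BlockPublicAccessDisabled** finding only for changes made after you enable it. The sample inventory is constructed; the field names follow the Macie API's BucketMetadata object as I understand it, and the boto3 paginator used in `fetch_bucket_inventory` is an assumption that runs only when you call it with AWS credentials.

```python
from collections import defaultdict

# The four S3 Block Public Access flags as named in Macie's BlockPublicAccess object.
BPA_FLAGS = ("blockPublicAcls", "blockPublicPolicy", "ignorePublicAcls", "restrictPublicBuckets")

def _bpa(**overrides):
    """Build a BlockPublicAccess dict with every flag off unless overridden."""
    return {flag: overrides.get(flag, False) for flag in BPA_FLAGS}

def _perm_config(account_bpa, bucket_bpa):
    """Shape of publicAccess.permissionConfiguration in a DescribeBuckets result."""
    return {"accountLevelPermissions": {"blockPublicAccess": account_bpa},
            "bucketLevelPermissions": {"blockPublicAccess": bucket_bpa}}

# Constructed sample of the "buckets" array that DescribeBuckets returns, trimmed
# to the fields this triage reads. Bucket names and values are invented.
SAMPLE_BUCKETS = [
    {   # Reported as publicly accessible; Block Public Access off at both levels.
        "bucketName": "public-assets-example",
        "publicAccess": {"effectivePermission": "PUBLIC",
                         "permissionConfiguration": _perm_config(_bpa(), _bpa())},
        "sharedAccess": "NOT_SHARED",
        "allowsUnencryptedObjectUploads": "TRUE",
    },
    {   # Not public, but shared with an account outside the organization.
        "bucketName": "partner-share-example",
        "publicAccess": {"effectivePermission": "NOT_PUBLIC",
                         "permissionConfiguration": _perm_config(
                             _bpa(), _bpa(**dict.fromkeys(BPA_FLAGS, True)))},
        "sharedAccess": "EXTERNAL",
        "allowsUnencryptedObjectUploads": "FALSE",
    },
    {   # Macie was denied access: only a subset of fields plus an error code.
        "bucketName": "locked-down-example",
        "errorCode": "ACCESS_DENIED",
        "errorMessage": "constructed example message",
    },
    {   # Macie could not fully evaluate the bucket: Unknown values.
        "bucketName": "odd-policy-example",
        "publicAccess": {"effectivePermission": "UNKNOWN",
                         "permissionConfiguration": _perm_config(
                             _bpa(), _bpa(blockPublicAcls=True, ignorePublicAcls=True))},
        "sharedAccess": "UNKNOWN",
        "allowsUnencryptedObjectUploads": "UNKNOWN",
    },
]

def _bpa_incomplete(account_bpa, bucket_bpa):
    """True if any flag is off at both levels. Account- and bucket-level settings
    both apply, so a flag is effectively on when either level enables it."""
    return any(not (account_bpa.get(f) is True or bucket_bpa.get(f) is True)
               for f in BPA_FLAGS)

def triage_buckets(buckets):
    """Group bucket names by condition: "inaccessible", "public", "shared_externally",
    "unknown", "block_public_access_incomplete". A bucket can appear under several."""
    groups = defaultdict(list)
    for bucket in buckets:
        name = bucket["bucketName"]
        if bucket.get("errorCode"):
            # Macie can't read this bucket; it reports only name, ARN, dates and the error.
            groups["inaccessible"].append(name)
            continue
        public = bucket.get("publicAccess", {})
        effective = public.get("effectivePermission")
        shared = bucket.get("sharedAccess")
        if effective == "PUBLIC":
            groups["public"].append(name)
        if shared == "EXTERNAL":
            groups["shared_externally"].append(name)
        if "UNKNOWN" in (effective, shared, bucket.get("allowsUnencryptedObjectUploads")):
            groups["unknown"].append(name)
        config = public.get("permissionConfiguration", {})
        account_bpa = config.get("accountLevelPermissions", {}).get("blockPublicAccess", {})
        bucket_bpa = config.get("bucketLevelPermissions", {}).get("blockPublicAccess", {})
        if _bpa_incomplete(account_bpa, bucket_bpa):
            groups["block_public_access_incomplete"].append(name)
    return dict(groups)

def fetch_bucket_inventory(region_name):
    """Page through DescribeBuckets with boto3 (assumed paginator name; needs AWS
    credentials, so the sample run below does not call it)."""
    import boto3
    client = boto3.client("macie2", region_name=region_name)
    buckets = []
    for page in client.get_paginator("describe_buckets").paginate():
        buckets.extend(page.get("buckets", []))
    return buckets

if __name__ == "__main__":
    for condition, names in sorted(triage_buckets(SAMPLE_BUCKETS).items()):
        print(f"{condition}: {', '.join(names)}")
```

Run against a live account, `triage_buckets(fetch_bucket_inventory("us-east-1"))` gives the same grouping for the current Region only, matching the per-Region scope of the inventory described above.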

# Assessing your Amazon S3 security posture with Macie

To assess the overall security posture of your Amazon Simple Storage Service (Amazon S3) data and determine where to take action, you can use the **Summary** dashboard on the Amazon Macie console.

The **Summary** dashboard provides a snapshot of aggregated statistics for your Amazon S3 data in the current AWS Region. The statistics include data for key security metrics such as the number of general purpose buckets that are publicly accessible or shared with other AWS accounts. The dashboard also displays groups of aggregated findings data for your account—for example, the types of findings that had the highest number of occurrences during the preceding seven days. If you're the Macie administrator for an organization, the dashboard provides aggregated statistics and data for all the accounts in your organization. You can optionally filter the data by account.

To perform deeper analysis, you can drill down and review the supporting data for individual items on the dashboard. You can also [review and analyze your S3 bucket inventory](monitoring-s3-inventory.md) by using the Amazon Macie console, or query and analyze inventory data programmatically by using the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation of the Amazon Macie API.

**Topics**
+ [Displaying the dashboard](#monitoring-s3-dashboard-view)
+ [Understanding dashboard components](#monitoring-s3-dashboard-components-main)
+ [Understanding data security statistics on the dashboard](#monitoring-s3-dashboard-statistics-s3)

## Displaying the Summary dashboard

On the Amazon Macie console, the **Summary** dashboard provides a snapshot of aggregated statistics and findings data for your Amazon S3 data in the current AWS Region. If you prefer to query the statistics programmatically, you can use the [GetBucketStatistics](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3-statistics.html) operation of the Amazon Macie API.

**To display the Summary dashboard**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **Summary**. Macie displays the **Summary** dashboard.

1. To determine when Macie most recently retrieved bucket or object metadata from Amazon S3 for your account, refer to the **Last updated** field at the top of the dashboard. For more information, see [Data refreshes](monitoring-s3-how-it-works.md#monitoring-s3-how-it-works-data-refresh).

1. To drill down and review the supporting data for an item on the dashboard, choose the item.

If you're the Macie administrator for an organization, the dashboard displays aggregated statistics and data for your account and member accounts in your organization. To filter the dashboard and display data only for a particular account, enter the account's ID in the **Account** box above the dashboard.

## Understanding components of the Summary dashboard

On the **Summary** dashboard, statistics and data are organized into several sections. At the top of the dashboard, you'll find aggregated statistics that indicate how much data you store in Amazon S3, and how much of that data Amazon Macie can analyze to detect sensitive data. You can also refer to the **Last updated** field to determine when Macie most recently retrieved bucket or object metadata from Amazon S3 for your account. Additional sections provide statistics and recent findings data that can help you assess the security, privacy, and sensitivity of your Amazon S3 data in the current AWS Region.

Statistics and data are organized into the following sections:

+ [Storage and sensitive data discovery](#monitoring-s3-dashboard-storage-statistics)
+ [Automated discovery and coverage issues](#monitoring-s3-dashboard-asdd-statistics)
+ [Data security](#monitoring-s3-dashboard-security-statistics)
+ [Top S3 buckets](#monitoring-s3-dashboard-top-buckets-statistics)
+ [Top finding types](#monitoring-s3-dashboard-top-findings-statistics)
+ [Policy findings](#monitoring-s3-dashboard-policy-finding-statistics)

As you review each section, optionally choose an item to drill down and review the supporting data. Also note that the dashboard doesn't include data for S3 directory buckets, only general purpose buckets. Macie doesn't monitor or analyze directory buckets.<a name="monitoring-s3-dashboard-storage-statistics"></a>

**Storage and sensitive data discovery**  
At the top of the dashboard, statistics indicate how much data you store in Amazon S3, and how much of that data Macie can analyze to detect sensitive data. The following image shows an example of these statistics for an organization with seven accounts.  

![The Storage and sensitive data discovery section of the dashboard. Each field contains example data.](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-storage.png)

Individual statistics in this section are:  
+ **Total accounts** – This field appears if you're the Macie administrator for an organization or you have a standalone Macie account. It indicates the total number of AWS accounts that own buckets in your bucket inventory. If you're a Macie administrator, this is the total number of Macie accounts that you manage for your organization. If you have a standalone Macie account, this value is *1*.
+ **Total S3 buckets** – This field appears if you have a member account in an organization. It indicates the total number of general purpose buckets in your inventory, including buckets that don't store any objects.
+ **Storage** – These statistics provide information about the storage size of objects in your bucket inventory:
  + **Classifiable** – The total storage size of all the objects that Macie can analyze in the buckets.
  + **Total** – The total storage size of all the objects in the buckets, including objects that Macie can’t analyze.

  If any of the objects are compressed files, these values don’t reflect the actual size of those files after they’re decompressed. If versioning is enabled for any of the buckets, these values are based on the storage size of the latest version of each object in those buckets.
+ **Objects** – These statistics provide information about the number of objects in your bucket inventory: 
  + **Classifiable** – The total number of objects that Macie can analyze in the buckets.
  + **Total** – The total number of objects in the buckets, including objects that Macie can’t analyze.
In the preceding statistics, data and objects are *classifiable* if they use a supported Amazon S3 storage class and they have a file name extension for a supported file or storage format. You can detect sensitive data in the objects by using Macie. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).  
Note that **Storage** and **Objects** statistics don't include data about objects in buckets that Macie isn't allowed to access, for example, buckets that have restrictive bucket policies. To identify buckets where this is the case, you can [review your bucket inventory](monitoring-s3-inventory-review.md) by using the **S3 buckets** table. If the warning icon (![The warning icon, which is a red triangle that has an exclamation point in it.](http://docs.aws.amazon.com/macie/latest/user/images/icon-warning-red.png)) appears next to a bucket's name, Macie isn't allowed to access the bucket.  

**Automated discovery and coverage issues**  
If automated sensitive data discovery is enabled, these sections appear on the dashboard. They capture the status and results of automated sensitive data discovery activities that Macie has performed thus far for your Amazon S3 data. The following image shows an example of the statistics that these sections provide.  

![\[Automated sensitive data discovery statistics on the dashboard. Each statistic has example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-sensitivity.png)

For details about these statistics, see [Reviewing data sensitivity statistics on the Summary dashboard](discovery-asdd-results-s3-dashboard.md).

**Data security**  
This section provides statistics that indicate potential security and privacy risks for your Amazon S3 data. The following image shows an example of the statistics in this section.  

![\[The Data security section of the dashboard. It contains example data for each statistic.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-security.png)

For details about these statistics, see [Understanding data security statistics on the Summary dashboard](#monitoring-s3-dashboard-statistics-s3). 

**Top S3 buckets**  
This section lists the S3 buckets that generated the most findings of any type during the preceding seven days, for as many as five buckets. It also indicates the number of findings that Macie created for each bucket. The following image shows an example of the data that this section provides.  

![\[The Top S3 buckets section of the dashboard. It contains example data for five S3 buckets.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-top-buckets.png)

To display and optionally drill down on all the findings for a bucket for the preceding seven days, choose the value in the **Total findings** field. To display all current findings for all of your buckets, grouped by bucket, choose **View all findings by bucket**.  
This section is empty if Macie didn’t create any findings during the preceding seven days, or if all the findings that were created during the preceding seven days were suppressed by a [suppression rule](findings-suppression.md).

**Top finding types**  
This section lists the [types of findings](findings-types.md) that had the highest number of occurrences during the preceding seven days, for as many as five types of findings. It also indicates the number of findings that Macie created for each type. The following image shows an example of the data that this section provides.  

![\[The Top finding types section of the dashboard. It contains example data for five types of findings.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-top-finding-types.png)

To display and optionally drill down on all findings of a particular type for the preceding seven days, choose the value in the **Total findings** field. To display all current findings, grouped by finding type, choose **View all findings by type**.  
This section is empty if Macie didn’t create any findings during the preceding seven days, or if all the findings that were created during the preceding seven days were suppressed by a [suppression rule](findings-suppression.md).

**Policy findings**  
This section lists the [policy findings](findings-types.md#findings-policy-types) that Macie created or updated most recently, for as many as ten findings. The following image shows an example of the data that this section provides.  

![\[The Policy findings section of the dashboard. It contains example data for six policy findings.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-recent-findings-policy.png)

To display the details of a particular finding, choose the finding.  
This section is empty if Macie didn’t create or update any policy findings during the preceding seven days, or if all the policy findings that were created or updated during the preceding seven days were suppressed by a [suppression rule](findings-suppression.md).

## Understanding data security statistics on the Summary dashboard

The **Data security** section of the **Summary** dashboard provides statistics that can help you identify and investigate potential security and privacy risks for your Amazon S3 data in the current AWS Region. For example, you can use this data to identify general purpose buckets that are publicly accessible or shared with other AWS accounts.

If automated sensitive data discovery is disabled, [storage and sensitive data discovery statistics](#monitoring-s3-dashboard-storage-statistics) at the top of this section indicate how much data you store in Amazon S3, and how much of that data Amazon Macie can analyze to detect sensitive data. Additional statistics are organized into three areas, as shown in the following image.

![\[The Data security section of the dashboard. Each area contains example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-security.png)

As you review each area, optionally choose an item to drill down and review the supporting data. Also note that the statistics don't include data for S3 directory buckets, only general purpose buckets. Macie doesn't monitor or analyze directory buckets.

Individual statistics in each area are as follows.

**Public access**  
These statistics indicate how many S3 buckets are or aren't publicly accessible:  
+ **Publicly accessible** – The number and percentage of buckets that allow the general public to have read or write access to the bucket.
+ **Publicly world writable** – The number and percentage of buckets that allow the general public to have write access to the bucket.
+ **Publicly world readable** – The number and percentage of buckets that allow the general public to have read access to the bucket.
+ **Not publicly accessible** – The number and percentage of buckets that don’t allow the general public to have read or write access to the bucket.
To calculate each percentage, Macie divides the number of applicable buckets by the total number of buckets in your bucket inventory.   
To determine the values in this area, Macie analyzes a combination of account- and bucket-level settings for each bucket: the block public access settings for the account; the block public access settings for the bucket; the bucket policy for the bucket; and, the access control list (ACL) for the bucket. For information about these settings, see [Access control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-management.html) and [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) in the *Amazon Simple Storage Service User Guide*.  
In certain cases, the **Public access** area also displays values for **Unknown**. If these values appear, Macie wasn’t able to evaluate the public access settings for the specified number and percentage of buckets. For example, a temporary issue or the buckets' permissions settings might have prevented Macie from retrieving the requisite data, or Macie might not have been able to fully determine whether one or more policy statements allow an external entity to access the buckets. This can also be the case for buckets that exceed the quota for preventative control monitoring. Macie evaluates and monitors the security and privacy of no more than 10,000 buckets for an account—the 10,000 buckets that were most recently created or changed.
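How the account- and bucket-level settings listed above combine into a single verdict, as an added example that is not Macie's own code: it models the S3 Block Public Access semantics from the linked S3 guide (the account level wins whenever it is more restrictive), applies them to a constructed `Bucket` inventory, and reproduces the count-and-percentage calculation over the whole inventory, including an "Unknown" bucket that could not be evaluated.

```python
"""Effective public access from account- and bucket-level settings, aggregated
into dashboard-style Public access statistics.

Added example, not Macie's own code. It models S3 Block Public Access semantics
(IgnorePublicAcls neutralises public ACLs, RestrictPublicBuckets neutralises
public bucket policies, the account level wins when more restrictive), skips
conditioned policy statements, and uses the constructed inventory below.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

_GRP = "http://acs.amazonaws.com/groups/global/"   # S3 predefined ACL groups
PUBLIC_ACL_GROUPS = {_GRP + "AllUsers", _GRP + "AuthenticatedUsers"}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:Put*", "s3:*", "*"}

@dataclass
class BlockPublicAccess:
    ignore_public_acls: bool = False
    restrict_public_buckets: bool = False

@dataclass
class Bucket:
    name: str
    account_bpa: BlockPublicAccess
    bucket_bpa: BlockPublicAccess
    policy: dict | None = None                      # decoded bucket policy JSON
    acl_grants: list = field(default_factory=list)  # [(grantee_uri, permission)]
    evaluable: bool = True                          # False models "Unknown"

def _policy_public(policy: dict | None) -> tuple[bool, bool]:
    """(public_read, public_write) granted by unconditioned Allow statements."""
    read = write = False
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # conditioned grants need a separate, manual review
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" not in ([aws] if isinstance(aws, str) else aws or []):
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        read |= bool(actions & READ_ACTIONS)
        write |= bool(actions & WRITE_ACTIONS)
    return read, write

def _acl_public(grants: list) -> tuple[bool, bool]:
    read = write = False
    for grantee, permission in grants:
        if grantee in PUBLIC_ACL_GROUPS:
            read |= permission in ("READ", "FULL_CONTROL")
            write |= permission in ("WRITE", "FULL_CONTROL")
    return read, write

def effective_access(b: Bucket) -> tuple[bool, bool] | None:
    """(public_read, public_write) after both BPA layers, or None when Unknown."""
    if not b.evaluable:
        return None
    ignore_acls = b.account_bpa.ignore_public_acls or b.bucket_bpa.ignore_public_acls
    restrict = b.account_bpa.restrict_public_buckets or b.bucket_bpa.restrict_public_buckets
    acl_r, acl_w = (False, False) if ignore_acls else _acl_public(b.acl_grants)
    pol_r, pol_w = (False, False) if restrict else _policy_public(b.policy)
    return acl_r or pol_r, acl_w or pol_w

def public_access_statistics(inventory: list[Bucket]) -> dict[str, tuple[int, float]]:
    """Counts and percentages; each percentage is over the whole inventory."""
    counts: Counter = Counter()
    for b in inventory:
        access = effective_access(b)
        if access is None:
            counts["Unknown"] += 1
            continue
        read, write = access
        counts["Publicly accessible" if read or write else "Not publicly accessible"] += 1
        counts["Publicly world readable"] += int(read)
        counts["Publicly world writable"] += int(write)
    total = len(inventory)
    return {k: (counts[k], round(100 * counts[k] / total, 1) if total else 0.0)
            for k in ("Publicly accessible", "Publicly world writable",
                      "Publicly world readable", "Not publicly accessible", "Unknown")}

# Constructed sample: policy-public, ACL-public, public policy neutralised by account BPA, not evaluable.
PUBLIC_GET = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"}
SAMPLE_INVENTORY = [
    Bucket("public-website", BlockPublicAccess(), BlockPublicAccess(),
           policy={"Statement": [PUBLIC_GET]}),
    Bucket("legacy-acl", BlockPublicAccess(), BlockPublicAccess(),
           acl_grants=[(_GRP + "AllUsers", "WRITE")]),
    Bucket("blocked-by-account", BlockPublicAccess(True, True), BlockPublicAccess(),
           policy={"Statement": [dict(PUBLIC_GET, Action="s3:*")]}),
    Bucket("over-quota", BlockPublicAccess(), BlockPublicAccess(), evaluable=False),
]

if __name__ == "__main__":
    for label, (count, pct) in public_access_statistics(SAMPLE_INVENTORY).items():
        print(f"{label:<26} {count} ({pct}%)")
```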

**Encryption**  
These statistics indicate how many S3 buckets are configured to apply certain types of server-side encryption to objects that are added to the buckets:  
+ **Encrypt by default – SSE-S3** – The number and percentage of buckets whose default encryption settings are configured to encrypt new objects with an Amazon S3 managed key. For these buckets, new objects are encrypted automatically using SSE-S3 encryption.
+ **Encrypt by default – DSSE-KMS/SSE-KMS** – The number and percentage of buckets whose default encryption settings are configured to encrypt new objects with an AWS KMS key, either an AWS managed key or a customer managed key. For these buckets, new objects are encrypted automatically using DSSE-KMS or SSE-KMS encryption.
To calculate each percentage, Macie divides the number of applicable buckets by the total number of buckets in your bucket inventory.  
To determine the values in this area, Macie analyzes the default encryption settings for each bucket. Starting January 5, 2023, Amazon S3 automatically applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for objects that are added to buckets. You can optionally configure a bucket's default encryption settings to instead use server-side encryption with an AWS KMS key (SSE-KMS) or dual-layer server-side encryption with an AWS KMS key (DSSE-KMS). For information about default encryption settings and options, see [Setting default server-side encryption behavior for S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html) in the *Amazon Simple Storage Service User Guide*.  
In certain cases, the **Encryption** area also displays values for **Unknown**. If these values appear, Macie wasn’t able to evaluate the default encryption settings for the specified number and percentage of buckets. For example, a temporary issue or the buckets' permissions settings might have prevented Macie from retrieving the requisite data, or the buckets exceed the quota for preventative control monitoring. Macie evaluates and monitors the security and privacy of no more than 10,000 buckets for an account—the 10,000 buckets that were most recently created or changed.

**Sharing**  
These statistics indicate how many S3 buckets are or aren't shared with other AWS accounts, Amazon CloudFront origin access identities (OAIs), or CloudFront origin access controls (OACs):  
+ **Shared outside** – The number and percentage of buckets that are shared with one or more of the following, in any combination: a CloudFront OAI, a CloudFront OAC, or an account that isn’t in the same organization.
+ **Shared inside** – The number and percentage of buckets that are shared with one or more accounts in the same organization. These buckets aren't shared with CloudFront OAIs or OACs.
+ **Not shared** – The number and percentage of buckets that aren’t shared with other accounts, CloudFront OAIs, or CloudFront OACs.
To calculate each percentage, Macie divides the number of applicable buckets by the total number of buckets in your bucket inventory.  
To determine whether buckets are shared with other AWS accounts, Macie analyzes the bucket policy and ACL for each bucket. In addition, an *organization* is defined as a set of Macie accounts that are centrally managed as a group of related accounts through AWS Organizations or by Macie invitation. For information about Amazon S3 options for sharing buckets, see [Access control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-management.html) in the *Amazon Simple Storage Service User Guide*.  
In certain cases, Macie might incorrectly report that a bucket is shared with an AWS account that isn't in the same organization. This can occur if Macie isn’t able to fully evaluate the relationship between the `Principal` element in a bucket’s policy and certain [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) or [Amazon S3 condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-policy-keys) in the `Condition` element of the policy. This can be the case for the following condition keys: `aws:PrincipalAccount`, `aws:PrincipalArn`, `aws:PrincipalOrgID`, `aws:PrincipalOrgPaths`, `aws:PrincipalTag`, `aws:PrincipalType`, `aws:SourceAccount`, `aws:SourceArn`, `aws:SourceIp`, `aws:SourceOrgID`, `aws:SourceOrgPaths`, `aws:SourceVpc`, `aws:SourceVpce`, `aws:userid`, `s3:DataAccessPointAccount`, and `s3:DataAccessPointArn`.  
To determine whether this is the case for individual buckets, choose the **Shared outside** statistic on the dashboard. In the table that appears, note the name of each bucket. Then use Amazon S3 to review each bucket’s policy and determine whether the shared access settings are intended and safe.
To determine whether buckets are shared with CloudFront OAIs or OACs, Macie analyzes the bucket policy for each bucket. A CloudFront OAI or OAC allows users to access a bucket's objects through one or more specified CloudFront distributions. For information about CloudFront OAIs and OACs, see [Restricting access to an Amazon S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*.  
In certain cases, the **Sharing** area also displays values for **Unknown**. If these values appear, Macie wasn’t able to determine whether the specified number and percentage of buckets are shared with other accounts, CloudFront OAIs, or CloudFront OACs. For example, a temporary issue or the buckets' permissions settings might have prevented Macie from retrieving the requisite data, or Macie might not have been able to fully evaluate the buckets' policies or ACLs. This can also be the case for buckets that exceed the quota for preventative control monitoring. Macie evaluates and monitors the security and privacy of no more than 10,000 buckets for an account—the 10,000 buckets that were most recently created or changed.

# Analyzing your Amazon S3 security posture with Macie

To help you perform in-depth analysis and evaluate the security posture of your Amazon Simple Storage Service (Amazon S3) data, Amazon Macie generates and maintains an inventory of your S3 general purpose buckets in each AWS Region where you use Macie. To learn how Macie maintains this inventory for you, see [How Macie monitors Amazon S3 data security](monitoring-s3-how-it-works.md). If you're the Macie administrator for an organization, the inventory includes data for S3 buckets that your member accounts own.

By using this inventory, you can review your Amazon S3 data estate, and examine details and statistics for key security settings and metrics that apply to individual S3 buckets. For example, you can access breakdowns of each bucket’s public access and encryption settings, and the size and number of objects that Macie can analyze to detect sensitive data in each bucket. You can also determine whether you configured sensitive data discovery jobs or automated sensitive data discovery to analyze objects in a bucket. If you have, your inventory data indicates when that analysis most recently occurred. If automated sensitive data discovery is enabled, you can also use the inventory to review the results of automated sensitive data discovery activities that Macie has performed thus far for your Amazon S3 data. For more information, see [Discovering sensitive data](data-classification.md).

You can browse and filter inventory data by using the **S3 buckets** page on the Amazon Macie console. You can also access your inventory data programmatically by using the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation of the Amazon Macie API.

**Topics**
+ [Reviewing your S3 bucket inventory](monitoring-s3-inventory-review.md)
+ [Filtering your S3 bucket inventory](monitoring-s3-inventory-filter.md)

# Reviewing your S3 bucket inventory in Macie

On the Amazon Macie console, the **S3 buckets** page provides detailed insight into the security and privacy of your Amazon Simple Storage Service (Amazon S3) data in the current AWS Region. With this page, you can review and analyze an inventory of your S3 general purpose buckets in the Region, and review detailed information and statistics for individual buckets. For information about how Macie generates and maintains this inventory, see [How Macie monitors Amazon S3 data security](monitoring-s3-how-it-works.md). If you're the Macie administrator for an organization, your inventory includes details and statistics for S3 buckets that your member accounts own.

The **S3 buckets** page also indicates when Macie most recently retrieved bucket or object metadata from Amazon S3 for your account. You can find this information in the **Last updated** field at the top of the page. If you're the Macie administrator for an organization, this field indicates the earliest date and time when Macie retrieved the data for an account in your organization. For more information, see [Data refreshes](monitoring-s3-how-it-works.md#monitoring-s3-how-it-works-data-refresh).

Note that inventory data and statistics don't include data about S3 directory buckets, only general purpose buckets. Macie doesn't monitor or analyze directory buckets. In addition, Macie maintains complete inventory data for no more than 10,000 general purpose buckets for an account. If your account exceeds this quota, Macie provides complete inventory data for the 10,000 buckets that were most recently created or changed. For all other buckets, Macie provides only a subset of information about each bucket. If you're the Macie administrator for an organization, this quota applies to each account in your organization, not your organization overall.

Also note that most inventory data is limited to buckets that Macie is allowed to access for your account. If a bucket's permissions settings prevent Macie from retrieving information about the bucket or the bucket's objects, Macie can only provide a subset of information about the bucket. If this is the case for a particular bucket, Macie displays a warning icon (![\[The warning icon, which is a red triangle that has an exclamation point in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-warning-red.png)) and message for the bucket in your bucket inventory. For the bucket's details, Macie provides data for only a subset of fields: the account ID for the AWS account that owns the bucket; the bucket's name, Amazon Resource Name (ARN), creation date, and Region; and, when Macie most recently retrieved both bucket and object metadata for the bucket as part of the daily refresh cycle. To investigate the issue, review the bucket’s policy and permissions settings in Amazon S3. For example, the bucket might have a restrictive bucket policy. For more information, see [Allowing Macie to access S3 buckets and objects](monitoring-restrictive-s3-buckets.md).

If you prefer to access and query your inventory data programmatically, you can use the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation of the Amazon Macie API.

**Topics**
+ [Reviewing your S3 bucket inventory](#monitoring-s3-inventory-view)
+ [Reviewing the details of S3 buckets](#monitoring-s3-inventory-view-details)

## Reviewing your S3 bucket inventory

The **S3 buckets** page on the Amazon Macie console provides information about your S3 general purpose buckets in the current AWS Region. On this page, a table displays summary information for each bucket in your inventory. To customize your view, you can sort and filter the table. If you choose a bucket in the table, the details panel displays additional information about the bucket. This includes details and statistics for settings and metrics that provide insight into the security and privacy of the bucket’s data. You can optionally export data from the table to a comma-separated values (CSV) file.

If automated sensitive data discovery is enabled, you also have the option of reviewing your inventory by using an interactive heat map. The map provides a visual representation of data sensitivity across your Amazon S3 data estate. It captures the results of automated sensitive data discovery activities that Macie has performed thus far. To learn about this map, see [Visualizing data sensitivity with the S3 buckets map](discovery-asdd-results-s3-inventory-map.md).

**To review your S3 bucket inventory**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays your bucket inventory. If the page displays an interactive map of your inventory, choose table (![\[The table view button, which is a button that displays three black horizontal lines.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-table-view.png)) at the top of the page. Macie then displays the number of buckets in your inventory and a table of the buckets.

   If automated sensitive data discovery is enabled, the default view doesn't display data for buckets that are currently excluded from automated discovery. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. At the top of the page, optionally choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) to retrieve the latest bucket metadata from Amazon S3.

   If the information icon (![\[The information icon, which is a blue circle that has a lowercase letter i in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-info-blue.png)) appears next to any bucket names, we recommend that you do this. This icon indicates that a bucket was created during the past 24 hours, possibly after Macie last retrieved bucket and object metadata from Amazon S3 as part of the [daily refresh cycle](monitoring-s3-how-it-works.md#monitoring-s3-how-it-works-data-refresh).

1. In the **S3 buckets** table, review a subset of information about each bucket in your inventory:
   + **Sensitivity** – The bucket's current sensitivity score, if automated sensitive data discovery is enabled. For information about the range of sensitivity scores that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).
   + **Bucket** – The name of the bucket.
   + **Account** – The account ID for the AWS account that owns the bucket.
   + **Classifiable objects** – The total number of objects that Macie can analyze to detect sensitive data in the bucket.
   + **Classifiable size** – The total storage size of all the objects that Macie can analyze to detect sensitive data in the bucket.

     Note that this value doesn’t reflect the actual size of any compressed objects after they're decompressed. Also, if versioning is enabled for the bucket, this value is based on the storage size of the latest version of each object in the bucket.
   + **Monitored by job** – Whether you configured any sensitive data discovery jobs to periodically analyze objects in the bucket on a daily, weekly, or monthly basis.

     If the value for this field is *Yes*, the bucket is explicitly included in a periodic job or the bucket matched the criteria for a periodic job within the past 24 hours. In addition, the status of at least one of those jobs is not *Cancelled*. Macie updates this data on a daily basis.
   + **Latest job run** – If you configured any periodic or one-time sensitive data discovery jobs to analyze objects in the bucket, this field indicates the most recent date and time when one of those jobs started to run. Otherwise, a dash (–) appears in this field. 

   In the preceding data, objects are *classifiable* if they use a supported Amazon S3 storage class and they have a file name extension for a supported file or storage format. You can detect sensitive data in the objects by using Macie. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).

1. To analyze your inventory by using the table, do any of the following:
   + To sort the table by a specific field, choose the column heading for the field. To change the sort order, choose the column heading again.
   + To filter the table and display only those buckets that have a specific value for a field, place your cursor in the filter box, and then add a filter condition for the field. To further refine the results, add filter conditions for additional fields. For more information, see [Filtering your S3 bucket inventory](monitoring-s3-inventory-filter.md).

1. To review details and statistics for a particular bucket, choose the bucket's name in the table, and then refer to the details panel.
**Tip**  
You can pivot and drill down on many of the fields in the bucket details panel. To show buckets that have the same value for a field, choose ![\[The zoom in icon, which is a magnifying glass that has a plus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-plus-sign.png) in the field. To show buckets that have other values for a field, choose ![\[The zoom out icon, which is a magnifying glass that has a minus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-minus-sign.png) in the field.

1. To export data from the table to a CSV file, select the checkbox for each row that you want to export, or select the checkbox in the selection column heading to select all rows. Then choose **Export to CSV** at the top of the page. You can export up to 50,000 rows from the table.

## Reviewing the details of S3 buckets

To review details and statistics for an S3 general purpose bucket, you can use the details panel on the **S3 buckets** page of the Amazon Macie console. The panel displays details and statistics that provide insight into the security and privacy of a bucket’s data.

For example, you can review breakdowns of an S3 bucket’s public access settings, and determine whether a bucket is configured to replicate objects or is shared with other AWS accounts. You can also determine whether you configured any sensitive data discovery jobs to inspect the bucket for sensitive data. If you have, you can access details about the job that ran most recently, and optionally display any findings that the job produced.

If automated sensitive data discovery is enabled, you can also use the details panel to review sensitive data discovery statistics and other information about individual S3 buckets. The panel captures the results of automated sensitive data discovery activities that Macie has performed thus far for a bucket. To learn about these details, see [Reviewing data sensitivity details for S3 buckets](discovery-asdd-results-s3-inventory-details.md).

**To review the details of an S3 bucket**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays your bucket inventory.

   If automated sensitive data discovery is enabled, the default view doesn't display data for buckets that are currently excluded from automated discovery. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. At the top of the page, optionally choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) to retrieve the latest bucket metadata from Amazon S3.

1. Choose the bucket whose details you want to review. The details panel displays statistics and other information about the bucket.<a name="monitoring-s3-inventory-bucket-details"></a>

In the details panel, statistics and information are organized into the following primary sections:

+ [**Overview**](#monitoring-s3-inventory-view-details-general)
+ [**Object statistics**](#monitoring-s3-inventory-view-details-objects)
+ [**Server-side encryption**](#monitoring-s3-inventory-view-details-sse)
+ [**Sensitive data discovery**](#monitoring-s3-inventory-view-details-discovery)
+ [**Public access**](#monitoring-s3-inventory-view-details-public-access)
+ [**Replication**](#monitoring-s3-inventory-view-details-replication)
+ [**Tags**](#monitoring-s3-inventory-view-details-tags)

As you review the information in each section, you can optionally pivot and drill down on certain fields. To show buckets that have the same value for a field, choose ![\[The zoom in icon, which is a magnifying glass that has a plus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-plus-sign.png) in the field. To show buckets that have other values for a field, choose ![\[The zoom out icon, which is a magnifying glass that has a minus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-minus-sign.png) in the field.

### Overview

This section provides general information about the bucket, such as the bucket’s name, when the bucket was created, and the account ID for the AWS account that owns the bucket. Of special note, the **Last updated** field indicates when Macie most recently retrieved metadata from Amazon S3 for the bucket or the bucket’s objects.

The **Shared access** field indicates whether the bucket is shared with another AWS account, an Amazon CloudFront origin access identity (OAI), or a CloudFront origin access control (OAC):
+ **External** – The bucket is shared with one or more of the following, in any combination: a CloudFront OAI, a CloudFront OAC, or an account that's external to (not part of) your organization.
+ **Internal** – The bucket is shared with one or more accounts that are internal to (part of) your organization. It isn't shared with a CloudFront OAI or OAC.
+ **Not shared** – The bucket isn't shared with another account, a CloudFront OAI, or a CloudFront OAC.
+ **Unknown** – Macie wasn't able to evaluate the shared access settings for the bucket. For example, a quota or temporary issue prevented Macie from retrieving and evaluating the requisite data.

To determine whether a bucket is shared with another AWS account, Macie analyzes the bucket policy and access control list (ACL) for the bucket. The analysis is limited to bucket-level settings. It doesn’t reflect any object-level settings for sharing specific objects in the bucket. In addition, an *organization* is defined as a set of Macie accounts that are centrally managed as a group of related accounts through AWS Organizations or by Macie invitation. To learn about Amazon S3 options for sharing buckets, see [Access control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-management.html) in the *Amazon Simple Storage Service User Guide*.

**Note**  
In certain cases, Macie might incorrectly indicate that a bucket is shared with an AWS account that's external to (not part of) your organization. This can occur if Macie isn’t able to fully evaluate the relationship between the `Principal` element in the bucket’s policy and certain [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) or [Amazon S3 condition keys](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-policy-keys) in the `Condition` element of the policy. This can be the case for the following condition keys: `aws:PrincipalAccount`, `aws:PrincipalArn`, `aws:PrincipalOrgID`, `aws:PrincipalOrgPaths`, `aws:PrincipalTag`, `aws:PrincipalType`, `aws:SourceAccount`, `aws:SourceArn`, `aws:SourceIp`, `aws:SourceOrgID`, `aws:SourceOrgPaths`, `aws:SourceVpc`, `aws:SourceVpce`, `aws:userid`, `s3:DataAccessPointAccount`, and `s3:DataAccessPointArn`.  
We recommend that you review the bucket’s policy to determine whether this access is intended and safe.
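The manual review recommended here and in the **Sharing** area of the Summary dashboard, as an added example that is not Macie's or AWS's code: it classifies each Allow statement of a bucket policy by whether its principals are inside a constructed set of organization account IDs, and flags the statements whose `Condition` uses one of the keys listed above, since those are the grants whose verdict a reviewer should confirm by hand. The policy, account IDs and distribution ARN are constructed sample data.

```python
"""Triage a bucket policy that Macie reports as shared outside the organization.

Added example, not Macie's or AWS's own code. It classifies each Allow
statement's principals as internal or external to a constructed set of
organization account IDs and flags statements whose Condition uses one of the
keys listed in the text, since those are the grants Macie may not have
evaluated fully and a reviewer should confirm by hand.
"""
import re
from dataclasses import dataclass

# Condition keys the text names as ones Macie may not fully relate to Principal.
LIMITED_CONDITION_KEYS = {k.lower() for k in (
    "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID",
    "aws:PrincipalOrgPaths", "aws:PrincipalTag", "aws:PrincipalType",
    "aws:SourceAccount", "aws:SourceArn", "aws:SourceIp", "aws:SourceOrgID",
    "aws:SourceOrgPaths", "aws:SourceVpc", "aws:SourceVpce", "aws:userid",
    "s3:DataAccessPointAccount", "s3:DataAccessPointArn")}
ACCOUNT_IN_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")

@dataclass
class StatementReview:
    sid: str
    accounts: list            # 12-digit account IDs, or "*" for a wildcard principal
    verdict: str              # "internal", "external", "wildcard" or "service"
    limited_keys: list        # condition keys from LIMITED_CONDITION_KEYS in use
    needs_manual_review: bool

def _principal_accounts(principal):
    """Yield account IDs (or '*') named by the AWS part of a Principal element."""
    if principal == "*":
        yield "*"
        return
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    for entry in [aws] if isinstance(aws, str) else aws:
        if entry == "*" or entry.isdigit():
            yield entry
        else:
            match = ACCOUNT_IN_ARN.match(entry)
            if match:
                yield match.group(1)

def _condition_keys(stmt) -> set:
    """Lower-cased condition keys, with any tag suffix (aws:PrincipalTag/x) removed."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower().split("/")[0] for k in operator_block)
    return keys

def review_policy(policy: dict, org_accounts: set) -> list:
    """Classify each Allow statement; Deny statements only narrow access and are skipped."""
    reviews = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        accounts = list(_principal_accounts(principal))
        limited = sorted(_condition_keys(stmt) & LIMITED_CONDITION_KEYS)
        if not accounts and isinstance(principal, dict) and "Service" in principal:
            verdict = "service"
        elif "*" in accounts:
            verdict = "wildcard"
        elif accounts and all(a in org_accounts for a in accounts):
            verdict = "internal"
        else:
            verdict = "external"
        # A wildcard or external principal narrowed only by a key Macie may not
        # evaluate fully is exactly the case the text says can be misreported.
        needs_review = verdict in ("wildcard", "external") and bool(limited)
        reviews.append(StatementReview(stmt.get("Sid", f"Statement{i}"),
                                       accounts, verdict, limited, needs_review))
    return reviews

# Constructed sample data: two organization accounts and a policy mixing the cases.
ORG_ACCOUNTS = {"111111111111", "222222222222"}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgReadOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "SiblingAccount", "Effect": "Allow", "Principal": {"AWS": "222222222222"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "PartnerAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "CloudFrontOAC", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"AWS:SourceArn":
                   "arn:aws:cloudfront::111111111111:distribution/EXAMPLEDIST"}}},
]}

if __name__ == "__main__":
    for r in review_policy(SAMPLE_POLICY, ORG_ACCOUNTS):
        flag = "CHECK" if r.needs_manual_review else "ok"
        print(f"{r.sid:<15} {r.verdict:<9} {flag:<6} {r.limited_keys}")
```

Only `OrgReadOnly` is flagged: its wildcard principal is narrowed by `aws:PrincipalOrgID`, so the share may be internal even though an automated evaluation that cannot relate the condition to the principal would count it as external.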

To determine whether a bucket is shared with a CloudFront OAI or OAC, Macie analyzes the bucket policy for the bucket. A CloudFront OAI or OAC allows users to access a bucket's objects through one or more specified CloudFront distributions. To learn about CloudFront OAIs and OACs, see [Restricting access to an Amazon S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*.

The **Overview** section also includes the **Latest automated discovery run** field. This field indicates when Macie most recently analyzed objects in the bucket while performing automated sensitive data discovery. If this analysis hasn't occurred, a dash (–) appears in this field.

### Object statistics


This section provides information about the objects in the bucket, starting with the total number of objects in the bucket (**Total count**), the total storage size of all those objects (**Total storage size**), and the total storage size of all the objects that are compressed (.gz, .gzip, or .zip) files (**Total compressed size**). Additional statistics in this section can help you assess how much data Macie can analyze to detect sensitive data in the bucket.

If you recently created the bucket or made significant changes to the bucket's objects during the past 24 hours, optionally choose refresh (![\[The refresh button, which is a button that displays an empty, dark gray circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-object-data.png)) to retrieve the latest metadata for the bucket's objects. Macie displays the information icon (![\[The information icon, which is a blue circle that has a lowercase letter i in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-info-blue.png)) to help you determine whether this might be the case. The refresh option is available if a bucket stores 30,000 or fewer objects.

As you review the statistics in this section, keep the following in mind:
+ If versioning is enabled for the bucket, size values are based on the storage size of the latest version of each object in the bucket.
+ If the bucket stores compressed objects, size values don't reflect the actual size of those objects after they're decompressed.
+ If you refresh object metadata for a bucket, Macie temporarily reports *Unknown* for encryption statistics that apply to the objects. Macie will re-evaluate and update the data for these statistics when it performs the next [daily refresh](monitoring-s3-how-it-works.md#monitoring-s3-how-it-works-data-refresh) of bucket and object metadata, which is within 24 hours.
+ By default, object counts and size values include data for any object parts that the bucket contains as a result of incomplete multipart uploads. If you refresh object metadata for a bucket, Macie excludes data for object parts from the recalculated values. When Macie performs the next daily refresh of bucket and object metadata (within 24 hours), Macie recalculates and updates the values for these statistics and includes data for object parts in the values again.

  Note that Macie can't analyze object parts to detect sensitive data. Amazon S3 must first finish assembling the parts into one or more objects for Macie to analyze. For information about multipart uploads and object parts, including how to delete parts automatically with lifecycle rules, see [Uploading and copying objects using multipart upload](https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html) in the *Amazon Simple Storage Service User Guide*. To identify buckets that contain object parts, you can refer to *incomplete multipart upload* metrics in Amazon S3 Storage Lens. For more information, see [Assessing your storage activity and usage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens.html) in the *Amazon Simple Storage Service User Guide*. 

Object statistics are organized as follows.

**Classifiable objects**  
This section indicates the total number of objects that Macie can analyze to detect sensitive data and the total storage size of those objects. These objects use a supported Amazon S3 storage class and have a file name extension for a supported file or storage format. You can detect sensitive data in the objects by using Macie. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).

**Unclassifiable objects**  
This section indicates the total number of objects that Macie can’t analyze to detect sensitive data and the total storage size of those objects. These objects don’t use a supported Amazon S3 storage class or they don’t have a file name extension for a supported file or storage format.

**Unclassifiable objects: Storage class**  
This section provides a breakdown of the number and storage size of the objects that Macie can’t analyze because the objects don’t use a supported Amazon S3 storage class. 

**Unclassifiable objects: File type**  
This section provides a breakdown of the number and storage size of the objects that Macie can’t analyze because the objects don’t have a file name extension for a supported file or storage format.

**Objects by encryption type**  
This section provides a breakdown of the number of objects that use each type of encryption that Amazon S3 supports:  
+ **Customer provided** – The number of objects that are encrypted with a customer-provided key. These objects use SSE-C encryption.
+ **AWS KMS managed** – The number of objects that are encrypted with an AWS KMS key, either an AWS managed key or a customer managed key. These objects use DSSE-KMS or SSE-KMS encryption.
+ **Amazon S3 managed** – The number of objects that are encrypted with an Amazon S3 managed key. These objects use SSE-S3 encryption.
+ **No encryption** – The number of objects that aren’t encrypted or use client-side encryption. (If an object is encrypted using client-side encryption, Macie can't access and report encryption data for the object.) 
+ **Unknown** – The number of objects that Macie doesn't have current encryption metadata for. This typically occurs if you recently chose to manually refresh the metadata for the bucket's objects. Macie will update the encryption statistics when it performs the next daily refresh of bucket and object metadata, which is within 24 hours.
For information about each supported encryption type, see [Protecting data with encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) in the *Amazon Simple Storage Service User Guide*.

### Server-side encryption


This section provides insight into the server-side encryption settings for the bucket.

The **Encryption required by bucket policy** field indicates whether the bucket's policy requires server-side encryption of objects when objects are added to the bucket:
+ **No** – The bucket doesn't have a bucket policy or the bucket's policy doesn't require server-side encryption of new objects. If a bucket policy exists, it doesn't require [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) requests to include a valid server-side encryption header.
+ **Yes** – The bucket's policy requires server-side encryption of new objects. **PutObject** requests for the bucket must include a valid server-side encryption header. Otherwise, Amazon S3 denies the request.
+ **Unknown** – Macie wasn't able to evaluate the bucket's policy to determine whether it requires server-side encryption of new objects. For example, a quota or issue prevented Macie from retrieving and evaluating the policy.

For this assessment, valid server-side encryption headers are: `x-amz-server-side-encryption` with a value of `AES256` or `aws:kms`, and `x-amz-server-side-encryption-customer-algorithm` with a value of `AES256`. For information about using bucket policies to require server-side encryption of new objects, see [Protecting data with server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) in the *Amazon Simple Storage Service User Guide*.
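As an added illustration (not from the Macie documentation), the following Python models the assessment described above: it checks whether a `PutObject` request without a server-side encryption header would be denied by a bucket policy, and which of the header values listed above a given policy lets through. The policies, bucket ARN and request headers are constructed, and the IAM condition evaluation is a deliberately simplified model (Deny statements with the `StringNotEquals` and `Null` operators only).

```python
"""Added example, not from the Macie documentation: a simplified evaluator for
the 'Encryption required by bucket policy' assessment. It models only Deny
statements on s3:PutObject with the StringNotEquals and Null condition
operators; real IAM evaluation covers more (Allow statements, resource
matching, wildcards, multi-valued keys)."""

# S3 condition keys for the two request headers the page lists as valid.
SSE_KEY = "s3:x-amz-server-side-encryption"                       # AES256 | aws:kms
SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"  # AES256
VALID_HEADERS = {SSE_KEY: {"AES256", "aws:kms"}, SSE_C_KEY: {"AES256"}}

# Constructed placeholder; substitute the ARN of the bucket being assessed.
BUCKET_ARN = "arn:aws:s3:::example-bucket-placeholder"

# Weak setting: no statement constrains uploads, so the field would read "No".
WEAK_POLICY = {"Version": "2012-10-17", "Statement": []}

# Corrected setting: deny uploads whose SSE header carries a value other than
# AES256/aws:kms, and deny uploads that omit the header entirely.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWrongSseHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}},
        },
        {
            "Sid": "DenyMissingSseHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"Null": {SSE_KEY: "true"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """True when every operator block in a Condition element matches the
    request context `ctx` (blocks are ANDed, as in IAM)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # Null:"true" matches only when the key is absent.
                if present == (str(expected).lower() == "true"):
                    return False
            elif operator == "StringNotEquals":
                # A negated operator matches when the key is absent.
                if present and ctx[key] in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def put_object_denied(policy, headers):
    """Simulate a PutObject carrying `headers` (x-amz-... name -> value):
    True if any Deny statement on s3:PutObject fires."""
    ctx = {"s3:" + name: value for name, value in headers.items()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


def encryption_required_by_policy(policy):
    """Mirror the Macie field: 'Yes' when an upload with no SSE header is
    denied by the policy, otherwise 'No'."""
    return "Yes" if put_object_denied(policy, {}) else "No"


def accepted_sse_headers(policy):
    """Which of the page's valid header/value pairs the policy lets through."""
    accepted = set()
    for key, values in VALID_HEADERS.items():
        header = key[len("s3:"):]
        for value in values:
            if not put_object_denied(policy, {header: value}):
                accepted.add((header, value))
    return accepted


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, encryption_required_by_policy(policy),
              sorted(accepted_sse_headers(policy)))
```

Running it shows that the common two-statement policy accepts only the `x-amz-server-side-encryption` header, so an SSE-C upload is denied even though Macie counts that header as valid; the policy pattern should match the encryption method the bucket's clients actually use.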

The **Default encryption** field indicates which server-side encryption algorithm the bucket is configured to apply by default to objects that are added to the bucket:
+ **AES256** – The bucket's default encryption settings are configured to encrypt new objects with an Amazon S3 managed key. New objects are encrypted automatically using SSE-S3 encryption.
+ **aws:kms** – The bucket's default encryption settings are configured to encrypt new objects with an AWS KMS key, either an AWS managed key or a customer managed key. New objects are encrypted automatically using SSE-KMS encryption. The **AWS KMS key** field shows the Amazon Resource Name (ARN) or unique identifier (key ID) for the key that's used.
+ **aws:kms:dsse** – The bucket's default encryption settings are configured to encrypt new objects with an AWS KMS key, either an AWS managed key or a customer managed key. New objects are encrypted automatically using DSSE-KMS encryption. The **AWS KMS key** field shows the ARN or key ID for the key that's used.
+ **None** – The bucket's default encryption settings don't specify server-side encryption behavior for new objects.

Starting January 5, 2023, Amazon S3 automatically applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for objects that are added to buckets. You can optionally configure a bucket's default encryption settings to instead use server-side encryption with an AWS KMS key (SSE-KMS) or dual-layer server-side encryption with an AWS KMS key (DSSE-KMS). For information about default encryption settings and options, see [Setting default server-side encryption behavior for S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html) in the *Amazon Simple Storage Service User Guide*.

### Sensitive data discovery


This section indicates whether you configured any sensitive data discovery jobs to periodically analyze objects in the bucket on a daily, weekly, or monthly basis. If the value for the **Actively monitored by job** field is *Yes*, the bucket is explicitly included in a periodic job or the bucket matched the criteria for a periodic job within the past 24 hours. In addition, the status of at least one of those jobs is not *Cancelled*. Macie updates this data on a daily basis.

If you configured any type of sensitive data discovery job (either a periodic job or a one-time job) to analyze objects in the bucket, the **Latest job** field provides the unique identifier for the job that most recently started to run. The **Latest job run** field indicates when that job started to run.

**Tip**  
To display all the sensitive data findings that the job produced, choose the link in the **Latest job** field. In the job details panel that appears, choose **Show results** at the top of the panel, and then choose **Show findings**.

### Public access


This section indicates whether the bucket is publicly accessible. It also provides a breakdown of the various account- and bucket-level settings that determine whether this is the case. The **Effective permission** field indicates the cumulative result of these settings:
+ **Not public** – The bucket isn’t publicly accessible.
+ **Public** – The bucket is publicly accessible.
+ **Unknown** – Macie wasn’t able to evaluate all the public access settings for the bucket. For example, a quota or temporary issue prevented Macie from retrieving and evaluating the requisite data.

For this evaluation, Macie analyzes a combination of account- and bucket-level settings for each bucket: the block public access settings for the account; the block public access settings for the bucket; the bucket policy for the bucket; and, the access control list (ACL) for the bucket. Note that the evaluation doesn’t include object-level settings that enable public access to specific objects in a bucket.

To learn about Amazon S3 settings for managing public access to buckets and bucket data, see [Access control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-management.html) and [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) in the *Amazon Simple Storage Service User Guide*.

### Replication


In this section, the **Replicated** field indicates whether the bucket is configured to replicate objects to other buckets. If the value for this field is *Yes*, one or more replication rules are configured and enabled for the bucket. This section then also lists the account ID for each AWS account that owns a destination bucket.

The **Replicated externally** field indicates whether the bucket is configured to replicate objects to buckets for AWS accounts that are external to (not part of) your organization. An *organization* is a set of Macie accounts that are centrally managed as a group of related accounts through AWS Organizations or by Macie invitation. If the value for this field is *Yes*, a replication rule is configured and enabled for the bucket, and the rule is configured to replicate objects to a bucket that's owned by an external AWS account. 

**Note**  
Under certain conditions, Macie might incorrectly indicate that a bucket is configured to replicate objects to a bucket that's owned by an external AWS account. This can occur if the destination bucket was created in a different AWS Region during the preceding 24 hours, after Macie retrieved bucket and object metadata from Amazon S3 as part of the [daily refresh cycle](monitoring-s3-how-it-works.md#monitoring-s3-how-it-works-data-refresh). To investigate the issue by using Macie, choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) to retrieve the latest bucket metadata from Amazon S3. Then review the list of account IDs in this section. For deeper investigation, use Amazon S3 to review the replication rules for the bucket.

To learn about Amazon S3 options and settings for replicating bucket objects, see [Replicating objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html) in the *Amazon Simple Storage Service User Guide*.

### Tags


If tags are associated with the bucket, this section appears in the panel and lists those tags. Tags are labels that you can define and assign to certain types of AWS resources, including S3 buckets. Each tag consists of a required tag key and an optional tag value.

To learn about tagging buckets, see [Using cost allocation S3 bucket tags](https://docs.aws.amazon.com/AmazonS3/latest/userguide/CostAllocTagging.html) in the *Amazon Simple Storage Service User Guide*.

# Filtering your S3 bucket inventory in Macie
Filtering your S3 bucket inventory

To identify and focus on buckets that have specific characteristics, you can filter your S3 bucket inventory on the Amazon Macie console and in queries that you submit programmatically using the Amazon Macie API. When you create a filter, you use specific bucket attributes to define criteria for including or excluding buckets from a view or from query results. A *bucket attribute* is a field that stores specific metadata for a bucket.

In Macie, a filter consists of one or more conditions. Each condition, also referred to as a *criterion*, consists of three parts:
+ An attribute-based field, such as **Bucket name**, **Tag key**, or **Defined in job**.
+ An operator, such as *equals* or *not equals*.
+ One or more values. The type and number of values depends on the field and operator that you choose.

How you define and apply filter conditions depends on whether you use the Amazon Macie console or the Amazon Macie API.

**Topics**
+ [Filtering your inventory on the console](#monitoring-s3-inventory-filter-console)
+ [Filtering your inventory programmatically](#monitoring-s3-inventory-filter-api)

## Filtering your inventory on the Amazon Macie console
Filtering your inventory on the console

If you use the Amazon Macie console to filter your S3 bucket inventory, Macie provides options to help you choose fields, operators, and values for individual conditions. You access these options by using the filter box on the **S3 buckets** page, as shown in the following image.

![\[The filter box on the S3 buckets page.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-buckets-filter-bar-empty.png)


When you place your cursor in the filter box, Macie displays a list of fields that you can use in filter conditions. The fields are organized by logical category. For example, the **Common fields** category includes fields that store general information about an S3 bucket. **Public access** categories include fields that store data about the various types of public access settings that can apply to a bucket. The fields are sorted alphabetically within each category.

To add a condition, start by choosing a field from the list. To find a field, browse the complete list, or enter part of the field's name to narrow the list of fields.

Depending on the field that you choose, Macie displays different options. The options reflect the type and nature of the field that you choose. For example, if you choose the **Shared access** field, Macie displays a list of values to choose from. If you choose the **Bucket name** field, Macie displays a text box in which you can enter the name of an S3 bucket. Whichever field you choose, Macie guides you through the steps to add a condition that includes the required settings for the field.

After you add a condition, Macie applies the criteria for the condition and displays the condition in a filter token below the filter box, as shown in the following image.

![\[The filter box with a filter token for a condition.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-buckets-filter-bar-public.png)


In this example, the condition is configured to include all buckets that are publicly accessible, and to exclude all other buckets. It returns buckets where the value for the **Effective permission** field *equals* **Public**.

As you add more conditions, Macie applies their criteria and displays them below the filter box. If you add multiple conditions, Macie uses AND logic to join the conditions and evaluate the filter criteria. This means that an S3 bucket matches the filter criteria only if it matches all the conditions in the filter. You can refer to the area below the filter box at any time to determine which criteria you've applied.

**To filter your inventory by using the console**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays your bucket inventory.

   If automated sensitive data discovery is enabled, the default view doesn't display data for buckets that are currently excluded from automated discovery. If you're the Macie administrator for an organization, it also doesn't display data for accounts that automated discovery is currently disabled for. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. At the top of the page, optionally choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) to retrieve the latest bucket metadata from Amazon S3.

1. Place your cursor in the filter box, and then choose the field to use for the condition. 

1. Choose or enter the appropriate type of value for the field, keeping the following tips in mind.

   **Dates, times, and time ranges**  
   For dates and times, use the **From** and **To** boxes to define an inclusive time range:  
   + To define a fixed time range, use the **From** and **To** boxes to specify the first date and time and the last date and time in the range, respectively.
   + To define a relative time range that starts at a certain date and time and ends at the current time, enter the start date and time in the **From** boxes, and delete any text in the **To** boxes.
   + To define a relative time range that ends at a certain date and time, enter the end date and time in the **To** boxes, and delete any text in the **From** boxes.
   Note that time values use 24-hour notation. If you use the date picker to choose dates, you can refine the values by entering text directly in the **From** and **To** boxes.  
   **Numbers and numeric ranges**  
   For numeric values, use the **From** and **To** boxes to enter integers that define an inclusive numeric range:  
   + To define a fixed numeric range, use the **From** and **To** boxes to specify the lowest and highest numbers in the range, respectively.
   + To define a fixed numeric range that's limited to one specific value, enter the value in both the **From** and **To** boxes. For example, to include only those S3 buckets that store exactly 15 objects, enter **15** in the **From** and **To** boxes.
   + To define a relative numeric range that starts at a certain number, enter the number in the **From** box, and don’t enter any text in the **To** box.
   + To define a relative numeric range that ends at a certain number, enter the number in the **To** box, and don’t enter any text in the **From** box.  
   **Text (string) values**  
   For this type of value, enter a complete, valid value for the field. Values are case sensitive.  
   Note that you can’t use a partial value or wildcard characters in this type of value. The only exception is the **Bucket name** field. For that field, you can specify a prefix instead of a complete bucket name. For example, to find all S3 buckets whose names begin with *my-S3*, enter **my-S3** as the filter value for the **Bucket name** field. If you enter any other value, such as **My-s3** or **my\$1**, Macie won’t return the buckets.

1. When you finish adding a value for the field, choose **Apply**. Macie applies the filter criteria and displays the condition in a filter token below the filter box.

1. Repeat steps 4 through 6 for each additional condition that you want to add.

1. To remove a condition, choose the **X** in the filter token for the condition.

1. To change a condition, remove the condition by choosing the **X** in the filter token for the condition. Then repeat steps 4 through 6 to add a condition with the correct settings.

## Filtering your inventory programmatically with the Amazon Macie API
Filtering your inventory programmatically

To filter your S3 bucket inventory programmatically, specify filter criteria in queries that you submit using the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation of the Amazon Macie API. This operation returns an array of objects. Each object contains statistical data and other information about a bucket that matches the filter criteria.

To specify filter criteria in a query, include a map of filter conditions in your request. For each condition, specify a field, an operator, and one or more values for the field. The type and number of values depends on the field and operator that you choose. For information about the fields, operators, and types of values that you can use in a condition, see [Amazon S3 Data Sources](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) in the *Amazon Macie API Reference*.

The following examples show you how to specify filter criteria in queries that you submit using the [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html). You can also do this by using a current version of another AWS command line tool or an AWS SDK, or by sending HTTPS requests directly to Macie. For information about AWS tools and SDKs, see [Tools to Build on AWS](https://aws.amazon.com/developer/tools/).

**Topics**
+ [Find buckets by bucket name](#monitoring-s3-inventory-filter-api-example1)
+ [Find buckets that are publicly accessible](#monitoring-s3-inventory-filter-api-example2)
+ [Find buckets that store unencrypted objects](#monitoring-s3-inventory-filter-api-example3)
+ [Find buckets that replicate data to external accounts](#monitoring-s3-inventory-filter-api-example5)
+ [Find buckets that aren’t monitored by a sensitive data discovery job](#monitoring-s3-inventory-filter-api-example4)
+ [Find buckets that aren’t monitored by automated sensitive data discovery](#monitoring-s3-inventory-filter-api-example-asdd)
+ [Find buckets based on multiple criteria](#monitoring-s3-inventory-filter-api-example6)

The examples use the [describe-buckets](https://docs.aws.amazon.com/cli/latest/reference/macie2/describe-buckets.html) command. If the command runs successfully, Macie returns a `buckets` array. The array contains an object for each bucket that’s in the current AWS Region and matches the filter criteria. For an example of this output, see the following section.

### Example of a `buckets` array


In this example, the `buckets` array provides details about two buckets that match the filter criteria specified in a query.

```
{
    "buckets": [
        {
            "accountId": "123456789012",
            "allowsUnencryptedObjectUploads": "FALSE",
            "automatedDiscoveryMonitoringStatus": "MONITORED", 
            "bucketArn": "arn:aws:s3:::amzn-s3-demo-bucket1",
            "bucketCreatedAt": "2020-05-18T19:54:00+00:00",
            "bucketName": "amzn-s3-demo-bucket1",
            "classifiableObjectCount": 13,
            "classifiableSizeInBytes": 1592088,
            "jobDetails": {
                "isDefinedInJob": "TRUE",
                "isMonitoredByJob": "TRUE",
                "lastJobId": "08c81dc4a2f3377fae45c9ddaexample",
                "lastJobRunTime": "2024-05-26T14:55:30.270000+00:00"
            },
            "lastAutomatedDiscoveryTime": "2024-06-07T19:11:25.364000+00:00",
            "lastUpdated": "2024-06-12T07:33:06.337000+00:00",
            "objectCount": 13,
            "objectCountByEncryptionType": {
                "customerManaged": 0,
                "kmsManaged": 2,
                "s3Managed": 7,
                "unencrypted": 4,
                "unknown": 0
            },
            "publicAccess": {
                "effectivePermission": "NOT_PUBLIC",
                "permissionConfiguration": {
                    "accountLevelPermissions": {
                        "blockPublicAccess": {
                            "blockPublicAcls": true,
                            "blockPublicPolicy": true,
                            "ignorePublicAcls": true,
                            "restrictPublicBuckets": true
                        }
                    },
                    "bucketLevelPermissions": {
                        "accessControlList": {
                            "allowsPublicReadAccess": false,
                            "allowsPublicWriteAccess": false
                        },
                        "blockPublicAccess": {
                            "blockPublicAcls": true,
                            "blockPublicPolicy": true,
                            "ignorePublicAcls": true,
                            "restrictPublicBuckets": true
                        },
                        "bucketPolicy": {
                            "allowsPublicReadAccess": false,
                            "allowsPublicWriteAccess": false
                        }
                    }
                }
            },
            "region": "us-east-1",
            "replicationDetails": {
                "replicated": false,
                "replicatedExternally": false,
                "replicationAccounts": []
            },
            "sensitivityScore": 78,
            "serverSideEncryption": {
                "kmsMasterKeyId": null,
                "type": "NONE"
            },
            "sharedAccess": "NOT_SHARED",
            "sizeInBytes": 4549746,
            "sizeInBytesCompressed": 0,
            "tags": [
                {
                    "key": "Division",
                    "value": "HR"
                },
                {
                    "key": "Team",
                    "value": "Recruiting"
                }
            ],
            "unclassifiableObjectCount": {
                "fileType": 0,
                "storageClass": 0,
                "total": 0
            },
            "unclassifiableObjectSizeInBytes": {
                "fileType": 0,
                "storageClass": 0,
                "total": 0
            },
            "versioning": true
        },
        {
            "accountId": "123456789012",
            "allowsUnencryptedObjectUploads": "TRUE",
            "automatedDiscoveryMonitoringStatus": "MONITORED",
            "bucketArn": "arn:aws:s3:::amzn-s3-demo-bucket2",
            "bucketCreatedAt": "2020-11-25T18:24:38+00:00",
            "bucketName": "amzn-s3-demo-bucket2",
            "classifiableObjectCount": 8,
            "classifiableSizeInBytes": 133810,
            "jobDetails": {
                "isDefinedInJob": "TRUE",
                "isMonitoredByJob": "FALSE",
                "lastJobId": "188d4f6044d621771ef7d65f2example",
                "lastJobRunTime": "2024-04-09T19:37:11.511000+00:00"
            },
            "lastAutomatedDiscoveryTime": "2024-06-07T19:11:25.364000+00:00",
            "lastUpdated": "2024-06-12T07:33:06.337000+00:00",
            "objectCount": 8,
            "objectCountByEncryptionType": {
                "customerManaged": 0,
                "kmsManaged": 0,
                "s3Managed": 8,
                "unencrypted": 0,
                "unknown": 0
            },
            "publicAccess": {
                "effectivePermission": "NOT_PUBLIC",
                "permissionConfiguration": {
                    "accountLevelPermissions": {
                        "blockPublicAccess": {
                            "blockPublicAcls": true,
                            "blockPublicPolicy": true,
                            "ignorePublicAcls": true,
                            "restrictPublicBuckets": true
                        }
                    },
                    "bucketLevelPermissions": {
                        "accessControlList": {
                            "allowsPublicReadAccess": false,
                            "allowsPublicWriteAccess": false
                        },
                        "blockPublicAccess": {
                            "blockPublicAcls": true,
                            "blockPublicPolicy": true,
                            "ignorePublicAcls": true,
                            "restrictPublicBuckets": true
                        },
                        "bucketPolicy": {
                            "allowsPublicReadAccess": false,
                            "allowsPublicWriteAccess": false
                        }
                    }
                }
            },
            "region": "us-east-1",
            "replicationDetails": {
                "replicated": false,
                "replicatedExternally": false,
                "replicationAccounts": []
            },
            "sensitivityScore": 95,
            "serverSideEncryption": {
                "kmsMasterKeyId": null,
                "type": "AES256"
            },
            "sharedAccess": "EXTERNAL",
            "sizeInBytes": 175978,
            "sizeInBytesCompressed": 0,
            "tags": [
                {
                    "key": "Division",
                    "value": "HR"
                },
                {
                    "key": "Team",
                    "value": "Recruiting"
                }
            ],
            "unclassifiableObjectCount": {
                "fileType": 3,
                "storageClass": 0,
                "total": 3
            },
            "unclassifiableObjectSizeInBytes": {
                "fileType": 2999826,
                "storageClass": 0,
                "total": 2999826
            },
            "versioning": true
        }
    ]
}
```

If no buckets match the filter criteria, Macie returns an empty `buckets` array.

```
{
    "buckets": []
}
```

### Example: Find buckets by bucket name

This example queries metadata for buckets that are in the current AWS Region and have names beginning with *my-S3*.

For Linux, macOS, or Unix:

```
$ aws macie2 describe-buckets --criteria '{"bucketName":{"prefix":"my-S3"}}'
```

For Microsoft Windows:

```
C:\> aws macie2 describe-buckets --criteria={\"bucketName\":{\"prefix\":\"my-S3\"}}
```

Where:
+ *bucketName* specifies the JSON name of the **Bucket name** field.
+ *prefix* specifies the *prefix* operator.
+ *my-S3* is the value for the **Bucket name** field.

### Example: Find buckets that are publicly accessible

This example queries metadata for buckets that are in the current AWS Region and, based on a combination of permissions settings, are publicly accessible.

For Linux, macOS, or Unix:

```
$ aws macie2 describe-buckets --criteria '{"publicAccess.effectivePermission":{"eq":["PUBLIC"]}}'
```

For Microsoft Windows:

```
C:\> aws macie2 describe-buckets --criteria={\"publicAccess.effectivePermission\":{\"eq\":[\"PUBLIC\"]}}
```

Where:
+ *publicAccess.effectivePermission* specifies the JSON name of the **Effective permission** field.
+ *eq* specifies the *equals* operator.
+ *PUBLIC* is an enumerated value for the **Effective permission** field.

### Example: Find buckets that store unencrypted objects

This example queries metadata for buckets that are in the current AWS Region and store unencrypted objects.

For Linux, macOS, or Unix:

```
$ aws macie2 describe-buckets --criteria '{"objectCountByEncryptionType.unencrypted":{"gte":1}}'
```

For Microsoft Windows:

```
C:\> aws macie2 describe-buckets --criteria={\"objectCountByEncryptionType.unencrypted\":{\"gte\":1}}
```

Where:
+ *objectCountByEncryptionType.unencrypted* specifies the JSON name of the **No encryption** field.
+ *gte* specifies the *greater than or equal to* operator.
+ *1* is the lowest value in an inclusive, relative numeric range for the **No encryption** field.

### Example: Find buckets that replicate data to external accounts

This example queries metadata for buckets that are in the current AWS Region and are configured to replicate objects to buckets for an AWS account that isn’t part of your organization.

For Linux, macOS, or Unix:

```
$ aws macie2 describe-buckets --criteria '{"replicationDetails.replicatedExternally":{"eq":["true"]}}'
```

For Microsoft Windows:

```
C:\> aws macie2 describe-buckets --criteria={\"replicationDetails.replicatedExternally\":{\"eq\":[\"true\"]}}
```

Where:
+ *replicationDetails.replicatedExternally* specifies the JSON name of the **Replicated externally** field.
+ *eq* specifies the *equals* operator.
+ *true* specifies a Boolean value for the **Replicated externally** field. 

### Example: Find buckets that aren’t monitored by a sensitive data discovery job

This example queries metadata for buckets that are in the current AWS Region and aren’t associated with any periodic sensitive data discovery jobs.

For Linux, macOS, or Unix:

```
$ aws macie2 describe-buckets --criteria '{"jobDetails.isMonitoredByJob":{"eq":["FALSE"]}}'
```

For Microsoft Windows:

```
C:\> aws macie2 describe-buckets --criteria={\"jobDetails.isMonitoredByJob\":{\"eq\":[\"FALSE\"]}}
```

Where:
+ *jobDetails.isMonitoredByJob* specifies the JSON name of the **Actively monitored by job** field.
+ *eq* specifies the *equals* operator.
+ *FALSE* is an enumerated value for the **Actively monitored by job** field.

### Example: Find buckets that aren’t monitored by automated sensitive data discovery

This example queries metadata for buckets that are in the current AWS Region and are excluded from automated sensitive data discovery.

For Linux, macOS, or Unix:

```
$ aws macie2 describe-buckets --criteria '{"automatedDiscoveryMonitoringStatus":{"eq":["NOT_MONITORED"]}}'
```

For Microsoft Windows:

```
C:\> aws macie2 describe-buckets --criteria={\"automatedDiscoveryMonitoringStatus\":{\"eq\":[\"NOT_MONITORED\"]}}
```

Where:
+ *automatedDiscoveryMonitoringStatus* specifies the JSON name of the **Is monitored by automated discovery** field.
+ *eq* specifies the *equals* operator.
+ *NOT_MONITORED* is an enumerated value for the **Is monitored by automated discovery** field.

### Example: Find buckets based on multiple criteria

This example queries metadata for buckets that are in the current AWS Region and match all of the following criteria: they are publicly accessible based on a combination of permission settings; they store unencrypted objects; and they aren’t associated with any periodic sensitive data discovery jobs.

For Linux, macOS, or Unix, using the backslash (\) line-continuation character to improve readability:

```
$ aws macie2 describe-buckets \
--criteria '{"publicAccess.effectivePermission":{"eq":["PUBLIC"]},"objectCountByEncryptionType.unencrypted":{"gte":1},"jobDetails.isMonitoredByJob":{"eq":["FALSE"]}}'
```

For Microsoft Windows, using the caret (^) line-continuation character to improve readability:

```
C:\> aws macie2 describe-buckets ^
--criteria={\"publicAccess.effectivePermission\":{\"eq\":[\"PUBLIC\"]},\"objectCountByEncryptionType.unencrypted\":{\"gte\":1},\"jobDetails.isMonitoredByJob\":{\"eq\":[\"FALSE\"]}}
```

Where:
+ *publicAccess.effectivePermission* specifies the JSON name of the **Effective permission** field, and:
  + *eq* specifies the *equals* operator.
  + *PUBLIC* is an enumerated value for the **Effective permission** field.
+ *objectCountByEncryptionType.unencrypted* specifies the JSON name of the **No encryption** field, and:
  + *gte* specifies the *greater than or equal to* operator.
  + *1* is the lowest value in an inclusive, relative numeric range for the **No encryption** field.
+ *jobDetails.isMonitoredByJob* specifies the JSON name of the **Actively monitored by job** field, and:
  + *eq* specifies the *equals* operator.
  + *FALSE* is an enumerated value for the **Actively monitored by job** field. 
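The criteria objects in the examples above are applied server-side by Macie. The following added example (not Macie's own code) is a small local evaluator for the same `bucketName`, `eq`/`neq`, `prefix`, and `gt`/`gte`/`lt`/`lte` criteria syntax, so a filter can be sanity-checked offline against constructed bucket metadata before it is passed to `describe-buckets`; the sample records and their values are constructed.

```python
# Added example (not Macie's own code): a local evaluator for the bucket
# criteria syntax used with describe-buckets above, so a filter can be checked
# offline against constructed sample metadata before it is sent to the API.

def lookup(record, dotted):
    """Resolve a JSON field name such as 'publicAccess.effectivePermission'."""
    value = record
    for part in dotted.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value

def matches_field(value, condition):
    """Apply one field's operators: eq, neq, prefix, gt, gte, lt, lte."""
    for op, expected in condition.items():
        if op in ("eq", "neq"):
            # Enumerated and Boolean values compare as strings; this evaluator
            # ignores case so "true" also matches a JSON true.
            hit = str(value).lower() in {str(e).lower() for e in expected}
            if (op == "eq" and not hit) or (op == "neq" and hit):
                return False
        elif op == "prefix":
            if not isinstance(value, str) or not value.startswith(expected):
                return False
        elif op in ("gt", "gte", "lt", "lte"):
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            if not {"gt": value > expected, "gte": value >= expected,
                    "lt": value < expected, "lte": value <= expected}[op]:
                return False
        else:
            raise ValueError(f"unsupported operator: {op}")
    return True

def filter_buckets(buckets, criteria):
    """Return the buckets that satisfy every field condition (ANDed)."""
    return [b for b in buckets
            if all(matches_field(lookup(b, f), c) for f, c in criteria.items())]

SAMPLE_BUCKETS = [  # constructed, modelled on the describeBuckets output above
    {"bucketName": "my-S3-hr-archive", "jobDetails": {"isMonitoredByJob": "FALSE"},
     "publicAccess": {"effectivePermission": "PUBLIC"},
     "objectCountByEncryptionType": {"unencrypted": 4},
     "replicationDetails": {"replicatedExternally": False}},
    {"bucketName": "my-S3-finance", "jobDetails": {"isMonitoredByJob": "TRUE"},
     "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "objectCountByEncryptionType": {"unencrypted": 0},
     "replicationDetails": {"replicatedExternally": True}},
]
RISKY_CRITERIA = {  # the combined filter from the last CLI example above
    "publicAccess.effectivePermission": {"eq": ["PUBLIC"]},
    "objectCountByEncryptionType.unencrypted": {"gte": 1},
    "jobDetails.isMonitoredByJob": {"eq": ["FALSE"]},
}
```

The same `RISKY_CRITERIA` dictionary can be passed unchanged as the `criteria` argument of the `describe-buckets` operation once it has been checked locally.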

# Allowing Macie to access S3 buckets and objects

When you enable Amazon Macie for your AWS account, Macie creates a [service-linked role](service-linked-roles.md) that grants Macie the permissions that it requires to call Amazon Simple Storage Service (Amazon S3) and other AWS services on your behalf. A service-linked role simplifies the process of setting up an AWS service because you don't have to manually add permissions for the service to complete actions on your behalf. To learn about this type of role, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

The permissions policy for the Macie service-linked role (`AWSServiceRoleForAmazonMacie`) allows Macie to perform actions that include retrieving information about your S3 buckets and objects, and retrieving objects from your buckets. If you're the Macie administrator for an organization, the policy also allows Macie to perform these actions on your behalf for member accounts in your organization.

Macie uses these permissions to perform tasks such as:
+ Generate and maintain an inventory of your S3 general purpose buckets.
+ Provide statistical and other data about the buckets and objects in the buckets.
+ Monitor and evaluate the buckets for security and access control.
+ Analyze objects in the buckets to detect sensitive data.

In most cases, Macie has the permissions that it needs to perform these tasks. However, if an S3 bucket has a restrictive bucket policy, the policy might prevent Macie from performing some or all of these tasks.

A *bucket policy* is a resource-based AWS Identity and Access Management (IAM) policy that specifies which actions a principal (user, account, service, or other entity) can perform on an S3 bucket, and the conditions under which a principal can perform those actions. The actions and conditions can apply to bucket-level operations, such as retrieving information about a bucket, and object-level operations, such as retrieving objects from a bucket.

Bucket policies typically grant or restrict access by using explicit `Allow` or `Deny` statements and conditions. For example, a bucket policy might contain a `Deny` statement that denies access to the bucket unless specific source IP addresses, Amazon Virtual Private Cloud (Amazon VPC) endpoints, or VPCs are used to access the bucket. For information about using bucket policies to grant or restrict access to buckets, see [Bucket policies for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) and [How Amazon S3 authorizes a request](https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-s3-evaluates-access-control.html) in the *Amazon Simple Storage Service User Guide*.

If a bucket policy uses an explicit `Allow` statement, the policy doesn’t prevent Macie from retrieving information about the bucket and the bucket’s objects, or retrieving objects from the bucket. This is because the `Allow` statements in the permissions policy for the Macie service-linked role grant these permissions.

However, if a bucket policy uses an explicit `Deny` statement with one or more conditions, Macie might not be allowed to retrieve information about the bucket or the bucket’s objects, or retrieve the bucket’s objects. For example, if a bucket policy explicitly denies access from all sources except a specific IP address, Macie won't be allowed to analyze the bucket’s objects when you run a sensitive data discovery job. This is because restrictive bucket policies take precedence over the `Allow` statements in the permissions policy for the Macie service-linked role.

To allow Macie to access an S3 bucket that has a restrictive bucket policy, you can add a condition for the Macie service-linked role (`AWSServiceRoleForAmazonMacie`) to the bucket policy. The condition can exclude the Macie service-linked role from matching the `Deny` restriction in the policy. It can do this by using the `aws:PrincipalArn` [global condition context key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) and the Amazon Resource Name (ARN) of the Macie service-linked role.

The following procedure guides you through this process and provides an example.

**To add the Macie service-linked role to a bucket policy**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation pane, choose **Buckets**.

1. Choose the S3 bucket that you want to allow Macie to access.

1. On the **Permissions** tab, under **Bucket policy**, choose **Edit**.

1. In the **Bucket policy** editor, identify each `Deny` statement that restricts access and prevents Macie from accessing the bucket or the bucket's objects.

1. In each `Deny` statement, add a condition that uses the `aws:PrincipalArn` global condition context key and specifies the ARN of the Macie service-linked role for your AWS account.

   The value for the condition key should be `arn:aws:iam::123456789012:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie`, where *123456789012* is the account ID for your AWS account.

Where you add this to a bucket policy depends on the structure, elements, and conditions that the policy currently contains. To learn about supported structures and elements, see [Policies and permissions in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html) in the *Amazon Simple Storage Service User Guide*.

The following is an example of a bucket policy that uses an explicit `Deny` statement to restrict access to an S3 bucket named `amzn-s3-demo-bucket`. With the current policy, the bucket can be accessed only from the VPC endpoint whose ID is `vpce-1a2b3c4d`. Access from all other VPC endpoints is denied, including access from the AWS Management Console and Macie.

```
{
   "Version": "2012-10-17",
   "Id": "Policy1415115example",
   "Statement": [
      {
         "Sid": "Access only from specific VPCE",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": [
            "arn:aws:s3:::amzn-s3-demo-bucket",
            "arn:aws:s3:::amzn-s3-demo-bucket/*"
         ],
         "Condition": {
            "StringNotEquals": {
               "aws:SourceVpce": "vpce-1a2b3c4d"
            }
         }
      }
   ]
}
```

To change this policy and allow Macie to access the S3 bucket and the bucket's objects, we can add a condition that uses the `StringNotLike` [condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) and the `aws:PrincipalArn` [global condition context key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). This additional condition excludes the Macie service-linked role from matching the `Deny` restriction.

```
{
   "Version": "2012-10-17",
   "Id": "Policy1415115example",
   "Statement": [
      {
         "Sid": "Access only from specific VPCE and Macie",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": [
            "arn:aws:s3:::amzn-s3-demo-bucket",
            "arn:aws:s3:::amzn-s3-demo-bucket/*"
         ],
         "Condition": {
            "StringNotEquals": {
               "aws:SourceVpce": "vpce-1a2b3c4d"
            },
            "StringNotLike": {
               "aws:PrincipalArn": "arn:aws:iam::123456789012:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
            }
         }
      }
   ]
}
```

In the preceding example, the `StringNotLike` condition operator uses the `aws:PrincipalArn` condition context key to specify the ARN of the Macie service-linked role, where:
+ `123456789012` is the account ID for the AWS account that's permitted to use Macie to retrieve information about the bucket and the bucket's objects, and retrieve objects from the bucket.
+ `macie.amazonaws.com` is the identifier for the Macie service principal.
+ `AWSServiceRoleForAmazonMacie` is the name of the Macie service-linked role.

We used the `StringNotLike` operator because the statement's `Condition` block already uses a `StringNotEquals` operator, and a single `Condition` block can contain each condition operator only once.
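The procedure above is easy to get wrong in a policy with several `Deny` statements: each one has to carry the exemption, and an existing `aws:PrincipalArn` list must be extended rather than overwritten. The following added example (not from the Macie or Amazon S3 documentation) audits a bucket policy for `Deny` statements that don't yet exempt the Macie service-linked role and produces a patched copy that adds the `StringNotLike` exemption to each of them; the sample policy is constructed from the VPC endpoint example above.

```python
import copy
# Added example (not from the Macie or S3 documentation): exempt the Macie
# service-linked role from every Deny statement in a bucket policy, following
# the procedure above. The sample policy below is constructed.

SLR_ARN_TEMPLATE = ("arn:aws:iam::{account_id}:role/aws-service-role/"
                    "macie.amazonaws.com/AWSServiceRoleForAmazonMacie")

def macie_slr_arn(account_id):
    return SLR_ARN_TEMPLATE.format(account_id=account_id)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def deny_statements_blocking_macie(policy, account_id):
    """Sids of Deny statements with no aws:PrincipalArn exemption (under
    StringNotLike or StringNotEquals) for the Macie service-linked role."""
    arn = macie_slr_arn(account_id)
    blocking = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        exempt = any(arn in _as_list(cond.get(op, {}).get("aws:PrincipalArn", []))
                     for op in ("StringNotLike", "StringNotEquals"))
        if not exempt:
            blocking.append(stmt.get("Sid", "<no Sid>"))
    return blocking

def exempt_macie_from_denies(policy, account_id):
    """Copy of the policy with the Macie role excluded from each Deny, added
    under StringNotLike as above and merged into any existing PrincipalArn list."""
    arn = macie_slr_arn(account_id)
    patched = copy.deepcopy(policy)
    for stmt in _as_list(patched.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.setdefault("Condition", {})
        principals = _as_list(cond.setdefault("StringNotLike", {}).get("aws:PrincipalArn", []))
        if arn not in principals:
            principals.append(arn)
        # IAM accepts a single string or a list; keep the single-string form when possible
        cond["StringNotLike"]["aws:PrincipalArn"] = principals if len(principals) > 1 else principals[0]
    return patched

SAMPLE_POLICY = {  # constructed, modelled on the VPC endpoint example above
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access only from specific VPCE",
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket",
                     "arn:aws:s3:::amzn-s3-demo-bucket/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}},
    }],
}
```

Run `deny_statements_blocking_macie` again on the patched copy before saving it to the bucket; an empty result means every `Deny` statement now exempts the role.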

For additional policy examples and detailed information about managing access to Amazon S3 resources, see [Access control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-management.html) in the *Amazon Simple Storage Service User Guide*.