feat(client-macie2): This release adds support for configuring Macie …

…to assume an IAM role when retrieving sample occurrences of sensitive data reported by findings.
aws · Nov 16, 2023 · 473c3e9 · 473c3e9
1 parent a72102a
commit 473c3e9
Show file tree

Hide file tree

Showing 8 changed files with 334 additions and 69 deletions.
diff --git a/clients/client-macie2/src/commands/GetRevealConfigurationCommand.ts b/clients/client-macie2/src/commands/GetRevealConfigurationCommand.ts
@@ -52,6 +52,11 @@ export interface GetRevealConfigurationCommandOutput extends GetRevealConfigurat
  * //     kmsKeyId: "STRING_VALUE",
  * //     status: "ENABLED" || "DISABLED", // required
  * //   },
+ * //   retrievalConfiguration: { // RetrievalConfiguration
+ * //     externalId: "STRING_VALUE",
+ * //     retrievalMode: "CALLER_CREDENTIALS" || "ASSUME_ROLE", // required
+ * //     roleName: "STRING_VALUE",
+ * //   },
  * // };
  *
  * ```

diff --git a/clients/client-macie2/src/commands/GetSensitiveDataOccurrencesAvailabilityCommand.ts b/clients/client-macie2/src/commands/GetSensitiveDataOccurrencesAvailabilityCommand.ts
@@ -61,7 +61,7 @@ export interface GetSensitiveDataOccurrencesAvailabilityCommandOutput
  * // { // GetSensitiveDataOccurrencesAvailabilityResponse
  * //   code: "AVAILABLE" || "UNAVAILABLE",
  * //   reasons: [ // __listOfUnavailabilityReasonCode
- * //     "OBJECT_EXCEEDS_SIZE_QUOTA" || "UNSUPPORTED_OBJECT_TYPE" || "UNSUPPORTED_FINDING_TYPE" || "INVALID_CLASSIFICATION_RESULT" || "OBJECT_UNAVAILABLE",
+ * //     "OBJECT_EXCEEDS_SIZE_QUOTA" || "UNSUPPORTED_OBJECT_TYPE" || "UNSUPPORTED_FINDING_TYPE" || "INVALID_CLASSIFICATION_RESULT" || "OBJECT_UNAVAILABLE" || "ACCOUNT_NOT_IN_ORGANIZATION" || "MISSING_GET_MEMBER_PERMISSION" || "ROLE_TOO_PERMISSIVE" || "MEMBER_ROLE_TOO_PERMISSIVE" || "INVALID_RESULT_SIGNATURE" || "RESULT_NOT_SIGNED",
  * //   ],
  * // };
  *

diff --git a/clients/client-macie2/src/commands/ListFindingsFiltersCommand.ts b/clients/client-macie2/src/commands/ListFindingsFiltersCommand.ts
@@ -15,7 +15,7 @@ import {
 } from "@smithy/types";
 
 import { Macie2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../Macie2Client";
-import { ListFindingsFiltersRequest, ListFindingsFiltersResponse } from "../models/models_0";
+import { ListFindingsFiltersRequest, ListFindingsFiltersResponse } from "../models/models_1";
 import { de_ListFindingsFiltersCommand, se_ListFindingsFiltersCommand } from "../protocols/Aws_restJson1";
 
 /**

diff --git a/clients/client-macie2/src/commands/UpdateRevealConfigurationCommand.ts b/clients/client-macie2/src/commands/UpdateRevealConfigurationCommand.ts
@@ -49,6 +49,10 @@ export interface UpdateRevealConfigurationCommandOutput extends UpdateRevealConf
  *     kmsKeyId: "STRING_VALUE",
  *     status: "ENABLED" || "DISABLED", // required
  *   },
+ *   retrievalConfiguration: { // UpdateRetrievalConfiguration
+ *     retrievalMode: "CALLER_CREDENTIALS" || "ASSUME_ROLE", // required
+ *     roleName: "STRING_VALUE",
+ *   },
  * };
  * const command = new UpdateRevealConfigurationCommand(input);
  * const response = await client.send(command);
@@ -57,6 +61,11 @@ export interface UpdateRevealConfigurationCommandOutput extends UpdateRevealConf
  * //     kmsKeyId: "STRING_VALUE",
  * //     status: "ENABLED" || "DISABLED", // required
  * //   },
+ * //   retrievalConfiguration: { // RetrievalConfiguration
+ * //     externalId: "STRING_VALUE",
+ * //     retrievalMode: "CALLER_CREDENTIALS" || "ASSUME_ROLE", // required
+ * //     roleName: "STRING_VALUE",
+ * //   },
  * // };
  *
  * ```

diff --git a/clients/client-macie2/src/models/models_0.ts b/clients/client-macie2/src/models/models_0.ts
diff --git a/clients/client-macie2/src/models/models_1.ts b/clients/client-macie2/src/models/models_1.ts
@@ -9,6 +9,7 @@ import {
   FindingCriteria,
   FindingPublishingFrequency,
   FindingsFilterAction,
+  FindingsFilterListItem,
   Invitation,
   JobStatus,
   MacieStatus,
@@ -17,6 +18,8 @@ import {
   Member,
   OrderBy,
   ResourceProfileArtifact,
+  RetrievalConfiguration,
+  RetrievalMode,
   RevealConfiguration,
   SearchResourcesCriteria,
   SecurityHubConfiguration,
@@ -26,6 +29,40 @@ import {
   SuppressDataIdentifier,
 } from "./models_0";
 
+/**
+ * @public
+ */
+export interface ListFindingsFiltersRequest {
+  /**
+   * @public
+   * <p>The maximum number of items to include in each page of a paginated response.</p>
+   */
+  maxResults?: number;
+
+  /**
+   * @public
+   * <p>The nextToken string that specifies which page of results to return in a paginated response.</p>
+   */
+  nextToken?: string;
+}
+
+/**
+ * @public
+ */
+export interface ListFindingsFiltersResponse {
+  /**
+   * @public
+   * <p>An array of objects, one for each filter that's associated with the account.</p>
+   */
+  findingsFilterListItems?: FindingsFilterListItem[];
+
+  /**
+   * @public
+   * <p>The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.</p>
+   */
+  nextToken?: string;
+}
+
 /**
  * @public
  */
@@ -841,15 +878,39 @@ export interface UpdateResourceProfileDetectionsRequest {
  */
 export interface UpdateResourceProfileDetectionsResponse {}
 
+/**
+ * @public
+ * <p>Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume when retrieving the sensitive data, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see <a href="https://docs.aws.amazon.com/macie/latest/user/findings-retrieve-sd.html">Retrieving sensitive data samples with findings</a> in the <i>Amazon Macie User Guide</i>.</p>
+ */
+export interface UpdateRetrievalConfiguration {
+  /**
+   * @public
+   * <p>The access method to use when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie; and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data. If you specify ASSUME_ROLE, also specify the name of an existing IAM role for Macie to assume (roleName).</p> <important><p>If you change this value from ASSUME_ROLE to CALLER_CREDENTIALS for an existing configuration, Macie permanently deletes the external ID and role name currently specified for the configuration. These settings can't be recovered after they're deleted.</p></important>
+   */
+  retrievalMode: RetrievalMode | undefined;
+
+  /**
+   * @public
+   * <p>The name of the IAM role that is in the affected Amazon Web Services account and Amazon Macie is allowed to assume when retrieving sensitive data from affected S3 objects for the account. The trust and permissions policies for the role must meet all requirements for Macie to assume the role.</p>
+   */
+  roleName?: string;
+}
+
 /**
  * @public
  */
 export interface UpdateRevealConfigurationRequest {
   /**
    * @public
-   * <p>The new configuration settings and the status of the configuration for the account.</p>
+   * <p>The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.</p>
    */
   configuration: RevealConfiguration | undefined;
+
+  /**
+   * @public
+   * <p>The access method and settings to use to retrieve the sensitive data.</p>
+   */
+  retrievalConfiguration?: UpdateRetrievalConfiguration;
 }
 
 /**
@@ -858,9 +919,15 @@ export interface UpdateRevealConfigurationRequest {
 export interface UpdateRevealConfigurationResponse {
   /**
    * @public
-   * <p>The new configuration settings and the status of the configuration for the account.</p>
+   * <p>The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.</p>
    */
   configuration?: RevealConfiguration;
+
+  /**
+   * @public
+   * <p>The access method and settings to use to retrieve the sensitive data.</p>
+   */
+  retrievalConfiguration?: RetrievalConfiguration;
 }
 
 /**
@@ -887,7 +954,7 @@ export interface UpdateSensitivityInspectionTemplateRequest {
 
   /**
    * @public
-   * <p>The allow lists, custom data identifiers, and managed data identifiers to include (use) when analyzing data.</p>
+   * <p>The allow lists, custom data identifiers, and managed data identifiers to explicitly include (use) when analyzing data.</p>
    */
   includes?: SensitivityInspectionTemplateIncludes;
 }

diff --git a/clients/client-macie2/src/protocols/Aws_restJson1.ts b/clients/client-macie2/src/protocols/Aws_restJson1.ts
@@ -342,6 +342,7 @@ import {
   ResourceProfileArtifact,
   ResourcesAffected,
   ResourceStatistics,
+  RetrievalConfiguration,
   RevealConfiguration,
   S3Bucket,
   S3BucketCriteriaForJob,
@@ -401,6 +402,7 @@ import {
   SearchResourcesBucketCriteria,
   SearchResourcesCriteriaBlock,
   SearchResourcesSortCriteria,
+  UpdateRetrievalConfiguration,
 } from "../models/models_1";
 
 /**
@@ -2606,6 +2608,7 @@ export const se_UpdateRevealConfigurationCommand = async (
   body = JSON.stringify(
     take(input, {
       configuration: [, (_) => se_RevealConfiguration(_, context), `configuration`],
+      retrievalConfiguration: [, (_) => se_UpdateRetrievalConfiguration(_, context), `retrievalConfiguration`],
     })
   );
   return new __HttpRequest({
@@ -5358,6 +5361,7 @@ export const de_GetRevealConfigurationCommand = async (
   const data: Record<string, any> = __expectNonNull(__expectObject(await parseBody(output.body, context)), "body");
   const doc = take(data, {
     configuration: [, (_) => de_RevealConfiguration(_, context), `configuration`],
+    retrievalConfiguration: [, (_) => de_RetrievalConfiguration(_, context), `retrievalConfiguration`],
   });
   Object.assign(contents, doc);
   return contents;
@@ -7501,6 +7505,7 @@ export const de_UpdateRevealConfigurationCommand = async (
   const data: Record<string, any> = __expectNonNull(__expectObject(await parseBody(output.body, context)), "body");
   const doc = take(data, {
     configuration: [, (_) => de_RevealConfiguration(_, context), `configuration`],
+    retrievalConfiguration: [, (_) => de_RetrievalConfiguration(_, context), `retrievalConfiguration`],
   });
   Object.assign(contents, doc);
   return contents;
@@ -8385,6 +8390,16 @@ const se_TagValuePair = (input: TagValuePair, context: __SerdeContext): any => {
   });
 };
 
+/**
+ * serializeAws_restJson1UpdateRetrievalConfiguration
+ */
+const se_UpdateRetrievalConfiguration = (input: UpdateRetrievalConfiguration, context: __SerdeContext): any => {
+  return take(input, {
+    retrievalMode: [, , `retrievalMode`],
+    roleName: [, , `roleName`],
+  });
+};
+
 /**
  * serializeAws_restJson1UsageStatisticsFilter
  */
@@ -9808,6 +9823,17 @@ const de_ResourceStatistics = (output: any, context: __SerdeContext): ResourceSt
   }) as any;
 };
 
+/**
+ * deserializeAws_restJson1RetrievalConfiguration
+ */
+const de_RetrievalConfiguration = (output: any, context: __SerdeContext): RetrievalConfiguration => {
+  return take(output, {
+    externalId: [, __expectString, `externalId`],
+    retrievalMode: [, __expectString, `retrievalMode`],
+    roleName: [, __expectString, `roleName`],
+  }) as any;
+};
+
 /**
  * deserializeAws_restJson1RevealConfiguration
  */