From 473c3e9d078c21ed2fe314590785298c408498b6 Mon Sep 17 00:00:00 2001 From: awstools Date: Thu, 16 Nov 2023 19:22:02 +0000 Subject: [PATCH] feat(client-macie2): This release adds support for configuring Macie to assume an IAM role when retrieving sample occurrences of sensitive data reported by findings. --- .../commands/GetRevealConfigurationCommand.ts | 5 + ...itiveDataOccurrencesAvailabilityCommand.ts | 2 +- .../commands/ListFindingsFiltersCommand.ts | 2 +- .../UpdateRevealConfigurationCommand.ts | 9 + clients/client-macie2/src/models/models_0.ts | 110 ++++++----- clients/client-macie2/src/models/models_1.ts | 73 +++++++- .../src/protocols/Aws_restJson1.ts | 26 +++ codegen/sdk-codegen/aws-models/macie2.json | 176 ++++++++++++++++-- 8 files changed, 334 insertions(+), 69 deletions(-) diff --git a/clients/client-macie2/src/commands/GetRevealConfigurationCommand.ts b/clients/client-macie2/src/commands/GetRevealConfigurationCommand.ts index b848424f51e23..0988a15477dfd 100644 --- a/clients/client-macie2/src/commands/GetRevealConfigurationCommand.ts +++ b/clients/client-macie2/src/commands/GetRevealConfigurationCommand.ts @@ -52,6 +52,11 @@ export interface GetRevealConfigurationCommandOutput extends GetRevealConfigurat * // kmsKeyId: "STRING_VALUE", * // status: "ENABLED" || "DISABLED", // required * // }, + * // retrievalConfiguration: { // RetrievalConfiguration + * // externalId: "STRING_VALUE", + * // retrievalMode: "CALLER_CREDENTIALS" || "ASSUME_ROLE", // required + * // roleName: "STRING_VALUE", + * // }, * // }; * * ``` diff --git a/clients/client-macie2/src/commands/GetSensitiveDataOccurrencesAvailabilityCommand.ts b/clients/client-macie2/src/commands/GetSensitiveDataOccurrencesAvailabilityCommand.ts index 3dd1525347c9b..5154bc143c5ec 100644 --- a/clients/client-macie2/src/commands/GetSensitiveDataOccurrencesAvailabilityCommand.ts +++ b/clients/client-macie2/src/commands/GetSensitiveDataOccurrencesAvailabilityCommand.ts 
@@ -61,7 +61,7 @@ export interface GetSensitiveDataOccurrencesAvailabilityCommandOutput
 * // { // GetSensitiveDataOccurrencesAvailabilityResponse
 * // code: "AVAILABLE" || "UNAVAILABLE",
 * // reasons: [ // __listOfUnavailabilityReasonCode
- * // "OBJECT_EXCEEDS_SIZE_QUOTA" || "UNSUPPORTED_OBJECT_TYPE" || "UNSUPPORTED_FINDING_TYPE" || "INVALID_CLASSIFICATION_RESULT" || "OBJECT_UNAVAILABLE",
+ * // "OBJECT_EXCEEDS_SIZE_QUOTA" || "UNSUPPORTED_OBJECT_TYPE" || "UNSUPPORTED_FINDING_TYPE" || "INVALID_CLASSIFICATION_RESULT" || "OBJECT_UNAVAILABLE" || "ACCOUNT_NOT_IN_ORGANIZATION" || "MISSING_GET_MEMBER_PERMISSION" || "ROLE_TOO_PERMISSIVE" || "MEMBER_ROLE_TOO_PERMISSIVE" || "INVALID_RESULT_SIGNATURE" || "RESULT_NOT_SIGNED",
 * // ],
 * // };
 *
diff --git a/clients/client-macie2/src/commands/ListFindingsFiltersCommand.ts b/clients/client-macie2/src/commands/ListFindingsFiltersCommand.ts
index 280f9c9674ac5..eb9e290c78629 100644
--- a/clients/client-macie2/src/commands/ListFindingsFiltersCommand.ts
+++ b/clients/client-macie2/src/commands/ListFindingsFiltersCommand.ts
@@ -15,7 +15,7 @@ import {
 } from "@smithy/types";
 
 import { Macie2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../Macie2Client";
-import { ListFindingsFiltersRequest, ListFindingsFiltersResponse } from "../models/models_0";
+import { ListFindingsFiltersRequest, ListFindingsFiltersResponse } from "../models/models_1";
 import { de_ListFindingsFiltersCommand, se_ListFindingsFiltersCommand } from "../protocols/Aws_restJson1";
 
 /**
diff --git a/clients/client-macie2/src/commands/UpdateRevealConfigurationCommand.ts b/clients/client-macie2/src/commands/UpdateRevealConfigurationCommand.ts
index f7e9f45834f36..3e249d0476c21 100644
--- a/clients/client-macie2/src/commands/UpdateRevealConfigurationCommand.ts
+++ b/clients/client-macie2/src/commands/UpdateRevealConfigurationCommand.ts
@@ -49,6 +49,10 @@ export interface UpdateRevealConfigurationCommandOutput extends UpdateRevealConf
 * kmsKeyId: "STRING_VALUE",
 * status: "ENABLED" || "DISABLED", // required
 * },
+ * retrievalConfiguration: { // UpdateRetrievalConfiguration
+ * retrievalMode: "CALLER_CREDENTIALS" || "ASSUME_ROLE", // required
+ * roleName: "STRING_VALUE",
+ * },
 * };
 * const command = new UpdateRevealConfigurationCommand(input);
 * const response = await client.send(command);
@@ -57,6 +61,11 @@ export interface UpdateRevealConfigurationCommandOutput extends UpdateRevealConf
 * // kmsKeyId: "STRING_VALUE",
 * // status: "ENABLED" || "DISABLED", // required
 * // },
+ * // retrievalConfiguration: { // RetrievalConfiguration
+ * // externalId: "STRING_VALUE",
+ * // retrievalMode: "CALLER_CREDENTIALS" || "ASSUME_ROLE", // required
+ * // roleName: "STRING_VALUE",
+ * // },
 * // };
 *
 * ```
diff --git a/clients/client-macie2/src/models/models_0.ts b/clients/client-macie2/src/models/models_0.ts
index f4fc8bacb524b..6c6882027c19a 100644
--- a/clients/client-macie2/src/models/models_0.ts
+++ b/clients/client-macie2/src/models/models_0.ts
@@ -849,7 +849,7 @@ export interface CustomDataIdentifierSummary {
 export interface DetectedDataDetails {
 /**
 * @public
- *

An occurrence of the specified type of sensitive data. Each occurrence can contain 1-128 characters.

+ *

An occurrence of the specified type of sensitive data. Each occurrence contains 1-128 characters.

*/ value: string | undefined; } @@ -1023,7 +1023,7 @@ export interface Page { export interface _Record { /** * @public - *

The path, as a JSONPath expression, to the sensitive data. For an Avro object container or Parquet file, this is the path to the field in the record (recordIndex) that contains the data. For a JSON or JSON Lines file, this is the path to the field or array that contains the data. If the data is a value in an array, the path also indicates which value contains the data.

If Amazon Macie detects sensitive data in the name of any element in the path, Macie omits this field. If the name of an element exceeds 20 characters, Macie truncates the name by removing characters from the beginning of the name. If the resulting full path exceeds 250 characters, Macie also truncates the path, starting with the first element in the path, until the path contains 250 or fewer characters.

+ *

The path, as a JSONPath expression, to the sensitive data. For an Avro object container or Parquet file, this is the path to the field in the record (recordIndex) that contains the data. For a JSON or JSON Lines file, this is the path to the field or array that contains the data. If the data is a value in an array, the path also indicates which value contains the data.

If Amazon Macie detects sensitive data in the name of any element in the path, Macie omits this field. If the name of an element exceeds 240 characters, Macie truncates the name by removing characters from the beginning of the name. If the resulting full path exceeds 250 characters, Macie also truncates the path, starting with the first element in the path, until the path contains 250 or fewer characters.

*/ jsonPath?: string; @@ -2337,7 +2337,7 @@ export type ScopeFilterKey = (typeof ScopeFilterKey)[keyof typeof ScopeFilterKey export interface SimpleScopeTerm { /** * @public - *

The operator to use in the condition. Valid values for each supported property (key) are:

+ *

The operator to use in the condition. Valid values for each supported property (key) are:

*/ comparator?: JobComparator; @@ -2349,7 +2349,7 @@ export interface SimpleScopeTerm { /** * @public - *

An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses OR logic to join the values. Otherwise, this array can specify only one value.

Valid values for each supported property (key) are:

Macie doesn't support use of wildcard characters in these values. Also, string values are case sensitive.

+ *

An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses OR logic to join the values. Otherwise, this array can specify only one value.

Valid values for each supported property (key) are:

Macie doesn't support use of wildcard characters in these values. Also, string values are case sensitive.

*/ values?: string[]; } @@ -3023,9 +3023,15 @@ export interface SuppressDataIdentifier { * @enum */ export const UnavailabilityReasonCode = { + ACCOUNT_NOT_IN_ORGANIZATION: "ACCOUNT_NOT_IN_ORGANIZATION", INVALID_CLASSIFICATION_RESULT: "INVALID_CLASSIFICATION_RESULT", + INVALID_RESULT_SIGNATURE: "INVALID_RESULT_SIGNATURE", + MEMBER_ROLE_TOO_PERMISSIVE: "MEMBER_ROLE_TOO_PERMISSIVE", + MISSING_GET_MEMBER_PERMISSION: "MISSING_GET_MEMBER_PERMISSION", OBJECT_EXCEEDS_SIZE_QUOTA: "OBJECT_EXCEEDS_SIZE_QUOTA", OBJECT_UNAVAILABLE: "OBJECT_UNAVAILABLE", + RESULT_NOT_SIGNED: "RESULT_NOT_SIGNED", + ROLE_TOO_PERMISSIVE: "ROLE_TOO_PERMISSIVE", UNSUPPORTED_FINDING_TYPE: "UNSUPPORTED_FINDING_TYPE", UNSUPPORTED_OBJECT_TYPE: "UNSUPPORTED_OBJECT_TYPE", } as const; @@ -3872,7 +3878,7 @@ export interface S3Destination { /** * @public - *

The Amazon Resource Name (ARN) of the customer managed KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption KMS key that's in the same Amazon Web Services Region as the bucket.

+ *

The Amazon Resource Name (ARN) of the customer managed KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption KMS key that's enabled in the same Amazon Web Services Region as the bucket.

*/ kmsKeyArn: string | undefined; } @@ -4150,7 +4156,7 @@ export interface CreateClassificationJobRequest { /** * @public - *

The selection type to apply when determining which managed data identifiers the job uses to analyze data. Valid values are:

If you don't specify a value for this property, the job uses the recommended set of managed data identifiers.

If the job is a recurring job and you specify ALL or EXCLUDE, each job run automatically uses new managed data identifiers that are released. If you specify RECOMMENDED for a recurring job, each job run automatically uses all the managed data identifiers that are in the recommended set when the run starts.

For information about individual managed data identifiers or to determine which ones are in the recommended set, see Using managed data identifiers and Recommended managed data identifiers in the Amazon Macie User Guide.

+ *

The selection type to apply when determining which managed data identifiers the job uses to analyze data. Valid values are:

If you don't specify a value for this property, the job uses the recommended set of managed data identifiers.

If the job is a recurring job and you specify ALL or EXCLUDE, each job run automatically uses new managed data identifiers that are released. If you don't specify a value for this property or you specify RECOMMENDED for a recurring job, each job run automatically uses all the managed data identifiers that are in the recommended set when the run starts.

For information about individual managed data identifiers or to determine which ones are in the recommended set, see Using managed data identifiers and Recommended managed data identifiers in the Amazon Macie User Guide.

*/ managedDataIdentifierSelector?: ManagedDataIdentifierSelector; @@ -5668,7 +5674,7 @@ export interface GetMacieSessionResponse { /** * @public - *

The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the Amazon Macie account.

+ *

The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status or configuration settings for the Amazon Macie account.

*/ updatedAt?: Date; } @@ -5807,7 +5813,7 @@ export interface ResourceStatistics { /** * @public - *

The total number of objects that Amazon Macie wasn't able to analyze in the bucket due to an object-level issue or error. For example, the object is a malformed file. This value includes objects that Macie wasn't able to analyze for reasons reported by other statistics in the ResourceStatistics object.

+ *

The total number of objects that Amazon Macie wasn't able to analyze in the bucket due to an object-level issue or error. For example, an object is a malformed file. This value includes objects that Macie wasn't able to analyze for reasons reported by other statistics in the ResourceStatistics object.

*/ totalItemsSkipped?: number; @@ -5880,12 +5886,12 @@ export type RevealStatus = (typeof RevealStatus)[keyof typeof RevealStatus]; /** * @public - *

Specifies the configuration settings for retrieving occurrences of sensitive data reported by findings, and the status of the configuration for an Amazon Macie account. When you enable the configuration for the first time, your request must specify an Key Management Service (KMS) key. Otherwise, an error occurs. Macie uses the specified key to encrypt the sensitive data that you retrieve.

+ *

Specifies the status of the Amazon Macie configuration for retrieving occurrences of sensitive data reported by findings, and the Key Management Service (KMS) key to use to encrypt sensitive data that's retrieved. When you enable the configuration for the first time, your request must specify an KMS key. Otherwise, an error occurs.

*/ export interface RevealConfiguration { /** * @public - *

The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that's retrieved. The key must be an existing, customer managed, symmetric encryption key that's in the same Amazon Web Services Region as the Amazon Macie account.

If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that's owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key's alias.

+ *

The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that's retrieved. The key must be an existing, customer managed, symmetric encryption key that's enabled in the same Amazon Web Services Region as the Amazon Macie account.

If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that's owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key's alias.

*/ kmsKeyId?: string; @@ -5896,15 +5902,59 @@ export interface RevealConfiguration { status: RevealStatus | undefined; } +/** + * @public + * @enum + */ +export const RetrievalMode = { + ASSUME_ROLE: "ASSUME_ROLE", + CALLER_CREDENTIALS: "CALLER_CREDENTIALS", +} as const; + +/** + * @public + */ +export type RetrievalMode = (typeof RetrievalMode)[keyof typeof RetrievalMode]; + +/** + * @public + *

Provides information about the access method and settings that are used to retrieve occurrences of sensitive data reported by findings.

+ */ +export interface RetrievalConfiguration { + /** + * @public + *

The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). The trust policy must include an sts:ExternalId condition that requires this ID.

This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume a role. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.

+ */ + externalId?: string; + + /** + * @public + *

The access method that's used when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie (roleName); and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data.

+ */ + retrievalMode: RetrievalMode | undefined; + + /** + * @public + *

The name of the IAM role that is in the affected Amazon Web Services account and Amazon Macie is allowed to assume when retrieving sensitive data from affected S3 objects for the account. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.

+ */ + roleName?: string; +} + /** * @public */ export interface GetRevealConfigurationResponse { /** * @public - *

The current configuration settings and the status of the configuration for the account.

+ *

The KMS key that's used to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.

*/ configuration?: RevealConfiguration; + + /** + * @public + *

The access method and settings that are used to retrieve the sensitive data.

+ */ + retrievalConfiguration?: RetrievalConfiguration; } /** @@ -5999,7 +6049,7 @@ export interface GetSensitiveDataOccurrencesAvailabilityResponse { /** * @public - *
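Review bot: The TSDoc for `externalId` and `roleName` in the new `RetrievalConfiguration` says each "is null if the value for retrievalMode is CALLER_CREDENTIALS", but both members are typed `string | undefined`, and `de_RetrievalConfiguration` in this commit's Aws_restJson1.ts hunk reads them through `__expectString` inside `take()`, which as far as I can tell drops nullish values instead of surfacing `null`, so a caller testing `=== null` would never match. Since this file is generated, the wording belongs in the member's `smithy.api#documentation` trait in codegen/sdk-codegen/aws-models/macie2.json, e.g. `This property is omitted (undefined in the SDK) when retrievalMode is CALLER_CREDENTIALS.` It would also help readers to state why `externalId` exists: the `sts:ExternalId` condition in the role's trust policy pins the role to this Macie-generated value — the standard cross-account confused-deputy mitigation — so the doc should make clear it is to be copied into the trust policy as issued rather than replaced with a caller-chosen string.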

Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:

This value is null if sensitive data can be retrieved for the finding.

+ *

Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:

This value is null if sensitive data can be retrieved for the finding.

*/ reasons?: UnavailabilityReasonCode[]; } @@ -6069,7 +6119,7 @@ export interface GetSensitivityInspectionTemplateResponse { /** * @public - *

The allow lists, custom data identifiers, and managed data identifiers that are included (used) when analyzing data.

+ *

The allow lists, custom data identifiers, and managed data identifiers that are explicitly included (used) when analyzing data.

*/ includes?: SensitivityInspectionTemplateIncludes; @@ -6465,37 +6515,3 @@ export interface ListFindingsResponse { */ nextToken?: string; } - -/** - * @public - */ -export interface ListFindingsFiltersRequest { - /** - * @public - *

The maximum number of items to include in each page of a paginated response.

- */ - maxResults?: number; - - /** - * @public - *

The nextToken string that specifies which page of results to return in a paginated response.

- */ - nextToken?: string; -} - -/** - * @public - */ -export interface ListFindingsFiltersResponse { - /** - * @public - *

An array of objects, one for each filter that's associated with the account.

- */ - findingsFilterListItems?: FindingsFilterListItem[]; - - /** - * @public - *

The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

- */ - nextToken?: string; -} diff --git a/clients/client-macie2/src/models/models_1.ts b/clients/client-macie2/src/models/models_1.ts index dfe1a3e80aa62..ee52b8bb4af3b 100644 --- a/clients/client-macie2/src/models/models_1.ts +++ b/clients/client-macie2/src/models/models_1.ts @@ -9,6 +9,7 @@ import { FindingCriteria, FindingPublishingFrequency, FindingsFilterAction, + FindingsFilterListItem, Invitation, JobStatus, MacieStatus, @@ -17,6 +18,8 @@ import { Member, OrderBy, ResourceProfileArtifact, + RetrievalConfiguration, + RetrievalMode, RevealConfiguration, SearchResourcesCriteria, SecurityHubConfiguration, @@ -26,6 +29,40 @@ import { SuppressDataIdentifier, } from "./models_0"; +/** + * @public + */ +export interface ListFindingsFiltersRequest { + /** + * @public + *

The maximum number of items to include in each page of a paginated response.

+ */ + maxResults?: number; + + /** + * @public + *

The nextToken string that specifies which page of results to return in a paginated response.

+ */ + nextToken?: string; +} + +/** + * @public + */ +export interface ListFindingsFiltersResponse { + /** + * @public + *

An array of objects, one for each filter that's associated with the account.

+ */ + findingsFilterListItems?: FindingsFilterListItem[]; + + /** + * @public + *

The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

+ */ + nextToken?: string; +} + /** * @public */ @@ -841,15 +878,39 @@ export interface UpdateResourceProfileDetectionsRequest { */ export interface UpdateResourceProfileDetectionsResponse {} +/** + * @public + *

Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume when retrieving the sensitive data, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see Retrieving sensitive data samples with findings in the Amazon Macie User Guide.

+ */ +export interface UpdateRetrievalConfiguration { + /** + * @public + *

The access method to use when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie; and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data. If you specify ASSUME_ROLE, also specify the name of an existing IAM role for Macie to assume (roleName).

If you change this value from ASSUME_ROLE to CALLER_CREDENTIALS for an existing configuration, Macie permanently deletes the external ID and role name currently specified for the configuration. These settings can't be recovered after they're deleted.

+ */ + retrievalMode: RetrievalMode | undefined; + + /** + * @public + *

The name of the IAM role that is in the affected Amazon Web Services account and Amazon Macie is allowed to assume when retrieving sensitive data from affected S3 objects for the account. The trust and permissions policies for the role must meet all requirements for Macie to assume the role.

+ */ + roleName?: string; +} + /** * @public */ export interface UpdateRevealConfigurationRequest { /** * @public - *

The new configuration settings and the status of the configuration for the account.

+ *

The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.

*/ configuration: RevealConfiguration | undefined; + + /** + * @public + *

The access method and settings to use to retrieve the sensitive data.

+ */ + retrievalConfiguration?: UpdateRetrievalConfiguration; } /** @@ -858,9 +919,15 @@ export interface UpdateRevealConfigurationRequest { export interface UpdateRevealConfigurationResponse { /** * @public - *
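Review bot: `roleName` in `UpdateRetrievalConfiguration` is optional in the type, yet its own TSDoc never states the dependency that the `retrievalMode` doc describes — that it must be supplied with ASSUME_ROLE and that switching to CALLER_CREDENTIALS permanently deletes it together with the external ID — so a reader looking at `roleName` alone sees no constraint. Suggest `Required when retrievalMode is ASSUME_ROLE. Changing retrievalMode to CALLER_CREDENTIALS permanently deletes the stored role name and external ID.` As the shape is generated from Smithy, a discriminated union keyed on `retrievalMode` is not an option here and the text belongs in the member's `smithy.api#documentation` trait in codegen/sdk-codegen/aws-models/macie2.json. The irreversible deletion described on `retrievalMode` is also worth one sentence on the interface-level block, which is typically what tooling shows for the `retrievalConfiguration` request member.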

The new configuration settings and the status of the configuration for the account.

+ *

The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.

*/ configuration?: RevealConfiguration; + + /** + * @public + *

The access method and settings to use to retrieve the sensitive data.

+ */ + retrievalConfiguration?: RetrievalConfiguration; } /** @@ -887,7 +954,7 @@ export interface UpdateSensitivityInspectionTemplateRequest { /** * @public - *

The allow lists, custom data identifiers, and managed data identifiers to include (use) when analyzing data.

+ *

The allow lists, custom data identifiers, and managed data identifiers to explicitly include (use) when analyzing data.

*/ includes?: SensitivityInspectionTemplateIncludes; } diff --git a/clients/client-macie2/src/protocols/Aws_restJson1.ts b/clients/client-macie2/src/protocols/Aws_restJson1.ts index d45cd66c17393..98a3349bbdb24 100644 --- a/clients/client-macie2/src/protocols/Aws_restJson1.ts +++ b/clients/client-macie2/src/protocols/Aws_restJson1.ts @@ -342,6 +342,7 @@ import { ResourceProfileArtifact, ResourcesAffected, ResourceStatistics, + RetrievalConfiguration, RevealConfiguration, S3Bucket, S3BucketCriteriaForJob, @@ -401,6 +402,7 @@ import { SearchResourcesBucketCriteria, SearchResourcesCriteriaBlock, SearchResourcesSortCriteria, + UpdateRetrievalConfiguration, } from "../models/models_1"; /** @@ -2606,6 +2608,7 @@ export const se_UpdateRevealConfigurationCommand = async ( body = JSON.stringify( take(input, { configuration: [, (_) => se_RevealConfiguration(_, context), `configuration`], + retrievalConfiguration: [, (_) => se_UpdateRetrievalConfiguration(_, context), `retrievalConfiguration`], }) ); return new __HttpRequest({ @@ -5358,6 +5361,7 @@ export const de_GetRevealConfigurationCommand = async ( const data: Record = __expectNonNull(__expectObject(await parseBody(output.body, context)), "body"); const doc = take(data, { configuration: [, (_) => de_RevealConfiguration(_, context), `configuration`], + retrievalConfiguration: [, (_) => de_RetrievalConfiguration(_, context), `retrievalConfiguration`], }); Object.assign(contents, doc); return contents; @@ -7501,6 +7505,7 @@ export const de_UpdateRevealConfigurationCommand = async ( const data: Record = __expectNonNull(__expectObject(await parseBody(output.body, context)), "body"); const doc = take(data, { configuration: [, (_) => de_RevealConfiguration(_, context), `configuration`], + retrievalConfiguration: [, (_) => de_RetrievalConfiguration(_, context), `retrievalConfiguration`], }); Object.assign(contents, doc); return contents; 
@@ -8385,6 +8390,16 @@ const se_TagValuePair = (input: TagValuePair, context: __SerdeContext): any => {
 });
 };
 
+/**
+ * serializeAws_restJson1UpdateRetrievalConfiguration
+ */
+const se_UpdateRetrievalConfiguration = (input: UpdateRetrievalConfiguration, context: __SerdeContext): any => {
+ return take(input, {
+ retrievalMode: [, , `retrievalMode`],
+ roleName: [, , `roleName`],
+ });
+};
+
 /**
 * serializeAws_restJson1UsageStatisticsFilter
 */
@@ -9808,6 +9823,17 @@ const de_ResourceStatistics = (output: any, context: __SerdeContext): ResourceSt
 }) as any;
 };
 
+/**
+ * deserializeAws_restJson1RetrievalConfiguration
+ */
+const de_RetrievalConfiguration = (output: any, context: __SerdeContext): RetrievalConfiguration => {
+ return take(output, {
+ externalId: [, __expectString, `externalId`],
+ retrievalMode: [, __expectString, `retrievalMode`],
+ roleName: [, __expectString, `roleName`],
+ }) as any;
+};
+
 /**
 * deserializeAws_restJson1RevealConfiguration
 */
diff --git a/codegen/sdk-codegen/aws-models/macie2.json b/codegen/sdk-codegen/aws-models/macie2.json
index 740004745e987..e2419260dc0ab 100644
--- a/codegen/sdk-codegen/aws-models/macie2.json
+++ b/codegen/sdk-codegen/aws-models/macie2.json
@@ -1774,7 +1774,7 @@
 "managedDataIdentifierSelector": {
 "target": "com.amazonaws.macie2#ManagedDataIdentifierSelector",
 "traits": {
- "smithy.api#documentation": "
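Review bot: `de_RetrievalConfiguration` reads `retrievalMode` with `__expectString` and returns the `take()` result `as any`, so any string the service sends is typed as `RetrievalMode` without being checked against the two known members; a consumer that branches on `cfg.retrievalMode === "CALLER_CREDENTIALS"` and otherwise assumes a role is configured (or the reverse) would misclassify an unrecognized future value. This follows the SDK's forward-compatible codegen pattern rather than being a defect introduced here, but the header comment could say so: `// enum members are passed through as raw strings; values outside RetrievalMode are not rejected by the deserializer`. `externalId` and `roleName` are likewise only checked to be strings, so any consistency check against what was configured has to happen in the caller.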

The selection type to apply when determining which managed data identifiers the job uses to analyze data. Valid values are:

  • ALL - Use all managed data identifiers. If you specify this value, don't specify any values for the managedDataIdentifierIds property.

  • EXCLUDE - Use all managed data identifiers except the ones specified by the managedDataIdentifierIds property.

  • INCLUDE - Use only the managed data identifiers specified by the managedDataIdentifierIds property.

  • NONE - Don't use any managed data identifiers. If you specify this value, specify at least one value for the customDataIdentifierIds property and don't specify any values for the managedDataIdentifierIds property.

  • RECOMMENDED (default) - Use the recommended set of managed data identifiers. If you specify this value, don't specify any values for the managedDataIdentifierIds property.

If you don't specify a value for this property, the job uses the recommended set of managed data identifiers.

If the job is a recurring job and you specify ALL or EXCLUDE, each job run automatically uses new managed data identifiers that are released. If you specify RECOMMENDED for a recurring job, each job run automatically uses all the managed data identifiers that are in the recommended set when the run starts.

For information about individual managed data identifiers or to determine which ones are in the recommended set, see Using managed data identifiers and Recommended managed data identifiers in the Amazon Macie User Guide.

", + "smithy.api#documentation": "

The selection type to apply when determining which managed data identifiers the job uses to analyze data. Valid values are:

  • ALL - Use all managed data identifiers. If you specify this value, don't specify any values for the managedDataIdentifierIds property.

  • EXCLUDE - Use all managed data identifiers except the ones specified by the managedDataIdentifierIds property.

  • INCLUDE - Use only the managed data identifiers specified by the managedDataIdentifierIds property.

  • NONE - Don't use any managed data identifiers. If you specify this value, specify at least one value for the customDataIdentifierIds property and don't specify any values for the managedDataIdentifierIds property.

  • RECOMMENDED (default) - Use the recommended set of managed data identifiers. If you specify this value, don't specify any values for the managedDataIdentifierIds property.

If you don't specify a value for this property, the job uses the recommended set of managed data identifiers.

If the job is a recurring job and you specify ALL or EXCLUDE, each job run automatically uses new managed data identifiers that are released. If you don't specify a value for this property or you specify RECOMMENDED for a recurring job, each job run automatically uses all the managed data identifiers that are in the recommended set when the run starts.

For information about individual managed data identifiers or to determine which ones are in the recommended set, see Using managed data identifiers and Recommended managed data identifiers in the Amazon Macie User Guide.

", "smithy.api#jsonName": "managedDataIdentifierSelector" } }, @@ -3485,7 +3485,7 @@ "target": "com.amazonaws.macie2#__stringMin1Max128", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "

An occurrence of the specified type of sensitive data. Each occurrence can contain 1-128 characters.

", + "smithy.api#documentation": "

An occurrence of the specified type of sensitive data. Each occurrence contains 1-128 characters.

", "smithy.api#jsonName": "value", "smithy.api#required": {} } @@ -5773,7 +5773,7 @@ "updatedAt": { "target": "com.amazonaws.macie2#__timestampIso8601", "traits": { - "smithy.api#documentation": "

The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the Amazon Macie account.

", + "smithy.api#documentation": "

The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status or configuration settings for the Amazon Macie account.

", "smithy.api#jsonName": "updatedAt" } } @@ -6105,9 +6105,16 @@ "configuration": { "target": "com.amazonaws.macie2#RevealConfiguration", "traits": { - "smithy.api#documentation": "

The current configuration settings and the status of the configuration for the account.

", + "smithy.api#documentation": "

The KMS key that's used to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.

", "smithy.api#jsonName": "configuration" } + }, + "retrievalConfiguration": { + "target": "com.amazonaws.macie2#RetrievalConfiguration", + "traits": { + "smithy.api#documentation": "

The access method and settings that are used to retrieve the sensitive data.

", + "smithy.api#jsonName": "retrievalConfiguration" + } } }, "traits": { @@ -6238,7 +6245,7 @@ "reasons": { "target": "com.amazonaws.macie2#__listOfUnavailabilityReasonCode", "traits": { - "smithy.api#documentation": "

Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:

  • INVALID_CLASSIFICATION_RESULT - Amazon Macie can't verify the location of the sensitive data to retrieve. There isn't a corresponding sensitive data discovery result for the finding. Or the sensitive data discovery result specified by the classificationDetails.detailedResultsLocation field of the finding isn't available, is malformed or corrupted, or uses an unsupported storage format.

  • OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data.

  • OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object might have been renamed, moved, or deleted. Or the object was changed after Macie created the finding.

  • UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.

  • UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.

This value is null if sensitive data can be retrieved for the finding.

", + "smithy.api#documentation": "

Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:

  • ACCOUNT_NOT_IN_ORGANIZATION - The affected account isn't currently part of your organization. Or the account is part of your organization but Macie isn't currently enabled for the account. You're not allowed to access the affected S3 object by using Macie.

  • INVALID_CLASSIFICATION_RESULT - There isn't a corresponding sensitive data discovery result for the finding. Or the corresponding sensitive data discovery result isn't available, is malformed or corrupted, or uses an unsupported storage format. Macie can't verify the location of the sensitive data to retrieve.

  • INVALID_RESULT_SIGNATURE - The corresponding sensitive data discovery result is stored in an S3 object that wasn't signed by Macie. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.

  • MEMBER_ROLE_TOO_PERMISSIVE - The affected member account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Or the role's trust policy doesn't specify the correct external ID. Macie can't assume the role to retrieve the sensitive data.

  • MISSING_GET_MEMBER_PERMISSION - You're not allowed to retrieve information about the association between your account and the affected account. Macie can't determine whether you’re allowed to access the affected S3 object as the delegated Macie administrator for the affected account.

  • OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data from this type of file.

  • OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object was renamed, moved, or deleted. Or the object was changed after Macie created the finding.

  • RESULT_NOT_SIGNED - The corresponding sensitive data discovery result is stored in an S3 object that hasn't been signed. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.

  • ROLE_TOO_PERMISSIVE - Your account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Macie can’t assume the role to retrieve the sensitive data.

  • UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.

  • UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.

This value is null if sensitive data can be retrieved for the finding.

", "smithy.api#jsonName": "reasons" } } @@ -6362,7 +6369,7 @@ "includes": { "target": "com.amazonaws.macie2#SensitivityInspectionTemplateIncludes", "traits": { - "smithy.api#documentation": "

The allow lists, custom data identifiers, and managed data identifiers that are included (used) when analyzing data.

", + "smithy.api#documentation": "

The allow lists, custom data identifiers, and managed data identifiers that are explicitly included (used) when analyzing data.

", "smithy.api#jsonName": "includes" } }, @@ -10491,7 +10498,7 @@ "jsonPath": { "target": "com.amazonaws.macie2#__string", "traits": { - "smithy.api#documentation": "

The path, as a JSONPath expression, to the sensitive data. For an Avro object container or Parquet file, this is the path to the field in the record (recordIndex) that contains the data. For a JSON or JSON Lines file, this is the path to the field or array that contains the data. If the data is a value in an array, the path also indicates which value contains the data.

If Amazon Macie detects sensitive data in the name of any element in the path, Macie omits this field. If the name of an element exceeds 20 characters, Macie truncates the name by removing characters from the beginning of the name. If the resulting full path exceeds 250 characters, Macie also truncates the path, starting with the first element in the path, until the path contains 250 or fewer characters.

", + "smithy.api#documentation": "

The path, as a JSONPath expression, to the sensitive data. For an Avro object container or Parquet file, this is the path to the field in the record (recordIndex) that contains the data. For a JSON or JSON Lines file, this is the path to the field or array that contains the data. If the data is a value in an array, the path also indicates which value contains the data.

If Amazon Macie detects sensitive data in the name of any element in the path, Macie omits this field. If the name of an element exceeds 240 characters, Macie truncates the name by removing characters from the beginning of the name. If the resulting full path exceeds 250 characters, Macie also truncates the path, starting with the first element in the path, until the path contains 250 or fewer characters.

", "smithy.api#jsonName": "jsonPath" } }, @@ -10704,7 +10711,7 @@ "totalItemsSkipped": { "target": "com.amazonaws.macie2#__long", "traits": { - "smithy.api#documentation": "

The total number of objects that Amazon Macie wasn't able to analyze in the bucket due to an object-level issue or error. For example, the object is a malformed file. This value includes objects that Macie wasn't able to analyze for reasons reported by other statistics in the ResourceStatistics object.

", + "smithy.api#documentation": "

The total number of objects that Amazon Macie wasn't able to analyze in the bucket due to an object-level issue or error. For example, an object is a malformed file. This value includes objects that Macie wasn't able to analyze for reasons reported by other statistics in the ResourceStatistics object.

", "smithy.api#jsonName": "totalItemsSkipped" } }, @@ -10756,13 +10763,64 @@ "smithy.api#documentation": "

Provides information about the resources that a finding applies to.

" } }, + "com.amazonaws.macie2#RetrievalConfiguration": { + "type": "structure", + "members": { + "externalId": { + "target": "com.amazonaws.macie2#__string", + "traits": { + "smithy.api#documentation": "

The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). The trust policy must include an sts:ExternalId condition that requires this ID.

This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume a role. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.

", + "smithy.api#jsonName": "externalId" + } + }, + "retrievalMode": { + "target": "com.amazonaws.macie2#RetrievalMode", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#documentation": "

The access method that's used when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie (roleName); and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data.

", + "smithy.api#jsonName": "retrievalMode", + "smithy.api#required": {} + } + }, + "roleName": { + "target": "com.amazonaws.macie2#__stringMin1Max64PatternW", + "traits": { + "smithy.api#documentation": "

The name of the IAM role that is in the affected Amazon Web Services account and Amazon Macie is allowed to assume when retrieving sensitive data from affected S3 objects for the account. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.

", + "smithy.api#jsonName": "roleName" + } + } + }, + "traits": { + "smithy.api#documentation": "

Provides information about the access method and settings that are used to retrieve occurrences of sensitive data reported by findings.

" + } + }, + "com.amazonaws.macie2#RetrievalMode": { + "type": "enum", + "members": { + "CALLER_CREDENTIALS": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "CALLER_CREDENTIALS" + } + }, + "ASSUME_ROLE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "ASSUME_ROLE" + } + } + }, + "traits": { + "smithy.api#documentation": "

The access method to use when retrieving occurrences of sensitive data reported by findings. Valid values are:

" + } + }, "com.amazonaws.macie2#RevealConfiguration": { "type": "structure", "members": { "kmsKeyId": { "target": "com.amazonaws.macie2#__stringMin1Max2048", "traits": { - "smithy.api#documentation": "

The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that's retrieved. The key must be an existing, customer managed, symmetric encryption key that's in the same Amazon Web Services Region as the Amazon Macie account.

If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that's owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key's alias.

", + "smithy.api#documentation": "

The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that's retrieved. The key must be an existing, customer managed, symmetric encryption key that's enabled in the same Amazon Web Services Region as the Amazon Macie account.

If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that's owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key's alias.

", "smithy.api#jsonName": "kmsKeyId" } }, @@ -10777,7 +10835,7 @@ } }, "traits": { - "smithy.api#documentation": "

Specifies the configuration settings for retrieving occurrences of sensitive data reported by findings, and the status of the configuration for an Amazon Macie account. When you enable the configuration for the first time, your request must specify an Key Management Service (KMS) key. Otherwise, an error occurs. Macie uses the specified key to encrypt the sensitive data that you retrieve.

" + "smithy.api#documentation": "

Specifies the status of the Amazon Macie configuration for retrieving occurrences of sensitive data reported by findings, and the Key Management Service (KMS) key to use to encrypt sensitive data that's retrieved. When you enable the configuration for the first time, your request must specify an KMS key. Otherwise, an error occurs.

" } }, "com.amazonaws.macie2#RevealRequestStatus": { @@ -11067,7 +11125,7 @@ "target": "com.amazonaws.macie2#__string", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the customer managed KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption KMS key that's in the same Amazon Web Services Region as the bucket.

", + "smithy.api#documentation": "

The Amazon Resource Name (ARN) of the customer managed KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption KMS key that's enabled in the same Amazon Web Services Region as the bucket.

", "smithy.api#jsonName": "kmsKeyArn", "smithy.api#required": {} } @@ -12170,7 +12228,7 @@ "comparator": { "target": "com.amazonaws.macie2#JobComparator", "traits": { - "smithy.api#documentation": "

The operator to use in the condition. Valid values for each supported property (key) are:

  • OBJECT_EXTENSION - EQ (equals) or NE (not equals)

  • OBJECT_KEY - STARTS_WITH

  • OBJECT_LAST_MODIFIED_DATE - Any operator except CONTAINS

  • OBJECT_SIZE - Any operator except CONTAINS

", + "smithy.api#documentation": "

The operator to use in the condition. Valid values for each supported property (key) are:

  • OBJECT_EXTENSION - EQ (equals) or NE (not equals)

  • OBJECT_KEY - STARTS_WITH

  • OBJECT_LAST_MODIFIED_DATE - EQ (equals), GT (greater than), GTE (greater than or equals), LT (less than), LTE (less than or equals), or NE (not equals)

  • OBJECT_SIZE - EQ (equals), GT (greater than), GTE (greater than or equals), LT (less than), LTE (less than or equals), or NE (not equals)

", "smithy.api#jsonName": "comparator" } }, @@ -12184,7 +12242,7 @@ "values": { "target": "com.amazonaws.macie2#__listOf__string", "traits": { - "smithy.api#documentation": "

An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses OR logic to join the values. Otherwise, this array can specify only one value.

Valid values for each supported property (key) are:

  • OBJECT_EXTENSION - A string that represents the file name extension of an object. For example: docx or pdf

  • OBJECT_KEY - A string that represents the key prefix (folder name or path) of an object. For example: logs or awslogs/eventlogs. This value applies a condition to objects whose keys (names) begin with the specified value.

  • OBJECT_LAST_MODIFIED_DATE - The date and time (in UTC and extended ISO 8601 format) when an object was created or last changed, whichever is latest. For example: 2020-09-28T14:31:13Z

  • OBJECT_SIZE - An integer that represents the storage size (in bytes) of an object.

Macie doesn't support use of wildcard characters in these values. Also, string values are case sensitive.

", + "smithy.api#documentation": "

An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses OR logic to join the values. Otherwise, this array can specify only one value.

Valid values for each supported property (key) are:

  • OBJECT_EXTENSION - A string that represents the file name extension of an object. For example: docx or pdf

  • OBJECT_KEY - A string that represents the key prefix (folder name or path) of an object. For example: logs or awslogs/eventlogs. This value applies a condition to objects whose keys (names) begin with the specified value.

  • OBJECT_LAST_MODIFIED_DATE - The date and time (in UTC and extended ISO 8601 format) when an object was created or last changed, whichever is latest. For example: 2023-09-24T14:31:13Z

  • OBJECT_SIZE - An integer that represents the storage size (in bytes) of an object.

Macie doesn't support use of wildcard characters in these values. Also, string values are case sensitive.

", "smithy.api#jsonName": "values" } } @@ -12699,6 +12757,42 @@ "traits": { "smithy.api#enumValue": "OBJECT_UNAVAILABLE" } + }, + "ACCOUNT_NOT_IN_ORGANIZATION": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "ACCOUNT_NOT_IN_ORGANIZATION" + } + }, + "MISSING_GET_MEMBER_PERMISSION": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "MISSING_GET_MEMBER_PERMISSION" + } + }, + "ROLE_TOO_PERMISSIVE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "ROLE_TOO_PERMISSIVE" + } + }, + "MEMBER_ROLE_TOO_PERMISSIVE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "MEMBER_ROLE_TOO_PERMISSIVE" + } + }, + "INVALID_RESULT_SIGNATURE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "INVALID_RESULT_SIGNATURE" + } + }, + "RESULT_NOT_SIGNED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "RESULT_NOT_SIGNED" + } } }, "traits": { @@ -12723,7 +12817,7 @@ "target": "com.amazonaws.macie2#__string", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "

The type of error that occurred and prevented Amazon Macie from retrieving occurrences of sensitive data reported by the finding. Possible values are:

  • INVALID_CLASSIFICATION_RESULT - Amazon Macie can't verify the location of the sensitive data to retrieve. There isn't a corresponding sensitive data discovery result for the finding. Or the sensitive data discovery result specified by the classificationDetails.detailedResultsLocation field of the finding isn't available, is malformed or corrupted, or uses an unsupported storage format.

  • OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data.

  • OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object might have been renamed, moved, or deleted. Or the object was changed after Macie created the finding.

  • UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.

  • UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.

", + "smithy.api#documentation": "

The type of error that occurred and prevented Amazon Macie from retrieving occurrences of sensitive data reported by the finding. Possible values are:

  • ACCOUNT_NOT_IN_ORGANIZATION - The affected account isn't currently part of your organization. Or the account is part of your organization but Macie isn't currently enabled for the account. You're not allowed to access the affected S3 object by using Macie.

  • INVALID_CLASSIFICATION_RESULT - There isn't a corresponding sensitive data discovery result for the finding. Or the corresponding sensitive data discovery result isn't available, is malformed or corrupted, or uses an unsupported storage format. Macie can't verify the location of the sensitive data to retrieve.

  • INVALID_RESULT_SIGNATURE - The corresponding sensitive data discovery result is stored in an S3 object that wasn't signed by Macie. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.

  • MEMBER_ROLE_TOO_PERMISSIVE - The affected member account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Or the role's trust policy doesn't specify the correct external ID. Macie can't assume the role to retrieve the sensitive data.

  • MISSING_GET_MEMBER_PERMISSION - You're not allowed to retrieve information about the association between your account and the affected account. Macie can't determine whether you’re allowed to access the affected S3 object as the delegated Macie administrator for the affected account.

  • OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data from this type of file.

  • OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object was renamed, moved, or deleted. Or the object was changed after Macie created the finding.

  • RESULT_NOT_SIGNED - The corresponding sensitive data discovery result is stored in an S3 object that hasn't been signed. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.

  • ROLE_TOO_PERMISSIVE - Your account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Macie can’t assume the role to retrieve the sensitive data.

  • UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.

  • UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.

", "smithy.api#jsonName": "message", "smithy.api#required": {} } @@ -13563,6 +13657,30 @@ "smithy.api#output": {} } }, + "com.amazonaws.macie2#UpdateRetrievalConfiguration": { + "type": "structure", + "members": { + "retrievalMode": { + "target": "com.amazonaws.macie2#RetrievalMode", + "traits": { + "smithy.api#clientOptional": {}, + "smithy.api#documentation": "

The access method to use when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie; and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data. If you specify ASSUME_ROLE, also specify the name of an existing IAM role for Macie to assume (roleName).

If you change this value from ASSUME_ROLE to CALLER_CREDENTIALS for an existing configuration, Macie permanently deletes the external ID and role name currently specified for the configuration. These settings can't be recovered after they're deleted.

", + "smithy.api#jsonName": "retrievalMode", + "smithy.api#required": {} + } + }, + "roleName": { + "target": "com.amazonaws.macie2#__stringMin1Max64PatternW", + "traits": { + "smithy.api#documentation": "

The name of the IAM role that is in the affected Amazon Web Services account and Amazon Macie is allowed to assume when retrieving sensitive data from affected S3 objects for the account. The trust and permissions policies for the role must meet all requirements for Macie to assume the role.

", + "smithy.api#jsonName": "roleName" + } + } + }, + "traits": { + "smithy.api#documentation": "

Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume when retrieving the sensitive data, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see Retrieving sensitive data samples with findings in the Amazon Macie User Guide.

" + } + }, "com.amazonaws.macie2#UpdateRevealConfiguration": { "type": "operation", "input": { @@ -13601,10 +13719,17 @@ "target": "com.amazonaws.macie2#RevealConfiguration", "traits": { "smithy.api#clientOptional": {}, - "smithy.api#documentation": "

The new configuration settings and the status of the configuration for the account.

", + "smithy.api#documentation": "

The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.

", "smithy.api#jsonName": "configuration", "smithy.api#required": {} } + }, + "retrievalConfiguration": { + "target": "com.amazonaws.macie2#UpdateRetrievalConfiguration", + "traits": { + "smithy.api#documentation": "

The access method and settings to use to retrieve the sensitive data.

", + "smithy.api#jsonName": "retrievalConfiguration" + } } }, "traits": { @@ -13617,9 +13742,16 @@ "configuration": { "target": "com.amazonaws.macie2#RevealConfiguration", "traits": { - "smithy.api#documentation": "

The new configuration settings and the status of the configuration for the account.

", + "smithy.api#documentation": "

The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.

", "smithy.api#jsonName": "configuration" } + }, + "retrievalConfiguration": { + "target": "com.amazonaws.macie2#RetrievalConfiguration", + "traits": { + "smithy.api#documentation": "

The access method and settings to use to retrieve the sensitive data.

", + "smithy.api#jsonName": "retrievalConfiguration" + } } }, "traits": { @@ -13688,7 +13820,7 @@ "includes": { "target": "com.amazonaws.macie2#SensitivityInspectionTemplateIncludes", "traits": { - "smithy.api#documentation": "

The allow lists, custom data identifiers, and managed data identifiers to include (use) when analyzing data.

", + "smithy.api#documentation": "

The allow lists, custom data identifiers, and managed data identifiers to explicitly include (use) when analyzing data.

", "smithy.api#jsonName": "includes" } } @@ -14483,6 +14615,16 @@ "smithy.api#pattern": "^[\\s\\S]+$" } }, + "com.amazonaws.macie2#__stringMin1Max64PatternW": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 64 + }, + "smithy.api#pattern": "^[\\w+=,.@-]*$" + } + }, "com.amazonaws.macie2#__stringMin22Max22PatternAZ0922": { "type": "string", "traits": {