Retrieves (queries) statistical data and other information about one or more S3 buckets that Amazon Macie monitors and analyzes for an account.
See also: AWS API Documentation
describe-buckets
is a paginated operation. Multiple API calls may be issued in order to retrieve the entire data set of results. You can disable pagination by providing the --no-paginate
argument.
When using --output text
and the --query
argument on a paginated response, the --query
argument must extract data from the results of the following query expressions: buckets
describe-buckets
[--criteria <value>]
[--sort-criteria <value>]
[--cli-input-json | --cli-input-yaml]
[--starting-token <value>]
[--page-size <value>]
[--max-items <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]
--criteria
(map)
The criteria to use to filter the query results.
key -> (string)
value -> (structure)
Specifies the operator to use in a property-based condition that filters the results of a query for information about S3 buckets.
eq -> (list)
The value for the property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
(string)
gt -> (long)
The value for the property is greater than the specified value.
gte -> (long)
The value for the property is greater than or equal to the specified value.
lt -> (long)
The value for the property is less than the specified value.
lte -> (long)
The value for the property is less than or equal to the specified value.
neq -> (list)
The value for the property doesn’t match (doesn’t equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
(string)
prefix -> (string)
The name of the bucket begins with the specified value.
Shorthand Syntax:
KeyName1=eq=string,string,gt=long,gte=long,lt=long,lte=long,neq=string,string,prefix=string,KeyName2=eq=string,string,gt=long,gte=long,lt=long,lte=long,neq=string,string,prefix=string
JSON Syntax:
{"string": {
"eq": ["string", ...],
"gt": long,
"gte": long,
"lt": long,
"lte": long,
"neq": ["string", ...],
"prefix": "string"
}
...}
--sort-criteria
(structure)
The criteria to use to sort the query results.
attributeName -> (string)
The name of the bucket property to sort the results by. This value can be one of the following properties that Amazon Macie defines as bucket metadata: accountId, bucketName, classifiableObjectCount, classifiableSizeInBytes, objectCount, sensitivityScore, or sizeInBytes.
orderBy -> (string)
The sort order to apply to the results, based on the value specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
Shorthand Syntax:
attributeName=string,orderBy=string
JSON Syntax:
{
"attributeName": "string",
"orderBy": "ASC"|"DESC"
}
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--starting-token
(string)
A token to specify where to start paginating. This is the
NextToken
from a previously truncated response.For usage examples, see Pagination in the AWS Command Line Interface User Guide .
--page-size
(integer)
The size of each page to get in the AWS service call. This does not affect the number of items returned in the command’s output. Setting a smaller page size results in more calls to the AWS service, retrieving fewer items in each call. This can help prevent the AWS service calls from timing out.
For usage examples, see Pagination in the AWS Command Line Interface User Guide .
--max-items
(integer)
The total number of items to return in the command’s output. If the total number of items available is more than the value specified, a
NextToken
is provided in the command’s output. To resume pagination, provide theNextToken
value in thestarting-token
argument of a subsequent command. Do not use theNextToken
response element directly outside of the AWS CLI.For usage examples, see Pagination in the AWS Command Line Interface User Guide .
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.
--debug
(boolean)
Turn on debug logging.
--endpoint-url
(string)
Override command’s default URL with the given URL.
--no-verify-ssl
(boolean)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-paginate
(boolean)
Disable automatic pagination.
--output
(string)
The formatting style for command output.
json
text
table
yaml
yaml-stream
--query
(string)
A JMESPath query to use in filtering the response data.
--profile
(string)
Use a specific profile from your credential file.
--region
(string)
The region to use. Overrides config/env settings.
--version
(string)
Display the version of this tool.
--color
(string)
Turn on/off color output.
on
off
auto
--no-sign-request
(boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
--ca-bundle
(string)
The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.
--cli-read-timeout
(int)
The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.
--cli-connect-timeout
(int)
The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.
--cli-binary-format
(string)
The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb://
will always be treated as binary and use the file contents directly regardless of the cli-binary-format
setting. When using file://
the file contents will need to properly formatted for the configured cli-binary-format
.
base64
raw-in-base64-out
--no-cli-pager
(boolean)
Disable cli pager for output.
--cli-auto-prompt
(boolean)
Automatically prompt for CLI input parameters.
--no-cli-auto-prompt
(boolean)
Disable automatically prompt for CLI input parameters.
buckets -> (list)
An array of objects, one for each bucket that matches the filter criteria specified in the request.
(structure)
Provides statistical data and other information about an S3 bucket that Amazon Macie monitors and analyzes for your account. If an error occurs when Macie attempts to retrieve and process metadata from Amazon S3 for the bucket and the bucket’s objects, the value for the versioning property is false and the value for most other properties is null. Key exceptions are accountId, bucketArn, bucketCreatedAt, bucketName, lastUpdated, and region. To identify the cause of the error, refer to the errorCode and errorMessage values.
accountId -> (string)
The unique identifier for the Amazon Web Services account that owns the bucket.
allowsUnencryptedObjectUploads -> (string)
Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are uploaded to the bucket. Possible values are:
FALSE - The bucket policy requires server-side encryption of new objects. PutObject requests must include a valid server-side encryption header.
TRUE - The bucket doesn’t have a bucket policy or it has a bucket policy that doesn’t require server-side encryption of new objects. If a bucket policy exists, it doesn’t require PutObject requests to include a valid server-side encryption header.
UNKNOWN - Amazon Macie can’t determine whether the bucket policy requires server-side encryption of new objects.
Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.
bucketArn -> (string)
The Amazon Resource Name (ARN) of the bucket.
bucketCreatedAt -> (timestamp)
The date and time, in UTC and extended ISO 8601 format, when the bucket was created, or changes such as edits to the bucket’s policy were most recently made to the bucket.
bucketName -> (string)
The name of the bucket.
classifiableObjectCount -> (long)
The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
classifiableSizeInBytes -> (long)
The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn’t reflect the storage size of all versions of each applicable object in the bucket.
errorCode -> (string)
Specifies the error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket’s objects. If this value is ACCESS_DENIED, Macie doesn’t have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.
errorMessage -> (string)
A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket’s objects. This value is null if Macie was able to retrieve and process the information.
jobDetails -> (structure)
Specifies whether any one-time or recurring classification jobs are configured to analyze data in the bucket, and, if so, the details of the job that ran most recently.
isDefinedInJob -> (string)
Specifies whether any one-time or recurring jobs are configured to analyze data in the bucket. Possible values are:
TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more jobs and at least one of those jobs has a status other than CANCELLED. Or the bucket matched the bucket criteria (S3BucketCriteriaForJob) for at least one job that previously ran.
FALSE - The bucket isn’t explicitly included in the bucket definition (S3BucketDefinitionForJob) for any jobs, all the jobs that explicitly include the bucket in their bucket definitions have a status of CANCELLED, or the bucket didn’t match the bucket criteria (S3BucketCriteriaForJob) for any jobs that previously ran.
UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.
isMonitoredByJob -> (string)
Specifies whether any recurring jobs are configured to analyze data in the bucket. Possible values are:
TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more recurring jobs or the bucket matches the bucket criteria (S3BucketCriteriaForJob) for one or more recurring jobs. At least one of those jobs has a status other than CANCELLED.
FALSE - The bucket isn’t explicitly included in the bucket definition (S3BucketDefinitionForJob) for any recurring jobs, the bucket doesn’t match the bucket criteria (S3BucketCriteriaForJob) for any recurring jobs, or all the recurring jobs that are configured to analyze data in the bucket have a status of CANCELLED.
UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.
lastJobId -> (string)
The unique identifier for the job that ran most recently and is configured to analyze data in the bucket, either the latest run of a recurring job or the only run of a one-time job.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastJobRunTime -> (timestamp)
The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
lastAutomatedDiscoveryTime -> (timestamp)
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently performed automated sensitive data discovery for the bucket. This value is null if automated sensitive data discovery is currently disabled for your account.
lastUpdated -> (timestamp)
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved both bucket and object metadata from Amazon S3 for the bucket.
objectCount -> (long)
The total number of objects in the bucket.
objectCountByEncryptionType -> (structure)
The total number of objects that are in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren’t encrypted or use client-side encryption.
customerManaged -> (long)
The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).
kmsManaged -> (long)
The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).
s3Managed -> (long)
The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).
unencrypted -> (long)
The total number of objects that aren’t encrypted or use client-side encryption.
unknown -> (long)
The total number of objects that Amazon Macie doesn’t have current encryption metadata for. Macie can’t provide current data about the encryption settings for these objects.
publicAccess -> (structure)
Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket, and provides information about those settings.
effectivePermission -> (string)
Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket. Possible values are:
NOT_PUBLIC - The bucket isn’t publicly accessible.
PUBLIC - The bucket is publicly accessible.
UNKNOWN - Amazon Macie can’t determine whether the bucket is publicly accessible.
permissionConfiguration -> (structure)
The account-level and bucket-level permissions settings for the bucket.
accountLevelPermissions -> (structure)
The account-level permissions settings that apply to the bucket.
blockPublicAccess -> (structure)
The block public access settings for the Amazon Web Services account that owns the bucket.
blockPublicAcls -> (boolean)
Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.
blockPublicPolicy -> (boolean)
Specifies whether Amazon S3 blocks public bucket policies for the bucket.
ignorePublicAcls -> (boolean)
Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.
restrictPublicBuckets -> (boolean)
Specifies whether Amazon S3 restricts public bucket policies for the bucket.
bucketLevelPermissions -> (structure)
The bucket-level permissions settings for the bucket.
accessControlList -> (structure)
The permissions settings of the access control list (ACL) for the bucket. This value is null if an ACL hasn’t been defined for the bucket.
allowsPublicReadAccess -> (boolean)
Specifies whether the ACL grants the general public with read access permissions for the bucket.
allowsPublicWriteAccess -> (boolean)
Specifies whether the ACL grants the general public with write access permissions for the bucket.
blockPublicAccess -> (structure)
The block public access settings for the bucket.
blockPublicAcls -> (boolean)
Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.
blockPublicPolicy -> (boolean)
Specifies whether Amazon S3 blocks public bucket policies for the bucket.
ignorePublicAcls -> (boolean)
Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.
restrictPublicBuckets -> (boolean)
Specifies whether Amazon S3 restricts public bucket policies for the bucket.
bucketPolicy -> (structure)
The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn’t been defined for the bucket.
allowsPublicReadAccess -> (boolean)
Specifies whether the bucket policy allows the general public to have read access to the bucket.
allowsPublicWriteAccess -> (boolean)
Specifies whether the bucket policy allows the general public to have write access to the bucket.
region -> (string)
The Amazon Web Services Region that hosts the bucket.
replicationDetails -> (structure)
Specifies whether the bucket is configured to replicate one or more objects to buckets for other Amazon Web Services accounts and, if so, which accounts.
replicated -> (boolean)
Specifies whether the bucket is configured to replicate one or more objects to any destination.
replicatedExternally -> (boolean)
Specifies whether the bucket is configured to replicate one or more objects to an Amazon Web Services account that isn’t part of the same Amazon Macie organization.
replicationAccounts -> (list)
An array of Amazon Web Services account IDs, one for each Amazon Web Services account that the bucket is configured to replicate one or more objects to.
(string)
sensitivityScore -> (integer)
The sensitivity score for the bucket, ranging from -1 (no analysis due to an error) to 100 (sensitive). This value is null if automated sensitive data discovery is currently disabled for your account.
serverSideEncryption -> (structure)
Specifies whether the bucket encrypts new objects by default and, if so, the type of server-side encryption that’s used.
kmsMasterKeyId -> (string)
The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that’s used by default to encrypt objects that are added to the bucket. This value is null if the bucket uses an Amazon S3 managed key to encrypt new objects or the bucket doesn’t encrypt new objects by default.
type -> (string)
The type of server-side encryption that’s used by default when storing new objects in the bucket. Possible values are:
AES256 - New objects are encrypted with an Amazon S3 managed key. They use SSE-S3 encryption.
aws:kms - New objects are encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key. They use SSE-KMS encryption.
NONE - New objects aren’t encrypted by default. Default encryption is disabled for the bucket.
sharedAccess -> (string)
Specifies whether the bucket is shared with another Amazon Web Services account. Possible values are:
EXTERNAL - The bucket is shared with an Amazon Web Services account that isn’t part of the same Amazon Macie organization.
INTERNAL - The bucket is shared with an Amazon Web Services account that’s part of the same Amazon Macie organization.
NOT_SHARED - The bucket isn’t shared with other Amazon Web Services accounts.
UNKNOWN - Amazon Macie wasn’t able to evaluate the shared access settings for the bucket.
sizeInBytes -> (long)
The total storage size, in bytes, of the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn’t reflect the storage size of all versions of each object in the bucket.
sizeInBytesCompressed -> (long)
The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn’t reflect the storage size of all versions of each applicable object in the bucket.
tags -> (list)
An array that specifies the tags (keys and values) that are associated with the bucket.
(structure)
Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.
key -> (string)
One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values.
value -> (string)
One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string.
unclassifiableObjectCount -> (structure)
The total number of objects that Amazon Macie can’t analyze in the bucket. These objects don’t use a supported storage class or don’t have a file name extension for a supported file or storage format.
fileType -> (long)
The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects don’t have a file name extension for a supported file or storage format.
storageClass -> (long)
The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects use an unsupported storage class.
total -> (long)
The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects use an unsupported storage class or don’t have a file name extension for a supported file or storage format.
unclassifiableObjectSizeInBytes -> (structure)
The total storage size, in bytes, of the objects that Amazon Macie can’t analyze in the bucket. These objects don’t use a supported storage class or don’t have a file name extension for a supported file or storage format.
fileType -> (long)
The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects don’t have a file name extension for a supported file or storage format.
storageClass -> (long)
The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects use an unsupported storage class.
total -> (long)
The total storage size (in bytes) or number of objects that Amazon Macie can’t analyze because the objects use an unsupported storage class or don’t have a file name extension for a supported file or storage format.
versioning -> (boolean)
Specifies whether versioning is enabled for the bucket.
nextToken -> (string)
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.