feat(client-macie2): This release adds support for analyzing Amazon S3 objects that are encrypted using dual-layer server-side encryption with AWS KMS keys (DSSE-KMS). It also adds support for reporting DSSE-KMS details in statistics and metadata about encryption settings for S3 buckets and objects.

awstools · awstools · commit cb180847e658 · 2024-01-16T19:18:31.000Z
diff --git a/clients/client-macie2/src/commands/DescribeBucketsCommand.ts b/clients/client-macie2/src/commands/DescribeBucketsCommand.ts
@@ -128,7 +128,7 @@ export interface DescribeBucketsCommandOutput extends DescribeBucketsResponse, _
  * //       sensitivityScore: Number("int"),
  * //       serverSideEncryption: { // BucketServerSideEncryption
  * //         kmsMasterKeyId: "STRING_VALUE",
- * //         type: "NONE" || "AES256" || "aws:kms",
+ * //         type: "NONE" || "AES256" || "aws:kms" || "aws:kms:dsse",
  * //       },
  * //       sharedAccess: "EXTERNAL" || "INTERNAL" || "NOT_SHARED" || "UNKNOWN",
  * //       sizeInBytes: Number("long"),
diff --git a/clients/client-macie2/src/commands/GetFindingsCommand.ts b/clients/client-macie2/src/commands/GetFindingsCommand.ts
@@ -274,7 +274,7 @@ export interface GetFindingsCommandOutput extends GetFindingsResponse, __Metadat
  * //           arn: "STRING_VALUE",
  * //           createdAt: new Date("TIMESTAMP"),
  * //           defaultServerSideEncryption: { // ServerSideEncryption
- * //             encryptionType: "NONE" || "AES256" || "aws:kms" || "UNKNOWN",
+ * //             encryptionType: "NONE" || "AES256" || "aws:kms" || "UNKNOWN" || "aws:kms:dsse",
  * //             kmsMasterKeyId: "STRING_VALUE",
  * //           },
  * //           name: "STRING_VALUE",
@@ -327,7 +327,7 @@ export interface GetFindingsCommandOutput extends GetFindingsResponse, __Metadat
  * //           path: "STRING_VALUE",
  * //           publicAccess: true || false,
  * //           serverSideEncryption: {
- * //             encryptionType: "NONE" || "AES256" || "aws:kms" || "UNKNOWN",
+ * //             encryptionType: "NONE" || "AES256" || "aws:kms" || "UNKNOWN" || "aws:kms:dsse",
  * //             kmsMasterKeyId: "STRING_VALUE",
  * //           },
  * //           size: Number("long"),
diff --git a/clients/client-macie2/src/models/models_0.ts b/clients/client-macie2/src/models/models_0.ts
@@ -215,19 +215,19 @@ export interface JobDetails {
 export interface ObjectCountByEncryptionType {
   /**
    * @public
-   * <p>The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).</p>
+   * <p>The total number of objects that are encrypted with customer-provided keys. The objects use server-side encryption with customer-provided keys (SSE-C).</p>
    */
   customerManaged?: number;
 
   /**
    * @public
-   * <p>The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).</p>
+   * <p>The total number of objects that are encrypted with KMS keys, either Amazon Web Services managed keys or customer managed keys. The objects use dual-layer server-side encryption or server-side encryption with KMS keys (DSSE-KMS or SSE-KMS).</p>
    */
   kmsManaged?: number;
 
   /**
    * @public
-   * <p>The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).</p>
+   * <p>The total number of objects that are encrypted with Amazon S3 managed keys. The objects use server-side encryption with Amazon S3 managed keys (SSE-S3).</p>
    */
   s3Managed?: number;
 
@@ -429,6 +429,7 @@ export const Type = {
   AES256: "AES256",
   NONE: "NONE",
   aws_kms: "aws:kms",
+  aws_kms_dsse: "aws:kms:dsse",
 } as const;
 
 /**
@@ -449,7 +450,7 @@ export interface BucketServerSideEncryption {
 
   /**
    * @public
-   * <p>The server-side encryption algorithm that's used by default to encrypt objects that are added to the bucket. Possible values are:</p> <ul><li><p>AES256 - New objects are encrypted with an Amazon S3 managed key. They use SSE-S3 encryption.</p></li> <li><p>aws:kms - New objects are encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key. They use SSE-KMS encryption.</p></li> <li><p>NONE - The bucket's default encryption settings don't specify server-side encryption behavior for new objects.</p></li></ul>
+   * <p>The server-side encryption algorithm that's used by default to encrypt objects that are added to the bucket. Possible values are:</p> <ul><li><p>AES256 - New objects use SSE-S3 encryption. They're encrypted with an Amazon S3 managed key.</p></li> <li><p>aws:kms - New objects use SSE-KMS encryption. They're encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key.</p></li> <li><p>aws:kms:dsse - New objects use DSSE-KMS encryption. They're encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key.</p></li> <li><p>NONE - The bucket's default encryption settings don't specify server-side encryption behavior for new objects.</p></li></ul>
    */
   type?: Type;
 }
@@ -1810,6 +1811,7 @@ export const EncryptionType = {
   NONE: "NONE",
   UNKNOWN: "UNKNOWN",
   aws_kms: "aws:kms",
+  aws_kms_dsse: "aws:kms:dsse",
 } as const;
 
 /**
@@ -3642,7 +3644,7 @@ export interface BucketCountByEffectivePermission {
 export interface BucketCountByEncryptionType {
   /**
    * @public
-   * <p>The total number of buckets whose default encryption settings are configured to encrypt new objects with an Amazon Web Services managed KMS key or a customer managed KMS key. By default, these buckets encrypt new objects automatically using SSE-KMS encryption.</p>
+   * <p>The total number of buckets whose default encryption settings are configured to encrypt new objects with an KMS key, either an Amazon Web Services managed key or a customer managed key. By default, these buckets encrypt new objects automatically using DSSE-KMS or SSE-KMS encryption.</p>
    */
   kmsManaged?: number;
 
@@ -5897,7 +5899,7 @@ export interface RevealConfiguration {
 
   /**
    * @public
-   * <p>The status of the configuration for the Amazon Macie account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account.</p>
+   * <p>The status of the configuration for the Amazon Macie account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account.</p> <important><p>If you disable the configuration, you also permanently delete current settings that specify how to access affected S3 objects. If your current access method is ASSUME_ROLE, Macie also deletes the external ID and role name currently specified for the configuration. These settings can't be recovered after they're deleted.</p></important>
    */
   status: RevealStatus | undefined;
 }
@@ -5923,13 +5925,13 @@ export type RetrievalMode = (typeof RetrievalMode)[keyof typeof RetrievalMode];
 export interface RetrievalConfiguration {
   /**
    * @public
-   * <p>The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). The trust policy must include an sts:ExternalId condition that requires this ID.</p> <p>This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume a role. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.</p>
+   * <p>The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). This value is null if the value for retrievalMode is CALLER_CREDENTIALS.</p> <p>This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume an IAM role. For a Macie administrator to retrieve sensitive data from an affected S3 object for a member account, the trust policy for the role in the member account must include an sts:ExternalId condition that requires this ID.</p>
    */
   externalId?: string;
 
   /**
    * @public
-   * <p>The access method that's used when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie (roleName); and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data.</p>
+   * <p>The access method that's used to retrieve sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie (roleName); and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data.</p>
    */
   retrievalMode: RetrievalMode | undefined;
 
@@ -6049,7 +6051,7 @@ export interface GetSensitiveDataOccurrencesAvailabilityResponse {
 
   /**
    * @public
-   * <p>Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:</p> <ul><li><p>ACCOUNT_NOT_IN_ORGANIZATION - The affected account isn't currently part of your organization. Or the account is part of your organization but Macie isn't currently enabled for the account. You're not allowed to access the affected S3 object by using Macie.</p></li> <li><p>INVALID_CLASSIFICATION_RESULT - There isn't a corresponding sensitive data discovery result for the finding. Or the corresponding sensitive data discovery result isn't available, is malformed or corrupted, or uses an unsupported storage format. Macie can't verify the location of the sensitive data to retrieve.</p></li> <li><p>INVALID_RESULT_SIGNATURE - The corresponding sensitive data discovery result is stored in an S3 object that wasn't signed by Macie. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.</p></li> <li><p>MEMBER_ROLE_TOO_PERMISSIVE - The affected member account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Or the role's trust policy doesn't specify the correct external ID. Macie can't assume the role to retrieve the sensitive data.</p></li> <li><p>MISSING_GET_MEMBER_PERMISSION - You're not allowed to retrieve information about the association between your account and the affected account. Macie can't determine whether you’re allowed to access the affected S3 object as the delegated Macie administrator for the affected account.</p></li> <li><p>OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data from this type of file.</p></li> <li><p>OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object was renamed, moved, or deleted. Or the object was changed after Macie created the finding.</p></li> <li><p>RESULT_NOT_SIGNED - The corresponding sensitive data discovery result is stored in an S3 object that hasn't been signed. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.</p></li> <li><p>ROLE_TOO_PERMISSIVE - Your account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Macie can’t assume the role to retrieve the sensitive data.</p></li> <li><p>UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.</p></li> <li><p>UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.</p></li></ul> <p>This value is null if sensitive data can be retrieved for the finding.</p>
+   * <p>Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:</p> <ul><li><p>ACCOUNT_NOT_IN_ORGANIZATION - The affected account isn't currently part of your organization. Or the account is part of your organization but Macie isn't currently enabled for the account. You're not allowed to access the affected S3 object by using Macie.</p></li> <li><p>INVALID_CLASSIFICATION_RESULT - There isn't a corresponding sensitive data discovery result for the finding. Or the corresponding sensitive data discovery result isn't available in the current Amazon Web Services Region, is malformed or corrupted, or uses an unsupported storage format. Macie can't verify the location of the sensitive data to retrieve.</p></li> <li><p>INVALID_RESULT_SIGNATURE - The corresponding sensitive data discovery result is stored in an S3 object that wasn't signed by Macie. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.</p></li> <li><p>MEMBER_ROLE_TOO_PERMISSIVE - The trust or permissions policy for the IAM role in the affected member account doesn't meet Macie requirements for restricting access to the role. Or the role's trust policy doesn't specify the correct external ID for your organization. Macie can't assume the role to retrieve the sensitive data.</p></li> <li><p>MISSING_GET_MEMBER_PERMISSION - You're not allowed to retrieve information about the association between your account and the affected account. Macie can't determine whether you’re allowed to access the affected S3 object as the delegated Macie administrator for the affected account.</p></li> <li><p>OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data from this type of file.</p></li> <li><p>OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object was renamed, moved, deleted, or changed after Macie created the finding. Or the object is encrypted with an KMS key that's currently disabled.</p></li> <li><p>RESULT_NOT_SIGNED - The corresponding sensitive data discovery result is stored in an S3 object that hasn't been signed. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.</p></li> <li><p>ROLE_TOO_PERMISSIVE - Your account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Macie can’t assume the role to retrieve the sensitive data.</p></li> <li><p>UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.</p></li> <li><p>UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.</p></li></ul> <p>This value is null if sensitive data can be retrieved for the finding.</p>
    */
   reasons?: UnavailabilityReasonCode[];
 }
diff --git a/clients/client-macie2/src/models/models_1.ts b/clients/client-macie2/src/models/models_1.ts
@@ -880,7 +880,7 @@ export interface UpdateResourceProfileDetectionsResponse {}
 
 /**
  * @public
- * <p>Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume when retrieving the sensitive data, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see <a href="https://docs.aws.amazon.com/macie/latest/user/findings-retrieve-sd.html">Retrieving sensitive data samples with findings</a> in the <i>Amazon Macie User Guide</i>.</p>
+ * <p>Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see <a href="https://docs.aws.amazon.com/macie/latest/user/findings-retrieve-sd-options.html">Configuration options and requirements for retrieving sensitive data samples</a> in the <i>Amazon Macie User Guide</i>.</p>
  */
 export interface UpdateRetrievalConfiguration {
   /**
@@ -908,7 +908,7 @@ export interface UpdateRevealConfigurationRequest {
 
   /**
    * @public
-   * <p>The access method and settings to use to retrieve the sensitive data.</p>
+   * <p>The access method and settings to use when retrieving the sensitive data.</p>
    */
   retrievalConfiguration?: UpdateRetrievalConfiguration;
 }
@@ -925,7 +925,7 @@ export interface UpdateRevealConfigurationResponse {
 
   /**
    * @public
-   * <p>The access method and settings to use to retrieve the sensitive data.</p>
+   * <p>The access method and settings to use when retrieving the sensitive data.</p>
    */
   retrievalConfiguration?: RetrievalConfiguration;
 }
diff --git a/codegen/sdk-codegen/aws-models/macie2.json b/codegen/sdk-codegen/aws-models/macie2.json
