AWS::Macie::CustomDataIdentifier - AWS CloudFormation
The AWS::Macie::CustomDataIdentifier resource specifies a custom data identifier. A custom data identifier is a set of custom criteria for Amazon Macie to use when it inspects data sources for sensitive data. The criteria consist of a regular expression (regex) that defines a text pattern to match and, optionally, character sequences and a proximity rule that refine the results. The character sequences can be:
- Keywords, which are words or phrases that must be in proximity of text that matches the regex, or
- Ignore words, which are words or phrases to exclude from the results.
By using custom data identifiers, you can supplement the managed data identifiers that Macie provides and detect sensitive data that reflects your particular scenarios, intellectual property, or proprietary data. For more information, see Building custom data identifiers in the Amazon Macie User Guide.
An AWS::Macie::Session resource must exist for an AWS account before you can create an AWS::Macie::CustomDataIdentifier resource for the account. Use a DependsOn attribute to ensure that an AWS::Macie::Session resource is created before other Macie resources are created for an account. For example, "DependsOn": "Session".
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::Macie::CustomDataIdentifier",
  "Properties" : {
    "Description" : String,
    "IgnoreWords" : [ String, ... ],
    "Keywords" : [ String, ... ],
    "MaximumMatchDistance" : Integer,
    "Name" : String,
    "Regex" : String,
    "Tags" : [ Tag, ... ]
  }
}
YAML
Type: AWS::Macie::CustomDataIdentifier
Properties:
  Description: String
  IgnoreWords:
    - String
  Keywords:
    - String
  MaximumMatchDistance: Integer
  Name: String
  Regex: String
  Tags:
    - Tag
Properties
Description
A custom description of the custom data identifier. The description can contain 1-512 characters.
Avoid including sensitive data in the description. Users of the account might be able to see the description, depending on the actions that they're allowed to perform in Amazon Macie.
Required: No
Type: String
Update requires: Replacement
IgnoreWords
An array of character sequences (ignore words) to exclude from the results. If text matches the regular expression (Regex) but it contains a string in this array, Amazon Macie ignores the text and doesn't include it in the results.
The array can contain 1-10 ignore words. Each ignore word can contain 4-90 UTF-8 characters. Ignore words are case sensitive.
Required: No
Type: Array of String
Update requires: Replacement
Keywords
An array of character sequences (keywords), one of which must precede and be in proximity (MaximumMatchDistance) of the regular expression (Regex) to match.
The array can contain 1-50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.
Required: No
Type: Array of String
Update requires: Replacement
MaximumMatchDistance
The maximum number of characters that can exist between the end of at least one complete character sequence specified by the Keywords array and the end of text that matches the regular expression (Regex). If a complete keyword precedes all the text that matches the regular expression and the keyword is within the specified distance, Amazon Macie includes the result.
The distance can be 1-300 characters. The default value is 50.
Required: No
Type: Integer
Update requires: Replacement
Name
A custom name for the custom data identifier. The name can contain 1-128 characters.
Avoid including sensitive data in the name of a custom data identifier. Users of the account might be able to see the name, depending on the actions that they're allowed to perform in Amazon Macie.
Required: Yes
Type: String
Update requires: Replacement
Regex
The regular expression (regex) that defines the text pattern to match. The expression can contain 1-512 characters.
Required: Yes
Type: String
Update requires: Replacement
Tags
An array of key-value pairs to apply to the custom data identifier.
For more information, see Resource tag.
Required: No
Type: Array of Tag
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the CustomDataIdentifier. For example, { "Ref": "CustomDataIdentifier" }.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn
The Amazon Resource Name (ARN) of the custom data identifier.
Id
The unique identifier for the custom data identifier.
Examples
The following example demonstrates how to declare an AWS::Macie::CustomDataIdentifier resource.
Creating a custom data identifier
This example creates a custom data identifier that detects six-digit character sequences that are in proximity of certain keywords, as specified by the Keywords array. If a match is a sample value, as specified by the IgnoreWords array, Amazon Macie excludes that match from the results.
JSON
{
  "Type": "AWS::Macie::CustomDataIdentifier",
  "DependsOn": "Session",
  "Properties": {
    "Description": "My custom data identifier",
    "IgnoreWords": [
      "000000",
      "123456"
    ],
    "Keywords": [
      "employeeID",
      "employee ID"
    ],
    "MaximumMatchDistance": 20,
    "Name": "EmployeeIDCustomDataIdentifier",
    "Regex": "\\d{6}",
    "Tags": [
      {
        "Key": "Stack",
        "Value": "Production"
      }
    ]
  }
}
YAML
Type: 'AWS::Macie::CustomDataIdentifier'
DependsOn: Session
Properties:
  Description: My custom data identifier
  IgnoreWords:
    - '000000'
    - '123456'
  Keywords:
    - 'employeeID'
    - 'employee ID'
  MaximumMatchDistance: 20
  Name: EmployeeIDCustomDataIdentifier
  # A single-quoted YAML scalar keeps backslashes literally, so one
  # backslash produces the same regex as "\\d{6}" in the JSON version.
  Regex: '\d{6}'
  Tags:
    - Key: Stack
      Value: Production