# Reviewing automated sensitive data discovery results
<a name="discovery-asdd-results-s3"></a>

If automated sensitive data discovery is enabled, Amazon Macie automatically generates and maintains additional inventory data, statistics, and other information about the Amazon Simple Storage Service (Amazon S3) general purpose buckets for your account. If you're the Macie administrator for an organization, by default this includes S3 buckets that your member accounts own.

The additional information captures the results of automated sensitive data discovery activities that Macie has performed thus far. It also supplements other information that Macie provides about your Amazon S3 data, such as public access and encryption settings for individual S3 buckets. In addition to metadata and statistics, Macie produces records of the sensitive data it finds and the analysis that it performs—*sensitive data findings* and *sensitive data discovery results*.

As automated sensitive data discovery progresses each day, the following features and data can help you review and evaluate the results:
+ [**Summary dashboard**](discovery-asdd-results-s3-dashboard.md) – Provides aggregated statistics for your Amazon S3 data estate. The statistics include data for key metrics such as the total number of buckets that Macie has found sensitive data in, and how many of those buckets are publicly accessible. They also report issues that affect coverage of your Amazon S3 data.
+ [**S3 buckets heat map**](discovery-asdd-results-s3-inventory-map.md) – Provides an interactive, visual representation of data sensitivity across your data estate, grouped by AWS account. For each account, the map includes aggregated sensitivity statistics and it uses colors to indicate the current sensitivity score for each bucket that the account owns. The map also uses symbols to help you identify buckets that are publicly accessible, can't be analyzed by Macie, and more.
+ [**S3 buckets table**](discovery-asdd-results-s3-inventory-table.md) – Provides summary information for each S3 bucket in your inventory. For each bucket, the table includes data such as the bucket's current sensitivity score, the number of objects that Macie can analyze in the bucket, and whether you configured any sensitive data discovery jobs to periodically analyze objects in the bucket. You can export data from the table to a comma-separated values (CSV) file.
+ [**S3 bucket details**](discovery-asdd-results-s3-inventory-details.md) – Provides detailed statistics and information about an S3 bucket. The details include a list of objects that Macie has analyzed in the bucket, and a breakdown of the types and number of occurrences of sensitive data that Macie has found in the bucket. These are in addition to details about settings that affect the security and privacy of the bucket’s data.
+ [**Sensitive data findings**](discovery-asdd-results-s3-findings.md) – Provide detailed reports of sensitive data that Macie found in individual S3 objects. The details include when Macie found the sensitive data, and the types and number of occurrences of the sensitive data that Macie found. The details also include information about the affected S3 bucket and object, including the bucket's public access settings and when the object was most recently changed.
+ [**Sensitive data discovery results**](discovery-asdd-results-s3-sddrs.md) – Provide records of the analysis that Macie performed for individual S3 objects. This includes objects that Macie doesn't find sensitive data in, and objects that Macie can't analyze due to issues or errors. If Macie finds sensitive data in an object, the sensitive data discovery result provides information about the sensitive data that Macie found.

With this data, you can evaluate data sensitivity across your Amazon S3 data estate and drill down to evaluate and investigate individual S3 buckets and objects. Combined with information that Macie provides about the security and privacy of your Amazon S3 data, you can also identify cases where immediate remediation might be necessary—for example, a publicly accessible bucket that Macie found sensitive data in.

Additional data can help you assess and monitor coverage of your Amazon S3 data. With coverage data, you can check the status of the analyses for your data estate overall and individual S3 buckets within it. You can also identify issues that prevented Macie from analyzing objects in specific buckets. If you remediate the issues, you can increase coverage of your Amazon S3 data during subsequent analysis cycles. For more information, see [Assessing automated sensitive data discovery coverage](discovery-coverage.md).

**Topics**
+ [Reviewing data sensitivity statistics on the Summary dashboard](discovery-asdd-results-s3-dashboard.md)
+ [Visualizing data sensitivity with the S3 buckets map](discovery-asdd-results-s3-inventory-map.md)
+ [Assessing data sensitivity with the S3 buckets table](discovery-asdd-results-s3-inventory-table.md)
+ [Reviewing data sensitivity details for S3 buckets](discovery-asdd-results-s3-inventory-details.md)
+ [Analyzing findings from automated sensitive data discovery](discovery-asdd-results-s3-findings.md)
+ [Accessing discovery results from automated sensitive data discovery](discovery-asdd-results-s3-sddrs.md)

# Reviewing data sensitivity statistics on the Summary dashboard
<a name="discovery-asdd-results-s3-dashboard"></a>

On the Amazon Macie console, the **Summary** dashboard provides a snapshot of aggregated statistics and findings data for your Amazon Simple Storage Service (Amazon S3) data in the current AWS Region. It's designed to help you assess the overall security posture of your Amazon S3 data.

Dashboard statistics include data for key security metrics such as the number of S3 general purpose buckets that are publicly accessible or shared with other AWS accounts. The dashboard also displays groups of aggregated findings data for your account—for example, the buckets that generated the most findings during the preceding seven days. If you're the Macie administrator for an organization, the dashboard provides aggregated statistics and data for all the accounts in your organization. You can optionally filter the data by account.

If automated sensitive data discovery is enabled, the **Summary** dashboard includes additional statistics. The statistics capture the status and results of automated discovery activities that Macie has performed thus far for your Amazon S3 data. The following image shows an example of these statistics. 

![\[Sensitive data discovery statistics on the Summary dashboard. Each statistic has example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-sensitivity.png)


The statistics are organized primarily into two sections, **Automated discovery** and **Coverage issues**. Statistics in the **Automated discovery** section provide a snapshot of the current status and results of automated sensitive data discovery activities. Statistics in the **Coverage issues** section indicate whether issues prevented Macie from analyzing objects in individual S3 buckets. The statistics don't include data for sensitive data discovery jobs that you create and run. However, remediating coverage issues for automated sensitive data discovery is likely to also increase coverage by jobs that you subsequently run.

**Topics**
+ [Displaying the dashboard](#discovery-asdd-results-s3-dashboard-view)
+ [Understanding statistics on the dashboard](#discovery-asdd-results-s3-dashboard-statistics)

## Displaying the Summary dashboard
<a name="discovery-asdd-results-s3-dashboard-view"></a>

Follow these steps to display the **Summary** dashboard on the Amazon Macie console. To query the statistics programmatically, use the [GetBucketStatistics](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3-statistics.html) operation of the Amazon Macie API.

**To display the Summary dashboard**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **Summary**. Macie displays the **Summary** dashboard.

1. To drill down and review the supporting data for an item on the dashboard, choose the item.

If you're the Macie administrator for an organization, the dashboard displays aggregated statistics and data for your account and member accounts in your organization. To display data for only a particular account, enter the account's ID in the **Account** box above the dashboard.

## Understanding sensitive data discovery statistics on the Summary dashboard
<a name="discovery-asdd-results-s3-dashboard-statistics"></a>

The **Summary** dashboard includes aggregated statistics that can help you monitor automated sensitive data discovery for your Amazon S3 data. It provides a snapshot of the current status and results of the analyses for your Amazon S3 data in the current AWS Region. For example, you can use dashboard statistics to quickly determine how many S3 buckets Amazon Macie has found sensitive data in, and how many of those buckets are publicly accessible. You can also assess coverage of your Amazon S3 data. Coverage statistics can help you identify issues that prevent Macie from analyzing objects in individual S3 buckets. 

On the dashboard, statistics for automated sensitive data discovery are organized into the following sections:
+ [Storage and sensitive data discovery](#discovery-asdd-results-s3-dashboard-storage-statistics)
+ [Automated discovery](#discovery-asdd-results-s3-dashboard-sensitivity-statistics)
+ [Coverage issues](#discovery-asdd-results-s3-dashboard-coverage-statistics)

Individual statistics in each section are as follows. For information about statistics in other sections of the dashboard, see [Understanding components of the Summary dashboard](monitoring-s3-dashboard.md#monitoring-s3-dashboard-components-main).

### Storage and sensitive data discovery
<a name="discovery-asdd-results-s3-dashboard-storage-statistics"></a>

At the top of the dashboard, statistics indicate how much data you store in Amazon S3, and how much of that data Amazon Macie can analyze to detect sensitive data. The following image shows an example of these statistics for an organization with seven accounts.

![\[The Storage and sensitive data discovery section of the dashboard. Each field contains example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-storage.png)


Individual statistics in this section are:
+ **Total accounts** – This field appears if you're the Macie administrator for an organization or you have a standalone Macie account. It indicates the total number of AWS accounts that own buckets in your bucket inventory. If you're a Macie administrator, this is the total number of Macie accounts that you manage for your organization. If you have a standalone Macie account, this value is *1*.
+ **Total S3 buckets** – This field appears if you have a member account in an organization. It indicates the total number of general purpose buckets in your inventory, including buckets that don't store any objects.
+ **Storage** – These statistics provide information about the storage size of objects in your bucket inventory:
  + **Classifiable** – The total storage size of all the objects that Macie can analyze in the buckets.
  + **Total** – The total storage size of all the objects in the buckets, including objects that Macie can’t analyze.

  If any of the objects are compressed files, these values don’t reflect the actual size of those files after they’re decompressed. If versioning is enabled for any of the buckets, these values are based on the storage size of the latest version of each object in those buckets.
+ **Objects** – These statistics provide information about the number of objects in your bucket inventory:
  + **Classifiable** – The total number of objects that Macie can analyze in the buckets.
  + **Total** – The total number of objects in the buckets, including objects that Macie can’t analyze.

In the preceding statistics, data and objects are *classifiable* if they use a supported Amazon S3 storage class and they have a file name extension for a supported file or storage format. You can detect sensitive data in the objects by using Macie. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).

Note that **Storage** and **Objects** statistics don't include data about objects in buckets that Macie isn't allowed to access. To identify buckets where this is the case, choose the **Access denied** statistic in the **Coverage issues** section of the dashboard.

### Automated discovery
<a name="discovery-asdd-results-s3-dashboard-sensitivity-statistics"></a>

This section captures the status and results of automated sensitive data discovery activities that Amazon Macie has performed thus far for your Amazon S3 data. The following image shows an example of the statistics that this section provides.

![\[The Automated discovery section of the dashboard. A chart and related fields contain example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-asdd.png)


Individual statistics in this section are as follows.

**Total buckets**  
The doughnut chart indicates the total number of buckets in your bucket inventory. The chart groups the buckets into categories based on each bucket's current sensitivity score:  
+ **Sensitive** (*red*) – The total number of buckets whose sensitivity score ranges from *51* through *100*.
+ **Not sensitive** (*blue*) – The total number of buckets whose sensitivity score ranges from *1* through *49*.
+ **Not yet analyzed** (*light gray*) – The total number of buckets whose sensitivity score is *50*.
+ **Classification error** (*dark gray*) – The total number of buckets whose sensitivity score is *-1*.
For details about the range of sensitivity scores and labels that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).  
To review additional statistics for a group, hover over the group:  
+ **Buckets** – The total number of buckets.
+ **Publicly accessible** – The total number of buckets that allow the general public to have read or write access to the bucket.
+ **Classifiable bytes** – The total storage size of all the objects that Macie can analyze in the buckets. These objects use supported Amazon S3 storage classes and they have file name extensions for supported file or storage formats. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).
+ **Total bytes** – The total storage size of all the buckets.
In the preceding statistics, storage size values are based on the storage size of the latest version of each object in the buckets. If any of the objects are compressed files, these values don’t reflect the actual size of those files after they’re decompressed.

**Sensitive**  
This area indicates the total number of buckets that currently have a sensitivity score ranging from *51* through *100*. Within this group, **Publicly accessible** indicates the total number of buckets that also allow the general public to have read or write access to the bucket.

**Not sensitive**  
This area indicates the total number of buckets that currently have a sensitivity score ranging from *1* through *49*. Within this group, **Publicly accessible** indicates the total number of buckets that also allow the general public to have read or write access to the bucket.

To determine and calculate values for **Publicly accessible** statistics, Macie analyzes a combination of account- and bucket-level settings for each bucket, such as the block public access settings for the account and bucket, and the bucket policy for the bucket. Macie does this for up to 10,000 buckets for an account. For more information, see [How Macie monitors Amazon S3 data security](monitoring-s3-how-it-works.md).

Note that statistics in the **Automated discovery** section don't include the results of sensitive data discovery jobs that you create and run.
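To make the grouping in the **Automated discovery** section concrete, the following added example (not Amazon's code and not part of this guide) rebuilds the **Total buckets** chart groups and their hover statistics from bucket records in the shape of the Macie DescribeBuckets response, and lists the **Sensitive** buckets that are also publicly accessible, the remediation case called out earlier on this page. The bucket names, account IDs, scores and sizes are constructed sample data; `fetch_statistics`, which calls GetBucketStatistics through boto3, is an assumption about the live API and is not exercised offline.

```python
"""Added example (not Amazon's code): rebuild the Automated discovery
statistics from DescribeBuckets-style bucket records. Field names follow the
Macie DescribeBuckets and GetBucketStatistics responses; all values below are
constructed sample data."""

# Constructed sample records in the shape of DescribeBuckets "buckets" items.
SAMPLE_BUCKETS = [
    {"bucketName": "example-finance-exports", "accountId": "111111111111",
     "sensitivityScore": 78, "publicAccess": {"effectivePermission": "PUBLIC"},
     "sizeInBytes": 5_000_000, "classifiableSizeInBytes": 4_200_000},
    {"bucketName": "example-app-logs", "accountId": "111111111111",
     "sensitivityScore": 12, "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "sizeInBytes": 1_000_000, "classifiableSizeInBytes": 900_000},
    {"bucketName": "example-new-landing", "accountId": "222222222222",
     "sensitivityScore": 50, "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "sizeInBytes": 0, "classifiableSizeInBytes": 0},
    {"bucketName": "example-locked-down", "accountId": "222222222222",
     "sensitivityScore": -1, "publicAccess": {"effectivePermission": "UNKNOWN"},
     "sizeInBytes": 300_000, "classifiableSizeInBytes": 0},
    {"bucketName": "example-public-website", "accountId": "222222222222",
     "sensitivityScore": 30, "publicAccess": {"effectivePermission": "PUBLIC"},
     "sizeInBytes": 250_000, "classifiableSizeInBytes": 200_000},
    {"bucketName": "example-hr-archive", "accountId": "111111111111",
     "sensitivityScore": 95, "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "sizeInBytes": 8_000_000, "classifiableSizeInBytes": 8_000_000},
]

# Group names as GetBucketStatistics reports them in bucketStatisticsBySensitivity.
GROUPS = ("sensitive", "notSensitive", "notClassified", "classificationError")


def sensitivity_label(score):
    """Map a sensitivity score to its dashboard group: 51-100 Sensitive,
    1-49 Not sensitive, 50 Not yet analyzed, -1 Classification error."""
    if score == -1:
        return "classificationError"
    if score == 50:
        return "notClassified"
    if 1 <= score <= 49:
        return "notSensitive"
    if 51 <= score <= 100:
        return "sensitive"
    raise ValueError(f"unexpected sensitivity score: {score}")


def is_publicly_accessible(bucket):
    """Macie's effective permission is PUBLIC, NOT_PUBLIC, or UNKNOWN."""
    return bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC"


def bucket_statistics_by_sensitivity(buckets):
    """Aggregate the hover statistics of the Total buckets chart: bucket count,
    publicly accessible count, classifiable bytes and total bytes per group."""
    groups = {
        name: {"totalCount": 0, "publiclyAccessibleCount": 0,
               "classifiableSizeInBytes": 0, "totalSizeInBytes": 0}
        for name in GROUPS
    }
    for bucket in buckets:
        group = groups[sensitivity_label(bucket["sensitivityScore"])]
        group["totalCount"] += 1
        group["publiclyAccessibleCount"] += int(is_publicly_accessible(bucket))
        group["classifiableSizeInBytes"] += bucket.get("classifiableSizeInBytes", 0)
        group["totalSizeInBytes"] += bucket.get("sizeInBytes", 0)
    return groups


def remediation_candidates(buckets):
    """Buckets that are Sensitive and publicly accessible, sorted by name."""
    return sorted(
        bucket["bucketName"] for bucket in buckets
        if sensitivity_label(bucket["sensitivityScore"]) == "sensitive"
        and is_publicly_accessible(bucket)
    )


def fetch_statistics(account_id=None):
    """Assumed live counterpart: GetBucketStatistics via boto3 (needs boto3
    and AWS credentials; imported here so the offline functions run without it)."""
    import boto3
    client = boto3.client("macie2")
    kwargs = {"accountId": account_id} if account_id else {}
    return client.get_bucket_statistics(**kwargs)["bucketStatisticsBySensitivity"]


if __name__ == "__main__":
    for name, stats in bucket_statistics_by_sensitivity(SAMPLE_BUCKETS).items():
        print(f"{name:20} {stats}")
    print("remediate first:", remediation_candidates(SAMPLE_BUCKETS))
```

Run against a real account, `fetch_statistics()` returns the same four groups with the same keys, so the offline aggregation can be compared against the dashboard figures for the same account.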

### Coverage issues
<a name="discovery-asdd-results-s3-dashboard-coverage-statistics"></a>

In this section, statistics indicate whether certain types of issues prevented Amazon Macie from analyzing objects in individual S3 buckets. The following image shows an example of the statistics that this section provides.

![\[The Coverage issues section of the dashboard. Each field contains example data.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-summary-dashboard-coverage.png)


Individual statistics in this section are:
+ **Access denied** – The total number of buckets that Macie isn't allowed to access. Macie can't analyze any objects in these buckets. The buckets' permissions settings prevent Macie from accessing the buckets and the buckets' objects.
+ **Classification error** – The total number of buckets that Macie hasn't analyzed yet due to object-level classification errors. Macie tried to analyze one or more objects in these buckets. However, Macie couldn't analyze the objects due to issues with object-level permissions settings, object content, or quotas.
+ **Unclassifiable** – The total number of buckets that don't store any classifiable objects. Macie can't analyze any objects in these buckets. All the objects use Amazon S3 storage classes that Macie doesn't support, or they have file name extensions for file or storage formats that Macie doesn't support. 

Choose the value for a statistic to display additional details and, as applicable, remediation guidance. If you remediate access issues and classification errors, you can increase coverage of your Amazon S3 data during subsequent analysis cycles. For more information, see [Assessing automated sensitive data discovery coverage](discovery-coverage.md).

Note that statistics in the **Coverage issues** section don't explicitly include data for sensitive data discovery jobs that you create and run. However, remediating coverage issues that affect automated sensitive data discovery is likely to also increase coverage by jobs that you subsequently run.

# Visualizing data sensitivity with the S3 buckets map
<a name="discovery-asdd-results-s3-inventory-map"></a>

On the Amazon Macie console, the **S3 buckets** heat map provides an interactive, visual representation of data sensitivity across your Amazon Simple Storage Service (Amazon S3) data estate. It captures the results of automated sensitive data discovery activities that Macie has performed thus far for your Amazon S3 data in the current AWS Region.

If you're the Macie administrator for an organization, the map includes results for S3 buckets that your member accounts own. The data is grouped by AWS account and sorted by account ID, as shown in the following image.

![\[The S3 buckets map. It shows different colored squares, one for each bucket, grouped by account.\]](http://docs.aws.amazon.com/macie/latest/user/images/scrn-s3-map-small.png)


The map displays data for up to 100 S3 buckets for each account. To display data for all buckets, you can [switch to table view](discovery-asdd-results-s3-inventory-table.md) and review the data in tabular format instead.

To display the map, choose **S3 buckets** in the navigation pane on the console. Then choose map (![\[The map view button, which is a button that displays four black squares.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-map-view.png)) at the top of the page. The map is available only if automated sensitive data discovery is currently enabled. It doesn't include the results of sensitive data discovery jobs that you create and run.

**Topics**
+ [Interpreting data in the S3 buckets map](#discovery-asdd-results-s3-inventory-map-legend)
+ [Interacting with the S3 buckets map](#discovery-asdd-results-s3-inventory-map-use)

## Interpreting data in the S3 buckets map
<a name="discovery-asdd-results-s3-inventory-map-legend"></a>

In the **S3 buckets** map, each square represents an S3 general purpose bucket in your bucket inventory. The color of a square represents a bucket's current sensitivity score, which measures the intersection of two primary dimensions: the amount of sensitive data that Macie has found in the bucket, and the amount of data that Macie has analyzed in the bucket. The intensity of the color's hue represents where a score falls in a range of data sensitivity values, as shown in the following image.

![\[The color spectrum for sensitivity scores: blue hues for 1-49, red hues for 51-100, and gray for -1.\]](http://docs.aws.amazon.com/macie/latest/user/images/sensitivity-scoring-spectrum.png)


In general, you can interpret color and hue intensity as follows:
+ **Blue** – If a bucket's current sensitivity score ranges from *1* through *49*, the bucket's square is blue and the bucket's sensitivity label is **Not sensitive**. The intensity of the blue hue reflects the number of unique objects that Macie has analyzed in the bucket relative to the total number of unique objects in the bucket. A darker hue indicates a lower sensitivity score.
+ **No color** – If a bucket's current sensitivity score is *50*, the bucket's square isn't colored and the bucket's sensitivity label is **Not yet analyzed**. In addition, the square has a dashed border.
+ **Red** – If a bucket's current sensitivity score ranges from *51* through *100*, the bucket's square is red and the bucket's sensitivity label is **Sensitive**. The intensity of the red hue reflects the amount of sensitive data that Macie has found in the bucket. A darker hue indicates a higher sensitivity score.
+ **Gray** – If a bucket's current sensitivity score is *-1*, the bucket's square is dark gray and the bucket's sensitivity label is **Classification error**. Hue intensity doesn't vary.

For details about the range of sensitivity scores and labels that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).

In the map, the square for an S3 bucket might also contain a symbol. The symbol indicates an error, issue, or other type of consideration that might affect your evaluation of a bucket's sensitivity. A symbol can also indicate a potential issue with the security of the bucket—for example, the bucket is publicly accessible. The following table lists the symbols that Macie uses to notify you of these cases.


| Symbol | Definition | Description | 
| --- | --- | --- | 
|  ![\[The Access denied symbol, which is a gray exclamation point.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-map-access-denied.png)  | Access denied |  Macie isn't allowed to access the bucket or the bucket's objects. Consequently, Macie can't analyze any objects in the bucket.  This issue typically occurs because a bucket has a restrictive bucket policy. For information about how to address this issue, see [Allowing Macie to access S3 buckets and objects](monitoring-restrictive-s3-buckets.md).  | 
|  ![\[The Publicly accessible symbol, which is a solid, gray, upward-facing arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-map-publicly-accessible.png)  | Publicly accessible |  The general public has read or write access to the bucket. To make this determination, Macie analyzes a combination of settings for each bucket, such as the block public access settings for the account and the bucket, and the bucket policy for the bucket. Macie can do this for up to 10,000 buckets for an account. For more information, see [How Macie monitors Amazon S3 data security](monitoring-s3-how-it-works.md).  | 
|  ![\[The Unclassifiable symbol, which is a gray question mark.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-map-unclassifiable.png)  | Unclassifiable |  Macie can't analyze any objects in the bucket. All the bucket's objects use Amazon S3 storage classes that Macie doesn't support, or they have file name extensions for file or storage formats that Macie doesn't support. For Macie to analyze an object, the object must use a supported storage class and have a file name extension for a supported file or storage format. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).  | 
|  ![\[The Zero bytes symbol, which is the number zero.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-map-zero-bytes.png)  | Zero bytes |  The bucket doesn't store any objects for Macie to analyze. The bucket is empty or all the objects in the bucket contain zero (0) bytes of data.  | 
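The symbol table above and the **Coverage issues** statistics on the **Summary** dashboard describe the same conditions from two angles. The following added example (not Amazon's code and not part of this guide) derives, for each bucket record in the shape of the DescribeBuckets response, the symbols the map would show and the coverage statistic the bucket counts toward. The `errorCode` value `ACCESS_DENIED` and the `publicAccess.effectivePermission` values are DescribeBuckets fields; which field combinations imply which symbol is this example's assumption, and the bucket names and counts are constructed sample data.

```python
"""Added example (not Amazon's code): map DescribeBuckets-style fields to the
S3 buckets map symbols and the Summary dashboard's Coverage issues groups.
Field names follow the DescribeBuckets response; the field-to-symbol rules are
this example's assumptions; sample values are constructed."""

ACCESS_DENIED = "ACCESS_DENIED"  # DescribeBuckets errorCode when Macie can't access a bucket

# Constructed sample records.
SAMPLE_BUCKETS = [
    {"bucketName": "example-locked-down", "sensitivityScore": 50,
     "errorCode": ACCESS_DENIED, "publicAccess": {"effectivePermission": "UNKNOWN"},
     "objectCount": 0, "classifiableObjectCount": 0, "sizeInBytes": 0},
    {"bucketName": "example-public-site", "sensitivityScore": 30,
     "publicAccess": {"effectivePermission": "PUBLIC"},
     "objectCount": 40, "classifiableObjectCount": 40, "sizeInBytes": 250_000},
    {"bucketName": "example-glacier-only", "sensitivityScore": 50,
     "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "objectCount": 10, "classifiableObjectCount": 0, "sizeInBytes": 9_000_000},
    {"bucketName": "example-empty", "sensitivityScore": 50,
     "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "objectCount": 0, "classifiableObjectCount": 0, "sizeInBytes": 0},
    {"bucketName": "example-bad-objects", "sensitivityScore": -1,
     "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "objectCount": 5, "classifiableObjectCount": 5, "sizeInBytes": 1_000},
]


def map_symbols(bucket):
    """Symbols the S3 buckets map would show for one bucket (assumed rules)."""
    symbols = set()
    # Public access is derived from account and bucket settings, so Macie can
    # still determine it even when it can't list the bucket's objects.
    if bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC":
        symbols.add("Publicly accessible")
    if bucket.get("errorCode") == ACCESS_DENIED:
        # Object counts are not meaningful when Macie was denied access.
        symbols.add("Access denied")
    elif bucket.get("objectCount", 0) == 0 or bucket.get("sizeInBytes", 0) == 0:
        symbols.add("Zero bytes")
    elif bucket.get("classifiableObjectCount", 0) == 0:
        # Objects exist, but none use a supported storage class and format.
        symbols.add("Unclassifiable")
    return symbols


def coverage_issue(bucket):
    """Which Coverage issues statistic the bucket counts toward, or None."""
    if bucket.get("errorCode") == ACCESS_DENIED:
        return "Access denied"
    if bucket.get("sensitivityScore") == -1:
        return "Classification error"
    if bucket.get("objectCount", 0) > 0 and bucket.get("classifiableObjectCount", 0) == 0:
        return "Unclassifiable"
    return None  # nothing blocks analysis (an empty bucket is not a coverage issue here)


def coverage_summary(buckets):
    """Bucket counts per Coverage issues statistic, as the dashboard shows them."""
    counts = {"Access denied": 0, "Classification error": 0, "Unclassifiable": 0}
    for bucket in buckets:
        issue = coverage_issue(bucket)
        if issue:
            counts[issue] += 1
    return counts


if __name__ == "__main__":
    for bucket in SAMPLE_BUCKETS:
        print(f"{bucket['bucketName']:22} symbols={sorted(map_symbols(bucket))} "
              f"coverage={coverage_issue(bucket)}")
    print(coverage_summary(SAMPLE_BUCKETS))
```

Note the asymmetry the code preserves: a bucket with a classification error (score *-1*) counts toward **Coverage issues** but carries no map symbol, because the map reports that condition through the square's gray color instead.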

## Interacting with the S3 buckets map
<a name="discovery-asdd-results-s3-inventory-map-use"></a>

As you review the **S3 buckets** map, you can interact with it in different ways to reveal and evaluate additional data and details for individual accounts and buckets. Follow these steps to display the map and use various features that it provides. 

**To interact with the S3 buckets map**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays a map of your bucket inventory. If the page displays your inventory in tabular format instead, choose map (![\[The map view button, which is a button that displays four black squares.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-map-view.png)) at the top of the page.

   By default, the map doesn't display data for buckets that are currently excluded from automated sensitive data discovery. If you're the Macie administrator for an organization, it also doesn't display data for accounts that automated sensitive data discovery is currently disabled for. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. At the top of the page, optionally choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) to retrieve the latest bucket metadata from Amazon S3.

1. In the **S3 buckets** map, do any of the following:
   + To determine how many buckets have a specific sensitivity label, refer to the colored badges immediately below an AWS account ID. The badges display aggregated bucket counts, broken down by sensitivity label.

     For example, the red badge reports the total number of buckets that are owned by the account and have the **Sensitive** label. The sensitivity score for these buckets ranges from *51* through *100*. The blue badge reports the total number of buckets that are owned by the account and have the **Not sensitive** label. The sensitivity score for these buckets ranges from *1* through *49*.
   + To review a subset of information about a bucket, hover over the bucket's square. A popover displays the bucket's name and current sensitivity score.

     The popover also displays the total number of objects that Macie can analyze in the bucket and the total storage size of the latest version of those objects. These objects are *classifiable*. They use supported Amazon S3 storage classes and they have file name extensions for supported file or storage formats. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).
   + To filter the map and display only those buckets that have a specific value for a field, place your cursor in the filter box, and then add a filter condition for the field. Macie applies the condition's criteria and displays the condition below the filter box. To further refine the results, add filter conditions for additional fields. For more information, see [Filtering your S3 bucket inventory](monitoring-s3-inventory-filter.md).
   + To drill down and display only those buckets that are owned by a particular account, choose the account ID for the account. Macie opens a new tab that filters and displays data only for that account.

1. To review data sensitivity statistics and other information for a particular bucket, choose the bucket's square. Then refer to the details panel. For information about these details, see [Reviewing data sensitivity details for S3 buckets](discovery-asdd-results-s3-inventory-details.md).
**Tip**  
On the **Bucket details** tab of the panel, you can pivot and drill down on many of the fields. To show buckets that have the same value for a field, choose ![\[The zoom in icon, which is a magnifying glass that has a plus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-plus-sign.png) in the field. To show buckets that have other values for a field, choose ![\[The zoom out icon, which is a magnifying glass that has a minus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-minus-sign.png) in the field.

# Assessing data sensitivity with the S3 buckets table
<a name="discovery-asdd-results-s3-inventory-table"></a>

To review summary information for your Amazon Simple Storage Service (Amazon S3) buckets, you can use the **S3 buckets** table on the Amazon Macie console. By using the table, you can review and analyze an inventory of your general purpose buckets in the current AWS Region, and drill down to review detailed information and statistics for individual buckets. If you're the Macie administrator for an organization, the table includes information about buckets that your member accounts own. If you prefer to access and query the data programmatically, you can use the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation of the Amazon Macie API. 

On the console, you can sort and filter the table to customize your view. You can also export data from the table to a comma-separated values (CSV) file. If you choose an S3 bucket in the table, the details panel displays additional information about the bucket. This includes details and statistics for settings and metrics that provide insight into the security and privacy of the bucket’s data. If automated sensitive data discovery is enabled, it also includes data that captures the results of automated discovery activities that Macie has performed thus far for the bucket.
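For the programmatic route mentioned above, the following added example (not Amazon's code and not part of this guide) filters DescribeBuckets-style records the way the API's `criteria` parameter does, maps each record to the columns of the **S3 buckets** table, and exports the rows to CSV. Field names in the records follow the DescribeBuckets response; the criteria field names (`sensitivityScore`, `publicAccess.effectivePermission`), the local re-implementation of the comparison operators, and `fetch_rows`, which pages through the live API with boto3, are this example's assumptions, and the bucket data is constructed.

```python
"""Added example (not Amazon's code): apply DescribeBuckets-style criteria to
bucket records offline, build S3 buckets table rows, and export them to CSV.
Record field names follow the DescribeBuckets response; criteria field names
and the live fetch are assumptions; sample data is constructed."""

import csv
import io
from datetime import datetime, timezone

# Criteria in the shape DescribeBuckets accepts: field name -> {operator: value}.
SENSITIVE_AND_PUBLIC = {
    "sensitivityScore": {"gte": 51},
    "publicAccess.effectivePermission": {"eq": ["PUBLIC"]},
}

TABLE_COLUMNS = ["Sensitivity", "Bucket", "Account", "Classifiable objects",
                 "Classifiable size", "Monitored by job", "Latest job run"]

# Constructed sample records.
SAMPLE_BUCKETS = [
    {"bucketName": "example-finance-exports", "accountId": "111111111111",
     "sensitivityScore": 78, "publicAccess": {"effectivePermission": "PUBLIC"},
     "classifiableObjectCount": 1100, "classifiableSizeInBytes": 4_200_000,
     "jobDetails": {"isMonitoredByJob": "TRUE",
                    "lastJobRunTime": datetime(2024, 5, 1, 3, 0, tzinfo=timezone.utc)}},
    {"bucketName": "example-hr-archive", "accountId": "111111111111",
     "sensitivityScore": 95, "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "classifiableObjectCount": 30_000, "classifiableSizeInBytes": 8_000_000,
     "jobDetails": {"isMonitoredByJob": "FALSE", "lastJobRunTime": None}},
    {"bucketName": "example-public-website", "accountId": "222222222222",
     "sensitivityScore": 30, "publicAccess": {"effectivePermission": "PUBLIC"},
     "classifiableObjectCount": 40, "classifiableSizeInBytes": 200_000,
     "jobDetails": {"isMonitoredByJob": "UNKNOWN"}},
]


def field_value(bucket, path):
    """Resolve a dotted field name such as publicAccess.effectivePermission."""
    value = bucket
    for part in path.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def matches(bucket, criteria):
    """Local re-implementation of the operators DescribeBuckets criteria
    support: eq and neq take a list, prefix a string, gt/gte/lt/lte a number."""
    for field, conditions in criteria.items():
        value = field_value(bucket, field)
        for op, expected in conditions.items():
            if op == "eq" and value not in expected:
                return False
            if op == "neq" and value in expected:
                return False
            if op == "prefix" and not str(value).startswith(expected):
                return False
            if op in ("gt", "gte", "lt", "lte"):
                if value is None:
                    return False
                ok = {"gt": value > expected, "gte": value >= expected,
                      "lt": value < expected, "lte": value <= expected}[op]
                if not ok:
                    return False
    return True


def table_row(bucket):
    """One S3 buckets table row; Monitored by job is Yes only when Macie
    reports isMonitoredByJob as TRUE, and a dash marks no job run."""
    job = bucket.get("jobDetails") or {}
    last_run = job.get("lastJobRunTime")
    return {
        "Sensitivity": bucket["sensitivityScore"],
        "Bucket": bucket["bucketName"],
        "Account": bucket["accountId"],
        "Classifiable objects": bucket.get("classifiableObjectCount", 0),
        "Classifiable size": bucket.get("classifiableSizeInBytes", 0),
        "Monitored by job": "Yes" if job.get("isMonitoredByJob") == "TRUE" else "No",
        "Latest job run": last_run.isoformat() if last_run else "–",
    }


def filter_rows(buckets, criteria):
    """Rows for the buckets that satisfy every criterion."""
    return [table_row(b) for b in buckets if matches(b, criteria)]


def to_csv(rows):
    """CSV text with the table's column headers, ready to write to a file."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=TABLE_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def fetch_rows(criteria):
    """Assumed live counterpart: page through DescribeBuckets with boto3
    (needs boto3 and AWS credentials; imported here so the rest runs offline)."""
    import boto3
    paginator = boto3.client("macie2").get_paginator("describe_buckets")
    rows = []
    for page in paginator.paginate(criteria=criteria):
        rows.extend(table_row(b) for b in page.get("buckets", []))
    return rows


if __name__ == "__main__":
    print(to_csv(filter_rows(SAMPLE_BUCKETS, SENSITIVE_AND_PUBLIC)))
```

With an empty criteria dictionary, `filter_rows` returns every bucket, which mirrors the unfiltered table; the same `criteria` value can be passed to `fetch_rows` so that the offline and live paths stay in step.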

**To assess data sensitivity by using the S3 buckets table**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays your bucket inventory.

   By default, the page doesn't display data for buckets that are currently excluded from automated sensitive data discovery. If you're the Macie administrator for an organization, it also doesn't display data for accounts that automated sensitive data discovery is currently disabled for. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. Choose table (![\[The table view button, which is a button that displays three black horizontal lines.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-table-view.png)) at the top of the page. Macie displays the number of buckets in your inventory and a table of the buckets.

1. To retrieve the latest bucket metadata from Amazon S3, choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) at the top of the page.

   If the information icon (![\[The information icon, which is a blue circle that has a lowercase letter i in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-info-blue.png)) appears next to any bucket names, we recommend that you do this. This icon indicates that a bucket was created during the past 24 hours, possibly after Macie last retrieved bucket and object metadata from Amazon S3 as part of the [daily refresh cycle](monitoring-s3-how-it-works.md#monitoring-s3-how-it-works-data-refresh).

1. In the **S3 buckets** table, review summary information about each bucket in your inventory:
   + **Sensitivity** – The bucket's current sensitivity score. For information about the range of sensitivity scores that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).
   + **Bucket** – The name of the bucket.
   + **Account** – The account ID for the AWS account that owns the bucket.
   + **Classifiable objects** – The total number of objects that Macie can analyze to detect sensitive data in the bucket.
   + **Classifiable size** – The total storage size of all the objects that Macie can analyze to detect sensitive data in the bucket.

     This value doesn’t reflect the actual size of any compressed objects after they're decompressed. Also, if versioning is enabled for the bucket, this value is based on the storage size of the latest version of each object in the bucket.
   + **Monitored by job** – Whether you configured any sensitive data discovery jobs to periodically analyze objects in the bucket on a daily, weekly, or monthly basis.

     If the value for this field is *Yes*, the bucket is explicitly included in a periodic job or the bucket matched the criteria for a periodic job within the past 24 hours. In addition, the status of at least one of those jobs is not *Cancelled*. Macie updates this data on a daily basis.
   + **Latest job run** – If you configured any one-time or periodic sensitive data discovery jobs to analyze objects in the bucket, this field indicates the most recent date and time when one of those jobs started to run. Otherwise, a dash (–) appears in this field. 

   In the preceding data, objects are *classifiable* if they use a supported Amazon S3 storage class and they have a file name extension for a supported file or storage format. You can detect sensitive data in the objects by using Macie. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).

1. To analyze your inventory by using the table, do any of the following:
   + To sort the table by a specific field, choose the column heading for the field. To change the sort order, choose the column heading again.
   + To filter the table and display only those buckets that have a specific value for a field, place your cursor in the filter box, and then add a filter condition for the field. To further refine the results, add filter conditions for additional fields. For more information, see [Filtering your S3 bucket inventory](monitoring-s3-inventory-filter.md).
   + To review data sensitivity statistics and other information for a particular bucket, choose the bucket's name. Then refer to the details panel. For information about these details, see [Reviewing S3 bucket details](discovery-asdd-results-s3-inventory-details.md).
**Tip**  
On the **Bucket details** tab of the panel, you can pivot and drill down on many of the fields. To show buckets that have the same value for a field, choose ![\[The zoom in icon, which is a magnifying glass that has a plus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-plus-sign.png) in the field. To show buckets that have other values for a field, choose ![\[The zoom out icon, which is a magnifying glass that has a minus sign in it.\]](http://docs.aws.amazon.com/macie/latest/user/images/icon-magnifying-glass-minus-sign.png) in the field.

1. To export data from the table to a CSV file, select the checkbox for each row to export, or select the checkbox in the selection column heading to select all rows. Then choose **Export to CSV** at the top of the page. You can export up to 50,000 rows from the table. 

1. To perform deeper, more immediate analysis of objects in one or more buckets, select the checkbox for each bucket. Then choose **Create job**. For more information, see [Creating a sensitive data discovery job](discovery-jobs-create.md).

# Reviewing data sensitivity details for S3 buckets
<a name="discovery-asdd-results-s3-inventory-details"></a>

As automated sensitive data discovery progresses, you can review detailed results in statistics and other information that Amazon Macie provides about each of your Amazon Simple Storage Service (Amazon S3) buckets. If you're the Macie administrator for an organization, this includes buckets that your member accounts own.

The statistics and information include details that provide insight into the security and privacy of an S3 bucket’s data. They also capture the results of automated sensitive data discovery activities that Macie has performed thus far for a bucket. For example, you can find a list of objects that Macie has analyzed in a bucket. You can also find a breakdown of the types and number of occurrences of sensitive data that Macie has found in a bucket. Note that this data doesn't include the results of sensitive data discovery jobs that you create and run.

Macie automatically recalculates and updates statistics and details for your S3 buckets while it performs automated sensitive data discovery. For example:
+ If Macie doesn't find sensitive data in an S3 object, Macie decreases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary. Macie also adds the object to the list of objects that it selected for analysis.
+ If Macie finds sensitive data in an S3 object, Macie adds those occurrences to the breakdown of sensitive data types that Macie has found in the bucket. Macie also increases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary. In addition, Macie adds the object to the list of objects that it selected for analysis. These tasks are in addition to creating a sensitive data finding for the object.
+ If Macie finds sensitive data in an S3 object that's subsequently changed or deleted, Macie removes sensitive data occurrences for the object from the bucket's breakdown of sensitive data types. Macie also decreases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary. In addition, Macie removes the object from the list of objects that it selected for analysis.
+ If Macie attempts to analyze an S3 object but an issue or error prevents analysis, Macie adds the object to the list of objects that it selected for analysis, and indicates that it wasn't able to analyze the object.

If you're the Macie administrator for an organization or you have a standalone Macie account, you can optionally use these details to assess and adjust certain automated discovery settings for an S3 bucket. For example, you can include or exclude specific types of sensitive data from a bucket's score. For more information, see [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md).

**To review data sensitivity details for an S3 bucket**  
To review data sensitivity and other details for an S3 bucket, you can use the Amazon Macie console or the Amazon Macie API. On the console, the details panel provides centralized access to this information. With the API, you can retrieve and process the data programmatically.

------
#### [ Console ]

Follow these steps to review data sensitivity and other details for an S3 bucket by using the Amazon Macie console.

**To review the details for an S3 bucket**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **S3 buckets**. The **S3 buckets** page displays an interactive map of your bucket inventory. Optionally choose table (![\[The table view button, which is a button that displays three black horizontal lines.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-s3-table-view.png)) at the top of the page to display your inventory in tabular format instead.

   By default, the page doesn't display data for buckets that are currently excluded from automated sensitive data discovery. If you're the Macie administrator for an organization, it also doesn't display data for accounts that automated sensitive data discovery is currently disabled for. To display this data, choose **X** in the **Is monitored by automated discovery** filter token below the filter box.

1. To retrieve the latest bucket metadata from Amazon S3, choose refresh (![\[The refresh button, which is a button that displays an empty blue circle with an arrow.\]](http://docs.aws.amazon.com/macie/latest/user/images/btn-refresh-data.png)) at the top of the page.

1. Choose the bucket whose details you want to review. The details panel displays data sensitivity statistics and other information about the bucket.

The top of the panel shows general information about the bucket: the bucket's name, the account ID for the AWS account that owns the bucket, and the bucket's current sensitivity score. If you're a Macie administrator or you have a standalone Macie account, it also provides options for changing certain automated discovery settings for the bucket. Additional settings and information are organized into the following tabs:

[Sensitivity](#discovery-asdd-results-s3-inventory-sensitivity-details) | [Bucket details](#discovery-asdd-results-s3-inventory-bucket-details) | [Object samples](#discovery-asdd-results-s3-inventory-sample-details) | [Sensitive data discovery](#discovery-asdd-results-s3-inventory-sdd-details)

Individual settings and information on each tab are as follows.

**Sensitivity**  
This tab shows the bucket's current sensitivity score, ranging from *-1* to *100*. For information about the range of sensitivity scores that Macie defines, see [Sensitivity scoring for S3 buckets](discovery-scoring-s3.md).  
The tab also provides a breakdown of the types of sensitive data that Macie has found in the bucket's objects, and the number of occurrences of each type:  
+ **Sensitive data type** – The unique identifier (ID) for the managed data identifier that detected the data, or the name of the custom data identifier that detected the data.

  A managed data identifier's ID describes the type of sensitive data that it's designed to detect—for example, **USA_PASSPORT_NUMBER** for US passport numbers. For details about each managed data identifier, see [Using managed data identifiers](managed-data-identifiers.md).
+ **Count** – The total number of occurrences of the data that the managed or custom data identifier detected.
+ **Scoring status** – This field appears if you're a Macie administrator or you have a standalone Macie account. It specifies whether occurrences of the data are included or excluded from the bucket's sensitivity score.

  If Macie calculates the bucket's score, you can adjust the calculation by including or excluding specific types of sensitive data from the score: select the checkbox for the identifier that detected the sensitive data to include or exclude, and then choose an option on the **Actions** menu. For more information, see [Adjusting sensitivity scores for S3 buckets](discovery-asdd-s3bucket-manage.md).
If Macie hasn't found sensitive data in objects that the bucket currently stores, this section shows the **No detections found** message.  
Note that the **Sensitivity** tab doesn't include data for objects that were changed or deleted after Macie analyzed them. If objects are changed or deleted after analysis, Macie automatically recalculates and updates the appropriate statistics and data to exclude the objects.

**Bucket details**  
This tab provides details about the bucket's settings, including data security and privacy settings. For example, you can review breakdowns of the bucket’s public access settings, and determine whether the bucket replicates objects or is shared with other AWS accounts.  
Of special note, the **Last updated** field indicates when Macie most recently retrieved metadata from Amazon S3 for the bucket or the bucket’s objects. The **Latest automated discovery run** field indicates when Macie most recently analyzed objects in the bucket while performing automated sensitive data discovery. If this analysis hasn't occurred, a dash (–) appears in this field.  
The tab also provides object-level statistics that can help you assess how much data Macie can analyze in the bucket. It also indicates whether you configured any sensitive data discovery jobs to analyze objects in the bucket. If you have, you can access details about the job that ran most recently and then optionally display any findings that the job produced.  
In certain cases, this tab might not include all the details of a bucket. This can occur if you store more than 10,000 buckets in Amazon S3. Macie maintains complete inventory data for only 10,000 buckets for an account—the 10,000 buckets that were most recently created or changed. Macie can, however, analyze objects in buckets that exceed this quota. To review additional details for the buckets, use Amazon S3.  
For additional details about the information on this tab, see [Reviewing the details of S3 buckets](monitoring-s3-inventory-review.md#monitoring-s3-inventory-view-details).

**Object samples**  
This tab lists objects that Macie selected for analysis while performing automated sensitive data discovery for the bucket. Optionally choose an object's name to open the Amazon S3 console and display the object's properties.  
The list includes data for up to 100 objects. The list is populated based on the value for the **Object sensitivity** field: **Sensitive**, followed by **Not Sensitive**, followed by objects that Macie wasn't able to analyze.  
In the list, the **Object sensitivity** field indicates whether Macie found sensitive data in an object:  
+ **Sensitive** – Macie found at least one occurrence of sensitive data in the object.
+ **Not sensitive** – Macie didn't find sensitive data in the object.
+ **–** (*dash*) – Macie wasn't able to complete its analysis of the object due to an issue or error.
The **Classification result** field indicates whether Macie was able to analyze an object:  
+ **Complete** – Macie completed its analysis of the object.
+ **Partial** – Macie analyzed only a subset of data in the object due to an issue or error. For example, the object is an archive file that contains files in an unsupported format.
+ **Skipped** – Macie wasn't able to analyze any data in the object due to an issue or error. For example, the object is encrypted with a key that Macie isn't allowed to use.
Note that the list doesn't include objects that were changed or deleted after Macie analyzed or attempted to analyze them. Macie automatically removes an object from the list if the object is subsequently changed or deleted.

**Sensitive data discovery**  
This tab provides aggregated, automated sensitive data discovery statistics for the bucket:  
+ **Analyzed bytes** – The total amount of data, in bytes, that Macie has analyzed in the bucket.
+ **Classifiable bytes** – The total storage size, in bytes, of all the objects that Macie can analyze in the bucket. These objects use supported Amazon S3 storage classes and they have file name extensions for supported file or storage formats. For more information, see [Supported storage classes and formats](discovery-supported-storage.md).
+ **Total detections** – The total number of occurrences of sensitive data that Macie has found in the bucket. This includes occurrences that are currently suppressed by the sensitivity scoring settings for the bucket.
The **Objects analyzed** chart indicates the total number of objects that Macie has analyzed in the bucket. It also provides a visual representation of the number of objects that Macie did or didn't find sensitive data in. The legend below the chart shows a breakdown of these results:  
+ **Sensitive objects** (*red*) – The total number of objects that Macie found at least one occurrence of sensitive data in.
+ **Not sensitive objects** (*blue*) – The total number of objects that Macie didn't find sensitive data in.
+ **Objects skipped** (*dark gray*) – The total number of objects that Macie wasn't able to analyze due to an issue or error.
The area below the chart's legend provides a breakdown of cases where Macie wasn't able to analyze objects because certain types of permissions issues or cryptographic errors occurred:  
+ **Skipped: Invalid encryption** – The total number of objects that are encrypted with customer-provided keys. Macie can't access these keys.
+ **Skipped: Invalid KMS** – The total number of objects that are encrypted with AWS Key Management Service (AWS KMS) keys that are no longer available. These objects are encrypted with AWS KMS keys that were disabled, are scheduled for deletion, or were deleted. Macie can't use these keys.
+ **Skipped: Permission denied** – The total number of objects that Macie isn't allowed to access due to the permissions settings for the object, or the permissions settings for the key that was used to encrypt the object.
For details about these and other types of issues and errors that can occur, see [Remediating coverage issues](discovery-coverage-remediate.md). If you remediate the issues and errors, you can increase coverage of the bucket's data during subsequent analysis cycles.  
Statistics on the **Sensitive data discovery** tab don't include data for objects that were changed or deleted after Macie analyzed or attempted to analyze them. If objects are changed or deleted after Macie analyzes or attempts to analyze them, Macie automatically recalculates these statistics to exclude the objects.

------
#### [ API ]

To retrieve data sensitivity and other details for an S3 bucket programmatically, you have several options. The appropriate option depends on the details that you want to retrieve:
+ To retrieve a bucket's current sensitivity score and aggregated analysis statistics, use the [GetResourceProfile](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles.html) operation. Or, if you're using the AWS Command Line Interface (AWS CLI), run the [get-resource-profile](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-resource-profile.html) command. The statistics include data such as the number of objects that Macie has analyzed, and the number of objects that Macie has found sensitive data in.
+ To retrieve a breakdown of the types and amount of sensitive data that Macie has found in a bucket, use the [ListResourceProfileDetections](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles-detections.html) operation. Or, if you're using the AWS CLI, run the [list-resource-profile-detections](https://docs.aws.amazon.com/cli/latest/reference/macie2/list-resource-profile-detections.html) command. The breakdown also provides details about the managed or custom data identifier that detected each type of sensitive data.
+ To retrieve a list of up to 100 objects that Macie selected from a bucket for analysis, use the [ListResourceProfileArtifacts](https://docs.aws.amazon.com/macie/latest/APIReference/resource-profiles-artifacts.html) operation. Or, if you're using the AWS CLI, run the [list-resource-profile-artifacts](https://docs.aws.amazon.com/cli/latest/reference/macie2/list-resource-profile-artifacts.html) command. For each object, the list specifies the Amazon Resource Name (ARN) of the object, whether Macie completed its analysis of the object, and whether Macie found sensitive data in the object.

In your request, use the `resourceArn` parameter to specify the ARN of the bucket to retrieve the details for. If you're using the AWS CLI, use the `resource-arn` parameter to specify the ARN.

For additional details about an S3 bucket, such as the bucket's public access settings, use the [DescribeBuckets](https://docs.aws.amazon.com/macie/latest/APIReference/datasources-s3.html) operation. If you're using the AWS CLI, run the [describe-buckets](https://docs.aws.amazon.com/cli/latest/reference/macie2/describe-buckets.html) command to retrieve these details. In your request, optionally use filter criteria to specify the name of the bucket. For more information and examples, see [Filtering your S3 bucket inventory](monitoring-s3-inventory-filter.md).

The following examples show how to use the AWS CLI to retrieve data sensitivity details for an S3 bucket. This first example retrieves the current sensitivity score and aggregated analysis statistics for a bucket.

```
$ aws macie2 get-resource-profile --resource-arn arn:aws:s3:::amzn-s3-demo-bucket
```

Where *arn:aws:s3:::amzn-s3-demo-bucket* is the ARN of the bucket. If the request succeeds, you receive output similar to the following:

```
{
    "profileUpdatedAt": "2024-11-21T15:44:46+00:00",
    "sensitivityScore": 83,
    "sensitivityScoreOverridden": false,
    "statistics": {
        "totalBytesClassified": 933599,
        "totalDetections": 3641,
        "totalDetectionsSuppressed": 0,
        "totalItemsClassified": 111,
        "totalItemsSensitive": 84,
        "totalItemsSkipped": 1,
        "totalItemsSkippedInvalidEncryption": 0,
        "totalItemsSkippedInvalidKms": 0,
        "totalItemsSkippedPermissionDenied": 0
    }
}
```

The next example retrieves a breakdown of the types of sensitive data that Macie has found in an S3 bucket, and the number of occurrences of each type. The breakdown also specifies which managed data identifier or custom data identifier detected the data. It also indicates whether the occurrences are currently excluded (`suppressed`) from the bucket's sensitivity score, if the score is calculated automatically by Macie.

```
$ aws macie2 list-resource-profile-detections --resource-arn arn:aws:s3:::amzn-s3-demo-bucket
```

Where *arn:aws:s3:::amzn-s3-demo-bucket* is the ARN of the bucket. If the request succeeds, you receive output similar to the following:

```
{
    "detections": [
        {
            "count": 8,
            "id": "AWS_CREDENTIALS",
            "name": "AWS_CREDENTIALS",
            "suppressed": false,
            "type": "MANAGED"
        },
        {
            "count": 1194,
            "id": "CREDIT_CARD_NUMBER",
            "name": "CREDIT_CARD_NUMBER",
            "suppressed": false,
            "type": "MANAGED"
        },
        {
            "count": 1194,
            "id": "CREDIT_CARD_SECURITY_CODE",
            "name": "CREDIT_CARD_SECURITY_CODE",
            "suppressed": false,
            "type": "MANAGED"
        },
        {
            "arn": "arn:aws:macie2:us-east-1:123456789012:custom-data-identifier/3293a69d-4a1e-4a07-8715-208ddexample",
            "count": 8,
            "id": "3293a69d-4a1e-4a07-8715-208ddexample",
            "name": "Employee IDs with keyword",
            "suppressed": false,
            "type": "CUSTOM"
        },
        {
            "count": 1237,
            "id": "USA_SOCIAL_SECURITY_NUMBER",
            "name": "USA_SOCIAL_SECURITY_NUMBER",
            "suppressed": false,
            "type": "MANAGED"
        }
    ]
}
```

This example retrieves a list of objects that Macie selected from an S3 bucket for analysis. For each object, the list also indicates whether Macie completed its analysis of the object, and whether Macie found sensitive data in the object.

```
$ aws macie2 list-resource-profile-artifacts --resource-arn arn:aws:s3:::amzn-s3-demo-bucket
```

Where *arn:aws:s3:::amzn-s3-demo-bucket* is the ARN of the bucket. If the request succeeds, you receive output similar to the following:

```
{
    "artifacts": [
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object1.csv",
            "classificationResultStatus": "COMPLETE",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object2.xlsx",
            "classificationResultStatus": "COMPLETE",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object3.json",
            "classificationResultStatus": "COMPLETE",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object4.pdf",
            "classificationResultStatus": "COMPLETE",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object5.zip",
            "classificationResultStatus": "PARTIAL",
            "sensitive": true
        },
        {
            "arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object6.vssx",
            "classificationResultStatus": "SKIPPED"
        }
    ]
}
```
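The three responses above are more useful together than one at a time: the profile statistics tell you how many objects were skipped but not which ones, the detections list can be cross-checked against `totalDetections`, and the artifacts list names the objects whose analysis was `PARTIAL` or `SKIPPED`. The following script is an added example, not AWS documentation or SDK code; its inputs are constructed, trimmed copies of the sample output above, and the functions accept the same dictionaries that boto3's `macie2` client returns from `get_resource_profile`, `list_resource_profile_detections` and `list_resource_profile_artifacts`.

```python
"""Triage helpers for the three resource-profile responses shown above.

Added example, not AWS documentation or SDK code. The sample inputs are
constructed from the CLI output on this page; boto3's macie2 client returns
the same keys, so the functions also work on live responses.
"""
import json
from collections import Counter

# Constructed sample input (trimmed copy of the get-resource-profile output above).
PROFILE = {
    "sensitivityScore": 83,
    "sensitivityScoreOverridden": False,
    "statistics": {
        "totalBytesClassified": 933599,
        "totalDetections": 3641,
        "totalDetectionsSuppressed": 0,
        "totalItemsClassified": 111,
        "totalItemsSensitive": 84,
        "totalItemsSkipped": 1,
        "totalItemsSkippedInvalidEncryption": 0,
        "totalItemsSkippedInvalidKms": 0,
        "totalItemsSkippedPermissionDenied": 0,
    },
}
# Constructed sample input (list-resource-profile-detections output above, compacted).
DETECTIONS = [
    {"count": 8, "id": "AWS_CREDENTIALS", "name": "AWS_CREDENTIALS", "suppressed": False, "type": "MANAGED"},
    {"count": 1194, "id": "CREDIT_CARD_NUMBER", "name": "CREDIT_CARD_NUMBER", "suppressed": False, "type": "MANAGED"},
    {"count": 1194, "id": "CREDIT_CARD_SECURITY_CODE", "name": "CREDIT_CARD_SECURITY_CODE", "suppressed": False, "type": "MANAGED"},
    {"count": 8, "id": "3293a69d-4a1e-4a07-8715-208ddexample", "name": "Employee IDs with keyword", "suppressed": False, "type": "CUSTOM"},
    {"count": 1237, "id": "USA_SOCIAL_SECURITY_NUMBER", "name": "USA_SOCIAL_SECURITY_NUMBER", "suppressed": False, "type": "MANAGED"},
]
# Constructed sample input (list-resource-profile-artifacts output above, trimmed to four objects).
ARTIFACTS = [
    {"arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object1.csv", "classificationResultStatus": "COMPLETE", "sensitive": True},
    {"arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object2.xlsx", "classificationResultStatus": "COMPLETE", "sensitive": True},
    {"arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object5.zip", "classificationResultStatus": "PARTIAL", "sensitive": True},
    {"arn": "arn:aws:s3:::amzn-s3-demo-bucket/amzn-s3-demo-object6.vssx", "classificationResultStatus": "SKIPPED"},
]


def skipped_breakdown(profile):
    """Attribute skipped objects to the three causes Macie counts separately.
    Whatever is left over (for example an unsupported format) is 'other' and
    has to be identified from the object list, not from the statistics."""
    s = profile["statistics"]
    out = {
        "invalid_encryption": s["totalItemsSkippedInvalidEncryption"],
        "invalid_kms": s["totalItemsSkippedInvalidKms"],
        "permission_denied": s["totalItemsSkippedPermissionDenied"],
    }
    out["other"] = s["totalItemsSkipped"] - sum(out.values())
    return out


def detections_consistent(profile, detections):
    """Cross-check the two calls: totalDetections includes suppressed occurrences,
    so unsuppressed counts must equal totalDetections - totalDetectionsSuppressed."""
    s = profile["statistics"]
    active = sum(d["count"] for d in detections if not d["suppressed"])
    suppressed = sum(d["count"] for d in detections if d["suppressed"])
    return (active == s["totalDetections"] - s["totalDetectionsSuppressed"]
            and suppressed == s["totalDetectionsSuppressed"])


def top_detections(detections, limit=3):
    """Unsuppressed detection types, most frequent first (ties broken by name)."""
    active = sorted((d for d in detections if not d["suppressed"]),
                    key=lambda d: (-d["count"], d["name"]))
    return [(d["name"], d["count"], d["type"]) for d in active[:limit]]


def triage(profile, detections, artifacts):
    """One dict a reviewer can scan: score, coverage gaps, and what to look at next."""
    s = profile["statistics"]
    return {
        "score": profile["sensitivityScore"],
        "score_overridden": profile["sensitivityScoreOverridden"],
        # Share of analyzed objects that contained sensitive data.
        "sensitive_ratio": round(s["totalItemsSensitive"] / max(s["totalItemsClassified"], 1), 3),
        "skipped": skipped_breakdown(profile),
        "detections_consistent": detections_consistent(profile, detections),
        "top_detections": top_detections(detections),
        "artifact_status": dict(Counter(a["classificationResultStatus"] for a in artifacts)),
        # PARTIAL and SKIPPED objects are coverage gaps to remediate before trusting the score.
        "incomplete_objects": [a["arn"] for a in artifacts
                               if a["classificationResultStatus"] != "COMPLETE"],
    }


if __name__ == "__main__":
    print(json.dumps(triage(PROFILE, DETECTIONS, ARTIFACTS), indent=2))
```

In the sample data the one skipped object falls into `other`, which matches the `.vssx` object marked `SKIPPED` in the artifacts list rather than any of the permissions or key problems the statistics break out.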

------

# Analyzing findings from automated sensitive data discovery
<a name="discovery-asdd-results-s3-findings"></a>

When Amazon Macie performs automated sensitive data discovery, it creates a sensitive data finding for each Amazon Simple Storage Service (Amazon S3) object that it finds sensitive data in. A *sensitive data finding* is a detailed report of sensitive data that Macie found in an S3 object. A finding doesn't include the sensitive data that Macie found. Instead, it provides information that you can use for further investigation and remediation as necessary.

Each sensitive data finding provides a severity rating and details such as:
+ The date and time when Macie found the sensitive data.
+ The category and types of sensitive data that Macie found.
+ The number of occurrences of each type of sensitive data that Macie found.
+ How Macie found the sensitive data: automated sensitive data discovery or a sensitive data discovery job.
+ The name, public access settings, encryption type, and other information about the affected S3 bucket and object.

Depending on the affected S3 object's file type or storage format, the details can also include the location of as many as 15 occurrences of the sensitive data that Macie found.

Macie stores sensitive data findings for 90 days. You can access them by using the Amazon Macie console or the Amazon Macie API. You can also monitor and process findings by using other applications, services, and systems. For more information, see [Reviewing and analyzing findings](findings.md).

**To analyze findings produced by automated sensitive data discovery**  
To identify and analyze findings that Macie created while performing automated sensitive data discovery, you can filter your findings. With filters, you use specific attributes of findings to build custom views and queries for findings. To filter findings, you can use the Amazon Macie console or submit queries programmatically using the Amazon Macie API. For more information, see [Filtering findings](findings-filter-overview.md).

**Note**  
If your account is part of an organization that centrally manages multiple Macie accounts, only the Macie administrator for your organization has direct access to findings that automated sensitive data discovery produces for accounts in your organization. If you have a member account and want to review the findings for your account, contact your Macie administrator.

------
#### [ Console ]

Follow these steps to identify and analyze the findings by using the Amazon Macie console.

**To analyze findings produced by automated discovery**

1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).

1. In the navigation pane, choose **Findings**.

1. To display findings that were suppressed by a [suppression rule](findings-suppression.md), change the **Finding status** setting. Choose **All** to display both suppressed and unsuppressed findings, or choose **Archived** to display only suppressed findings. To then hide suppressed findings again, choose **Current**.

1. Place your cursor in the **Filter criteria** box. In the list of fields that appears, choose **Origin type**.

   This field specifies how Macie found the sensitive data that produced a finding: automated sensitive data discovery or a sensitive data discovery job. To find this field in the list of filter fields, you can browse the complete list, or enter part of the field's name to narrow the list of fields.

1. Select **AUTOMATED_SENSITIVE_DATA_DISCOVERY** as the value for the field, and then choose **Apply**. Macie applies the filter criteria and adds the condition to a filter token in the **Filter criteria** box.

1. To refine the results, add filter conditions for additional fields, for example **Created at** for the time range when a finding was created, **S3 bucket name** for the name of an affected bucket, or **Sensitive data detection type** for the type of sensitive data that was detected and produced a finding.

If you want to subsequently use this set of conditions again, you can save it as a filter rule. To do this, choose **Save rule** in the **Filter criteria** box. Then enter a name and, optionally, a description for the rule. When you finish, choose **Save**.

------
#### [ API ]

To identify and analyze the findings programmatically, specify filter criteria in queries that you submit using the [ListFindings](https://docs.aws.amazon.com/macie/latest/APIReference/findings.html) or [GetFindingStatistics](https://docs.aws.amazon.com/macie/latest/APIReference/findings-statistics.html) operation of the Amazon Macie API. The **ListFindings** operation returns an array of finding IDs, one ID for each finding that matches the filter criteria. You can then use those IDs to retrieve the details of each finding. The **GetFindingStatistics** operation returns aggregated statistical data about all the findings that match the filter criteria, grouped by a field that you specify in your request. For more information about filtering findings programmatically, see [Filtering findings](findings-filter-overview.md).

In the filter criteria, include a condition for the `originType` field. This field specifies how Macie found the sensitive data that produced a finding: automated sensitive data discovery or a sensitive data discovery job. If automated sensitive data discovery produced a finding, the value for this field is `AUTOMATED_SENSITIVE_DATA_DISCOVERY`.

To identify and analyze the findings by using the AWS Command Line Interface (AWS CLI), run the [list-findings](https://docs.aws.amazon.com/cli/latest/reference/macie2/list-findings.html) or [get-finding-statistics](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-finding-statistics.html) command. The following examples use the **list-findings** command to retrieve finding IDs for all high-severity findings that automated sensitive data discovery produced in the current AWS Region.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws macie2 list-findings \
--finding-criteria '{"criterion":{"classificationDetails.originType":{"eq":["AUTOMATED_SENSITIVE_DATA_DISCOVERY"]},"severity.description":{"eq":["High"]}}}'
```

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

```
C:\> aws macie2 list-findings ^
--finding-criteria={\"criterion\":{\"classificationDetails.originType\":{\"eq\":[\"AUTOMATED_SENSITIVE_DATA_DISCOVERY\"]},\"severity.description\":{\"eq\":[\"High\"]}}}
```

Where:
+ `classificationDetails.originType` specifies the JSON name of the **Origin type** field, and:
  + `eq` specifies the *equals* operator.
  + `AUTOMATED_SENSITIVE_DATA_DISCOVERY` is an enumerated value for the field.
+ *`severity.description`* specifies the JSON name of the **Severity** field, and:
  + *`eq`* specifies the *equals* operator.
  + *`High`* is an enumerated value for the field.

If the request succeeds, Macie returns a `findingIds` array. The array lists the unique identifier for each finding that matches the filter criteria, as shown in the following example.

```
{
    "findingIds": [
        "1f1c2d74db5d8caa76859ec52example",
        "6cfa9ac820dd6d55cad30d851example",
        "702a6fd8750e567d1a3a63138example",
        "826e94e2a820312f9f964cf60example",
        "274511c3fdcd87010a19a3a42example"
    ]
}
```

If no findings match the filter criteria, Macie returns an empty `findingIds` array.

```
{
    "findingIds": []
}
```

------

# Accessing discovery results from automated sensitive data discovery
<a name="discovery-asdd-results-s3-sddrs"></a>

When Amazon Macie performs automated sensitive data discovery, it creates an analysis record for each Amazon Simple Storage Service (Amazon S3) object that it selects for analysis. These records, referred to as *sensitive data discovery results*, log details about the analysis that Macie performs on individual S3 objects. This includes objects that Macie doesn't find sensitive data in, and objects that Macie can't analyze due to errors or issues such as permissions settings or use of an unsupported file or storage format. Sensitive data discovery results provide you with analysis records that can be helpful for data privacy and protection audits or investigations.

If Macie finds sensitive data in an S3 object, the sensitive data discovery result provides information about the sensitive data that Macie found. The information includes the same types of details that a sensitive data finding provides. It provides additional information too, such as the location of as many as 1,000 occurrences of each type of sensitive data that Macie found. For example: 
+ The column and row number for a cell or field in a Microsoft Excel workbook, CSV file, or TSV file
+ The path to a field or array in a JSON or JSON Lines file
+ The line number for a line in a non-binary text file other than a CSV, JSON, JSON Lines, or TSV file—for example, an HTML, TXT, or XML file
+ The page number for a page in an Adobe Portable Document Format (PDF) file
+ The record index and the path to a field in a record in an Apache Avro object container or Apache Parquet file

If the affected S3 object is an archive file, such as a .tar or .zip file, the sensitive data discovery result also provides detailed location data for occurrences of sensitive data in individual files that Macie extracted from the archive. Macie doesn’t include this information in sensitive data findings for archive files. To report location data, sensitive data discovery results use a [standardized JSON schema](findings-locate-sd-schema.md).

**Note**  
As is the case with sensitive data findings, sensitive data discovery results don't include sensitive data that Macie finds in S3 objects. Instead, they provide analysis details that can be helpful for audits or investigations.

Macie stores your sensitive data discovery results for 90 days. You can’t access them directly on the Amazon Macie console or with the Amazon Macie API. Instead, you configure Macie to encrypt and store them in an S3 bucket. The bucket can serve as a definitive, long-term repository for all of your sensitive data discovery results. To determine where this repository is for your account, choose **Discovery results** in the navigation pane on the Amazon Macie console. To do this programmatically, use the [GetClassificationExportConfiguration](https://docs.aws.amazon.com/macie/latest/APIReference/classification-export-configuration.html) operation of the Amazon Macie API. If you haven't configured this repository for your account, see [Storing and retaining sensitive data discovery results](discovery-results-repository-s3.md) to learn how.

After you configure Macie to store your sensitive data discovery results in an S3 bucket, Macie writes the results to JSON Lines (.jsonl) files, and it encrypts and adds those files to the bucket as GNU Zip (.gz) files. For automated sensitive data discovery, Macie adds the files to a folder named `automated-sensitive-data-discovery` in the bucket. You can then optionally access and query the results in that folder. If your account is part of an organization that centrally manages multiple Macie accounts, Macie adds the files to the `automated-sensitive-data-discovery` folder in the bucket for your Macie administrator's account.

Sensitive data discovery results adhere to a standardized schema. This can help you query, monitor, and process them by using other applications, services, and systems. For a detailed, instructional example of how you might query and use these results, see the following blog post on the *AWS Security Blog*: [How to query and visualize Macie sensitive data discovery results with Amazon Athena and Amazon Quick](https://aws.amazon.com/blogs/security/how-to-query-and-visualize-macie-sensitive-data-discovery-results-with-athena-and-quicksight/). For samples of Athena queries that you can use to analyze the results, visit the [Amazon Macie Results Analytics repository](https://github.com/aws-samples/amazon-macie-results-analytics) on GitHub. This repository also provides instructions for configuring Athena to retrieve and decrypt your results, and scripts for creating tables for the results.
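As an added example (not code from Macie or the AWS samples repository), the following Python script shows the offline part of processing results stored in the `automated-sensitive-data-discovery` folder: it reads one gzip-compressed JSON Lines file and tallies how many objects completed analysis, were skipped, or contained detections. The sample records are constructed, and their field names (`resourcesAffected.s3Object.key`, `classificationDetails.result.status.code`, `classificationDetails.result.sensitiveData[].detections[]`) are assumed to mirror the sensitive data finding schema; check them against your own results before relying on them.

```python
import gzip
import io
import json
from collections import Counter

# Constructed sample records, not real Macie output. Field names are assumed to
# mirror the finding schema: one object with detections, one clean object, and
# one object Macie skipped because of an unsupported file type.
SAMPLE_RECORDS = [
    {"resourcesAffected": {"s3Bucket": {"name": "example-bucket"},
                           "s3Object": {"key": "hr/employees.csv"}},
     "classificationDetails": {"originType": "AUTOMATED_SENSITIVE_DATA_DISCOVERY",
                               "result": {"status": {"code": "COMPLETE"},
                                          "sensitiveData": [{"category": "PERSONAL_INFORMATION", "totalCount": 3,
                                                             "detections": [{"type": "EMAIL_ADDRESS", "count": 2},
                                                                            {"type": "PHONE_NUMBER", "count": 1}]}]}}},
    {"resourcesAffected": {"s3Bucket": {"name": "example-bucket"},
                           "s3Object": {"key": "logs/app.log"}},
     "classificationDetails": {"originType": "AUTOMATED_SENSITIVE_DATA_DISCOVERY",
                               "result": {"status": {"code": "COMPLETE"}, "sensitiveData": []}}},
    {"resourcesAffected": {"s3Bucket": {"name": "example-bucket"},
                           "s3Object": {"key": "media/photo.raw"}},
     "classificationDetails": {"originType": "AUTOMATED_SENSITIVE_DATA_DISCOVERY",
                               "result": {"status": {"code": "SKIPPED", "reason": "UNSUPPORTED_FILE_TYPE"}}}},
]


def build_jsonl_gz(records):
    """Serialize records the way the repository stores them: JSON Lines, gzip-compressed."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt", encoding="utf-8") as f:
        for rec in records:
            f.write(json.dumps(rec) + "\n")
    return buf.getvalue()


def summarize(gz_bytes):
    """Parse one .jsonl.gz file; return (status code -> object count, object key -> detections by type)."""
    status_counts = Counter()
    detections = {}
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as f:
        for line in f:
            if not line.strip():
                continue  # tolerate blank lines between records
            rec = json.loads(line)
            result = rec.get("classificationDetails", {}).get("result", {})
            status_counts[result.get("status", {}).get("code", "UNKNOWN")] += 1
            key = rec["resourcesAffected"]["s3Object"]["key"]
            detections[key] = Counter()
            for sd in result.get("sensitiveData", []):  # absent for skipped objects
                for d in sd.get("detections", []):
                    detections[key][d["type"]] += d["count"]
    return status_counts, detections
```

Point `summarize` at the bytes of a downloaded `.jsonl.gz` file to get the same summary for real results; objects that were skipped or had errors show up under their status code with no detections.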