AWS Macie Custom Data Identifier

This page shows how to write Terraform and CloudFormation for a Macie Custom Data Identifier, and how to do so securely.

aws_macie2_custom_data_identifier (Terraform)

The Custom Data Identifier in Macie can be configured in Terraform with the resource name aws_macie2_custom_data_identifier. The following sections describe one example of how to use the resource and its parameters.

Example Usage from GitHub

macie.tf#L5
resource "aws_macie2_custom_data_identifier" "stripe_identifier" {
  name  = "Stripe secret"
  regex = "STRIPE_SECRET"

  # Macie must already be enabled for the account before an identifier can be created.
  depends_on = [aws_macie2_account.macie_account]
}

Note that the regex here is the literal string STRIPE_SECRET, so it flags occurrences of that variable name, not the key value it holds. To find leaked keys, write a pattern for the key's format and use keywords and ignore_words to cut false positives.

Parameters

The following arguments are supported:

  • regex - (Optional) The regular expression (regex) that defines the pattern to match. The expression can contain as many as 512 characters. Although the provider schema marks the argument optional, the Macie API requires a regex, so an identifier without one fails at apply time.
  • keywords - (Optional) An array that lists specific character sequences (keywords), one of which must be within proximity (maximum_match_distance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3 - 90 characters. Keywords aren't case sensitive.
  • ignore_words - (Optional) An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression is the same as any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4 - 90 characters. Ignore words are case sensitive.
  • name - (Optional) A custom name for the custom data identifier. The name can contain as many as 128 characters. If omitted, Terraform will assign a random, unique name. Conflicts with name_prefix.
  • name_prefix - (Optional) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • description - (Optional) A custom description of the custom data identifier. The description can contain as many as 512 characters.
  • maximum_match_distance - (Optional) The maximum number of characters that can exist between text that matches the regex pattern and the character sequences specified by the keywords array. Macie includes or excludes a result based on the proximity of a keyword to text that matches the regex pattern. The distance can be 1 - 300 characters. The default value is 50.
  • tags - (Optional) A map of key-value pairs that specifies the tags to associate with the custom data identifier.

In addition to all arguments above, the following attributes are exported:

  • id - The unique identifier (ID) of the custom data identifier.
  • deleted - Specifies whether the custom data identifier was deleted. If you delete a custom data identifier, Amazon Macie doesn't delete it permanently. Instead, it soft deletes the identifier.
  • created_at - The date and time, in UTC and extended RFC 3339 format, when the custom data identifier was created.
  • arn - The Amazon Resource Name (ARN) of the custom data identifier.
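The arguments above describe matching rules (regex, case-insensitive keywords that must be within maximum_match_distance of the match, case-sensitive ignore words) and a set of length and count limits. As an added example, not code from this page or from the Terraform provider, the following Python script models those rules so a definition can be tried against sample text before it is created. It uses Python's re module, which is not the engine Macie runs, and it assumes a keyword has to precede the regex match to satisfy the proximity rule; treat that direction as an assumption and confirm it with a Macie test run before relying on it. The CustomDataIdentifier class, the Patient ID definition and the sample text are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Limits quoted from the argument reference above.
REGEX_MAX_LEN = 512
KEYWORDS_MAX = 50
KEYWORD_LEN = (3, 90)
IGNORE_WORDS_MAX = 10
IGNORE_WORD_LEN = (4, 90)
DISTANCE_RANGE = (1, 300)
DEFAULT_DISTANCE = 50


@dataclass
class CustomDataIdentifier:
    """Local model of the arguments above (this example's own class, not an AWS type)."""
    name: str
    regex: str
    keywords: List[str] = field(default_factory=list)
    ignore_words: List[str] = field(default_factory=list)
    maximum_match_distance: int = DEFAULT_DISTANCE


def validate(cdi: CustomDataIdentifier) -> List[str]:
    """Return the documented limits this definition breaks (empty list: nothing found)."""
    problems = []
    if not cdi.regex:
        problems.append("regex is empty; the Macie API requires one")
    elif len(cdi.regex) > REGEX_MAX_LEN:
        problems.append(f"regex is {len(cdi.regex)} characters, limit is {REGEX_MAX_LEN}")
    else:
        try:
            re.compile(cdi.regex)
        except re.error as exc:
            problems.append(f"regex does not compile: {exc}")
    if len(cdi.keywords) > KEYWORDS_MAX:
        problems.append(f"{len(cdi.keywords)} keywords, limit is {KEYWORDS_MAX}")
    for word in cdi.keywords:
        if not KEYWORD_LEN[0] <= len(word) <= KEYWORD_LEN[1]:
            problems.append(f"keyword {word!r} must be {KEYWORD_LEN[0]}-{KEYWORD_LEN[1]} characters")
    if len(cdi.ignore_words) > IGNORE_WORDS_MAX:
        problems.append(f"{len(cdi.ignore_words)} ignore words, limit is {IGNORE_WORDS_MAX}")
    for word in cdi.ignore_words:
        if not IGNORE_WORD_LEN[0] <= len(word) <= IGNORE_WORD_LEN[1]:
            problems.append(f"ignore word {word!r} must be {IGNORE_WORD_LEN[0]}-{IGNORE_WORD_LEN[1]} characters")
    if not DISTANCE_RANGE[0] <= cdi.maximum_match_distance <= DISTANCE_RANGE[1]:
        problems.append(f"maximum_match_distance {cdi.maximum_match_distance} is outside {DISTANCE_RANGE}")
    return problems


def _keyword_precedes(cdi: CustomDataIdentifier, lowered: str, match_start: int) -> bool:
    """True if some keyword ends at most maximum_match_distance characters before the match.
    Keywords are compared case-insensitively; the 'precedes' direction is this example's assumption."""
    for word in cdi.keywords:
        for occurrence in re.finditer(re.escape(word.lower()), lowered):
            gap = match_start - occurrence.end()
            if 0 <= gap <= cdi.maximum_match_distance:
                return True
    return False


def find_matches(cdi: CustomDataIdentifier, text: str) -> List[str]:
    """Simulate which regex matches in text survive the keyword and ignore-word rules."""
    pattern = re.compile(cdi.regex)
    lowered = text.lower()
    reported = []
    for match in pattern.finditer(text):
        hit = match.group(0)
        # Ignore words are an exact, case-sensitive comparison against the matched text.
        if hit in cdi.ignore_words:
            continue
        # With no keywords configured, every regex match is reported.
        if cdi.keywords and not _keyword_precedes(cdi, lowered, match.start()):
            continue
        reported.append(hit)
    return reported


# Constructed definition and sample text: one ID right after its keyword, one ID with no
# keyword within 50 characters before it, and one placeholder value listed in ignore_words.
PATIENT_ID = CustomDataIdentifier(
    name="Patient ID",
    regex=r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
    keywords=["PATIENT"],
    ignore_words=["00000000-0000-0000-0000-000000000000"],
    maximum_match_distance=50,
)

SAMPLE_TEXT = (
    "PATIENT record 034e9e3b-2def-4559-bb2a-7850888ae060 admitted.\n"
    "Order id 11111111-2222-3333-4444-555555555555 shipped to the ward.\n"
    "patient sample: 00000000-0000-0000-0000-000000000000 (test fixture)\n"
)

if __name__ == "__main__":
    print("limit problems:", validate(PATIENT_ID))
    print("reported:", find_matches(PATIENT_ID, SAMPLE_TEXT))
```

Only the first ID is reported: the second has no keyword within 50 characters before it, and the third is dropped because it equals an ignore word. Because Macie's regex dialect differs from Python's in places, a definition that passes here should still be exercised with a real Macie test before a classification job depends on it.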

Explanation in Terraform Registry

Provides a resource to manage an AWS Macie Custom Data Identifier.

AWS::Macie::CustomDataIdentifier (CloudFormation)

The CustomDataIdentifier in Macie can be configured in CloudFormation with the resource name AWS::Macie::CustomDataIdentifier. The following sections describe several examples of how to use the resource and its parameters.

Example Usage from GitHub

macie.yml#L28
  # Type: AWS::Macie::CustomDataIdentifier
  # DependsOn: "Session"
  # Properties:
  #     Description: # String
  #     IgnoreWords:
  #         - # String
macie_demo.yml#L21
    Type: "AWS::Macie::CustomDataIdentifier"
    Properties:
      Description: "Patient ID CDI (e.g., 034e9e3b-2def-4559-bb2a-7850888ae060)"
      Keywords:
        - "PATIENT"
      Name: "Patient ID"
product.template-eu-central-1.yaml#L12
    Type: AWS::Macie::CustomDataIdentifier
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-macie-customdataidentifier.html
    Properties:
      Name: !Ref 'Name'
      Regex: !Ref 'Regex'
Outputs:
product.template-eu-west-1.yaml#L12
    Type: AWS::Macie::CustomDataIdentifier
    Description: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-macie-customdataidentifier.html
    Properties:
      Name: !Ref 'Name'
      Regex: !Ref 'Regex'
Outputs:
MacieCustomDataIdentifierSpecification.json#L3
    "AWS::Macie::CustomDataIdentifier": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-macie-customdataidentifier.html",
      "Properties": {
        "Name": {
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-macie-customdataidentifier.html#cfn-macie-customdataidentifier-name",
          "UpdateType": "Immutable",
awsResouceIconMatches.json#L2218
        "resourceType": "AWS::Macie::CustomDataIdentifier",
        "filePath": null
      }
    ]
  },
  {
template.json#L2103
    "AWS::Macie::CustomDataIdentifier": {
      "Type": "AWS::Macie::CustomDataIdentifier",
      "Properties": {}
    },
    "AWS::ECS::TaskSet": {
      "Type": "AWS::ECS::TaskSet",

Parameters

The resource takes the same criteria as the Terraform arguments above: Name and Regex (both required), plus the optional Description, Keywords, IgnoreWords and MaximumMatchDistance properties, with the same length and count limits. As the specification excerpt above shows for Name, these properties are immutable: Macie has no update operation for custom data identifiers, so changing any of them replaces the resource and gives it a new ID, which breaks any classification job that references the old one.

Explanation in CloudFormation Registry

The AWS::Macie::CustomDataIdentifier resource is a set of criteria that you define to detect sensitive data in one or more data sources. Each identifier specifies a regular expression (regex) that defines a text pattern to match in the data. It can also specify character sequences, such as words and phrases, and a proximity rule that refine the analysis of a data source. By using custom data identifiers, you can tailor your analysis to meet your organization's specific needs and supplement the built-in, managed data identifiers that Amazon Macie provides.

A Session (AWS::Macie::Session) must exist for the account before you can create a CustomDataIdentifier. Use a DependsOn attribute to ensure that the Session is created before the other resources. For example, "DependsOn: Session".
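The Session ordering and the required properties are easy to get wrong in a template that is assembled from several files, and the failure only appears at stack creation time. As an added example, not code from this page or from the projects it cites, the following Python check walks a CloudFormation template parsed into a dict (the JSON form of the YAML snippets above) and reports any AWS::Macie::CustomDataIdentifier that is not ordered after an AWS::Macie::Session through DependsOn, or that omits Name or Regex. The two templates and the function names are constructed for this example.

```python
from typing import Any, Dict, List

SESSION_TYPE = "AWS::Macie::Session"
CDI_TYPE = "AWS::Macie::CustomDataIdentifier"
REQUIRED_PROPS = ("Name", "Regex")


def _depends_on(resource: Dict[str, Any]) -> List[str]:
    """DependsOn may be a single logical ID or a list of them."""
    dep = resource.get("DependsOn", [])
    return [dep] if isinstance(dep, str) else list(dep)


def check_macie_template(template: Dict[str, Any]) -> List[str]:
    """Return one finding per problem; an empty list means ordering and required
    properties look right."""
    resources = template.get("Resources", {})
    sessions = {lid for lid, res in resources.items() if res.get("Type") == SESSION_TYPE}
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != CDI_TYPE:
            continue
        if not sessions:
            findings.append(f"{logical_id}: template declares no {SESSION_TYPE}")
        elif not sessions & set(_depends_on(res)):
            findings.append(
                f"{logical_id}: add DependsOn for {sorted(sessions)} so the Session exists first"
            )
        props = res.get("Properties", {})
        for name in REQUIRED_PROPS:
            if name not in props:
                findings.append(f"{logical_id}: required property {name} is missing")
    return findings


# Constructed templates: the first forgets DependsOn and Regex, the second is corrected.
BROKEN_TEMPLATE = {
    "Resources": {
        "Session": {"Type": SESSION_TYPE, "Properties": {"Status": "ENABLED"}},
        "PatientId": {
            "Type": CDI_TYPE,
            "Properties": {"Name": "Patient ID", "Keywords": ["PATIENT"]},
        },
    }
}

FIXED_TEMPLATE = {
    "Resources": {
        "Session": {"Type": SESSION_TYPE, "Properties": {"Status": "ENABLED"}},
        "PatientId": {
            "Type": CDI_TYPE,
            "DependsOn": "Session",
            "Properties": {
                "Name": "Patient ID",
                "Regex": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
                "Keywords": ["PATIENT"],
                "MaximumMatchDistance": 50,
            },
        },
    }
}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, check_macie_template(tpl) or "OK")
```

Run it in CI against the template after it has been parsed (for YAML sources, any YAML loader that understands CloudFormation's short-form tags will do); the check only inspects resource types, DependsOn and property names, so intrinsic functions inside property values do not affect it.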

Frequently asked questions

What is AWS Macie Custom Data Identifier?

AWS Macie Custom Data Identifier is a resource for Macie of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Macie Custom Data Identifier?

For Terraform, the rutkowskib/repository-security-macie source code example is useful. See the Terraform Example section for further details.

For CloudFormation, the comp9447-team4/soar, taakmara/macie-demo and garystafford/macie-demo source code examples are useful. See the CloudFormation Example section for further details.