CreateGraph - Amazon Detective


Creates a new behavior graph for the calling account, and sets that account as the master account. This operation is called by the account that is enabling Detective.

Before you try to enable Detective, make sure that your account has been enrolled in Amazon GuardDuty for at least 48 hours. If you do not meet this requirement, you cannot enable Detective. If you do meet the GuardDuty prerequisite, then when you make the request to enable Detective, it checks whether your data volume is within the Detective quota. If it exceeds the quota, then you cannot enable Detective.

The operation also enables Detective for the calling account in the currently selected Region. It returns the ARN of the new behavior graph.

CreateGraph triggers a process to create the corresponding data tables for the new behavior graph.

An account can only be the master account for one behavior graph within a Region. If the same account calls CreateGraph with the same master account, it always returns the same behavior graph ARN. It does not create a new behavior graph.

Request Syntax

POST /graph HTTP/1.1

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request does not have a request body.

Response Syntax

HTTP/1.1 200 Content-type: application/json { "GraphArn": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


The ARN of the new behavior graph.

Type: String

Pattern: ^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$


For information about the errors that are common to all actions, see Common Errors.


The request attempted an invalid action.

HTTP Status Code: 409


The request was valid but failed because of a problem with the service.

HTTP Status Code: 500


This request cannot be completed for one of the following reasons.

  • The request would cause the number of member accounts in the behavior graph to exceed the maximum allowed. A behavior graph cannot have more than 1000 member accounts.

  • The request would cause the data rate for the behavior graph to exceed the maximum allowed.

  • Detective is unable to verify the data rate for the member account. This is usually because the member account is not enrolled in Amazon GuardDuty.

HTTP Status Code: 402



This example illustrates one usage of CreateGraph.

Sample Request

POST /graph HTTP/1.1 Host: Accept-Encoding: identity Content-Length: 0 Authorization: AUTHPARAMS X-Amz-Date: 20200122T193018Z User-Agent: aws-cli/1.14.29 Python/2.7.9 Windows/8 botocore/1.8.33


This example illustrates one usage of CreateGraph.

Sample Response

HTTP/1.1 200 OK Content-Type: application/json Content-Length: 94 Date: Wed, 22 Jan 2020 23:07:46 GMT x-amzn-RequestId: 397d0549-0092-11e8-a0ee-a7f9aa6e7572 Connection: Keep-alive { "GraphArn": "arn:aws:detective:us-east-1:111122223333:graph:027c7c4610ea4aacaf0b883093cab899" }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: