CreateMembers - Amazon Detective

CreateMembers

CreateMembers is used to send invitations to accounts. For the organization behavior graph, the Detective administrator account uses CreateMembers to enable organization accounts as member accounts.

For invited accounts, CreateMembers sends a request to invite the specified AWS accounts to be member accounts in the behavior graph. This operation can only be called by the administrator account for a behavior graph.

CreateMembers verifies the accounts and then invites the verified accounts. The administrator can optionally specify to not send invitation emails to the member accounts. This would be used when the administrator manages their member accounts centrally.

For organization accounts in the organization behavior graph, CreateMembers attempts to enable the accounts. The organization accounts do not receive invitations.

The request provides the behavior graph ARN and the list of accounts to invite or to enable.

The response separates the requested accounts into two lists:

  • The accounts that CreateMembers was able to process. For invited accounts, includes member accounts that are being verified, that have passed verification and are to be invited, and that have failed verification. For organization accounts in the organization behavior graph, includes accounts that can be enabled and that cannot be enabled.

  • The accounts that CreateMembers was unable to process. This list includes accounts that were already invited to be member accounts in the behavior graph.

Request Syntax

POST /graph/members HTTP/1.1
Content-type: application/json

{
   "Accounts": [
      {
         "AccountId": "string",
         "EmailAddress": "string"
      }
   ],
   "DisableEmailNotification": boolean,
   "GraphArn": "string",
   "Message": "string"
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

Accounts

The list of AWS accounts to invite or to enable. You can invite or enable up to 50 accounts at a time. For each invited account, the account list contains the account identifier and the AWS account root user email address. For organization accounts in the organization behavior graph, the email address is not required.

Type: Array of Account objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: Yes

DisableEmailNotification

If set to true, the invited accounts do not receive email notifications. By default, this is set to false, and the invited accounts receive email notifications.

Organization accounts in the organization behavior graph do not receive email notifications.

Type: Boolean

Required: No

GraphArn

The ARN of the behavior graph.

Type: String

Pattern: ^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$

Required: Yes

Message

Customized message text to include in the invitation email message to the invited member accounts.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1000.

Required: No

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "Members": [
      {
         "AccountId": "string",
         "AdministratorId": "string",
         "DatasourcePackageIngestStates": {
            "string" : "string"
         },
         "DisabledReason": "string",
         "EmailAddress": "string",
         "GraphArn": "string",
         "InvitationType": "string",
         "InvitedTime": number,
         "MasterId": "string",
         "PercentOfGraphUtilization": number,
         "PercentOfGraphUtilizationUpdatedTime": number,
         "Status": "string",
         "UpdatedTime": number,
         "VolumeUsageByDatasourcePackage": {
            "string" : {
               "VolumeUsageInBytes": number,
               "VolumeUsageUpdateTime": number
            }
         },
         "VolumeUsageInBytes": number,
         "VolumeUsageUpdatedTime": number
      }
   ],
   "UnprocessedAccounts": [
      {
         "AccountId": "string",
         "Reason": "string"
      }
   ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Members

The set of member account invitation or enablement requests that Detective was able to process. This includes accounts that are being verified, that failed verification, and that passed verification and are being sent an invitation or are being enabled.

Type: Array of MemberDetail objects

UnprocessedAccounts

The list of accounts for which Detective was unable to process the invitation or enablement request. For each account, the list provides the reason why the request could not be processed. The list includes accounts that are already member accounts in the behavior graph.

Type: Array of UnprocessedAccount objects
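The request body constraints above (1 to 50 accounts, 12-digit account IDs, the GraphArn pattern, a 1 to 1000 character Message, an email address only required for invited accounts) and the two-list response shape are easy to check client-side before and after the call. The following Python is an added example written for this page, not code from AWS or the Detective SDK. It builds and validates a CreateMembers body with the standard library only, and partitions a response into per-status member lists and unprocessed accounts with their reasons. The sample ARN, account IDs and email addresses are the ones from this page's sample request; the unprocessed account and its Reason text are constructed for illustration, as is the organization_accounts flag, which is a local switch of this example and not an API parameter.

```python
import json
import re

# Constraints taken from the CreateMembers request documentation.
MAX_ACCOUNTS_PER_REQUEST = 50
MAX_MESSAGE_LENGTH = 1000
GRAPH_ARN_PATTERN = re.compile(
    r"^arn:aws[-\w]{0,10}?:detective:[-\w]{2,20}?:\d{12}?:graph:[abcdef\d]{32}?$"
)
ACCOUNT_ID_PATTERN = re.compile(r"^\d{12}$")

# Values from the page's sample request (not live resources).
SAMPLE_GRAPH_ARN = "arn:aws:detective:us-east-1:111122223333:graph:027c7c4610ea4aacaf0b883093cab899"
SAMPLE_ACCOUNTS = [
    {"AccountId": "444455556666", "EmailAddress": "mmajor@example.com"},
    {"AccountId": "123456789012", "EmailAddress": "jstiles@example.com"},
]
# Constructed reason text; the service's actual Reason strings are not listed on this page.
UNPROCESSED_REASON = "already a member of the behavior graph (constructed reason)"


def build_create_members_request(graph_arn, accounts, message=None,
                                 disable_email_notification=False,
                                 organization_accounts=False):
    """Validate inputs against the documented constraints and return the
    JSON body for POST /graph/members. Raises ValueError before anything
    is sent, so a malformed request never reaches the service.

    organization_accounts is a local flag of this example (not an API
    field): when True, EmailAddress is optional, matching the rule for
    organization accounts in the organization behavior graph."""
    if not GRAPH_ARN_PATTERN.match(graph_arn):
        raise ValueError("GraphArn does not match the documented pattern")
    if not 1 <= len(accounts) <= MAX_ACCOUNTS_PER_REQUEST:
        raise ValueError("Accounts must contain between 1 and 50 items")
    seen = set()
    body_accounts = []
    for acct in accounts:
        account_id = str(acct.get("AccountId", ""))
        if not ACCOUNT_ID_PATTERN.match(account_id):
            raise ValueError(f"invalid AccountId: {account_id!r}")
        if account_id in seen:
            raise ValueError(f"duplicate AccountId: {account_id}")
        seen.add(account_id)
        entry = {"AccountId": account_id}
        email = acct.get("EmailAddress")
        if email:
            entry["EmailAddress"] = email
        elif not organization_accounts:
            raise ValueError(f"EmailAddress is required for invited account {account_id}")
        body_accounts.append(entry)
    body = {"Accounts": body_accounts, "GraphArn": graph_arn}
    if disable_email_notification:
        body["DisableEmailNotification"] = True
    if message is not None:
        if not 1 <= len(message) <= MAX_MESSAGE_LENGTH:
            raise ValueError("Message must be 1 to 1000 characters long")
        body["Message"] = message
    return body


def validation_error(*args, **kwargs):
    """Return the validation message instead of raising (None if valid);
    convenient for pre-flight checks in automation."""
    try:
        build_create_members_request(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def summarize_response(response):
    """Split a CreateMembers response into member account IDs grouped by
    Status, plus a mapping of unprocessed account ID to Reason, so the
    caller can poll accounts still under verification and investigate
    the rest."""
    by_status = {}
    for member in response.get("Members", []):
        by_status.setdefault(member["Status"], []).append(member["AccountId"])
    unprocessed = {u["AccountId"]: u["Reason"]
                   for u in response.get("UnprocessedAccounts", [])}
    return {"by_status": by_status, "unprocessed": unprocessed}


# Constructed response modeled on the page's sample response, with one
# unprocessed account added to show the second list.
SAMPLE_RESPONSE = {
    "Members": [
        {"AccountId": "444455556666", "Status": "INVITED"},
        {"AccountId": "123456789012", "Status": "VERIFICATION_IN_PROGRESS"},
    ],
    "UnprocessedAccounts": [
        {"AccountId": "777788889999", "Reason": UNPROCESSED_REASON},
    ],
}

if __name__ == "__main__":
    body = build_create_members_request(SAMPLE_GRAPH_ARN, SAMPLE_ACCOUNTS,
                                        message="Please join the behavior graph.")
    print(json.dumps(body, indent=2))
    print(json.dumps(summarize_response(SAMPLE_RESPONSE), indent=2))
```

Running the validation before the call keeps ValidationException (400) responses out of your API logs, and keeping UnprocessedAccounts separate from Members makes it clear which accounts need a follow-up from the administrator rather than a retry.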

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

The request issuer does not have permission to access this resource or perform this operation.

HTTP Status Code: 403

InternalServerException

The request was valid but failed because of a problem with the service.

HTTP Status Code: 500

ResourceNotFoundException

The request refers to a nonexistent resource.

HTTP Status Code: 404

ServiceQuotaExceededException

This request cannot be completed for one of the following reasons.

  • The request would cause the number of member accounts in the behavior graph to exceed the maximum allowed. A behavior graph cannot have more than 1200 member accounts.

  • The request would cause the data rate for the behavior graph to exceed the maximum allowed.

  • Detective is unable to verify the data rate for the member account. This is usually because the member account is not enrolled in Amazon GuardDuty.

HTTP Status Code: 402

ValidationException

The request parameters are invalid.

HTTP Status Code: 400

Examples

Example

This example illustrates one usage of CreateMembers.

Sample Request

PUT /graph/members HTTP/1.1
Host: api.detective.us-west-2.amazonaws.com
Accept-Encoding: identity
Content-Length: 442
Authorization: AUTHPARAMS
X-Amz-Date: 20200123T193018Z
User-Agent: aws-cli/1.14.29 Python/2.7.9 Windows/8 botocore/1.8.33

{
   "Accounts": [
      {
         "AccountId": "444455556666",
         "EmailAddress": "mmajor@example.com"
      },
      {
         "AccountId": "123456789012",
         "EmailAddress": "jstiles@example.com"
      }
   ],
   "GraphArn": "arn:aws:detective:us-east-1:111122223333:graph:027c7c4610ea4aacaf0b883093cab899",
   "Message": "This is Paul Santos. I need to add your account to the data we use for security investigation in Detective. If you have any questions, contact me at psantos@example.com."
}

Example

This example illustrates one usage of CreateMembers.

Sample Response

HTTP/1.1 200 OK
Content-Length: 625
Date: Thu, 23 Jan 2020 23:07:46 GMT
x-amzn-RequestId: 397d0549-0092-11e8-a0ee-a7f9aa6e7572
Connection: Keep-alive

{
   "Members": [
      {
         "AccountId": "444455556666",
         "AdministratorId": "111122223333",
         "EmailAddress": "mmajor@example.com",
         "GraphArn": "arn:aws:detective:us-east-1:111122223333:graph:027c7c4610ea4aacaf0b883093cab899",
         "InvitedTime": "2020-01-24T12:35:0.1587Z",
         "MasterId": "111122223333",
         "Status": "INVITED",
         "UpdatedTime": "2020-01-24T12:35:0.1587Z"
      },
      {
         "AccountId": "123456789012",
         "AdministratorId": "111122223333",
         "EmailAddress": "jstiles@example.com",
         "GraphArn": "arn:aws:detective:us-east-1:111122223333:graph:027c7c4610ea4aacaf0b883093cab899",
         "InvitedTime": "2020-01-24T12:35:0.1587Z",
         "MasterId": "111122223333",
         "Status": "VERIFICATION_IN_PROGRESS",
         "UpdatedTime": "2020-01-24T12:35:0.1587Z"
      }
   ],
   "UnprocessedAccounts": [ ]
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: