AWS Security Hub
API Reference (API Version 2018-10-26)


Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the master account. To successfully create a member, you must use this action from an account that already has Security Hub enabled. You can use the EnableSecurityHub to enable Security Hub.

After you use CreateMembers to create member account associations in Security Hub, you need to use the InviteMembers action, which invites the accounts to enable Security Hub and become member accounts in Security Hub. If the invitation is accepted by the account owner, the account becomes a member account in Security Hub, and a permission policy is added that permits the master account to view the findings generated in the member account. When Security Hub is enabled in the invited account, findings start being sent to both the member and master accounts.

You can remove the association between the master and member accounts by using the DisassociateFromMasterAccount or DisassociateMembers operation.

Request Syntax

POST /members HTTP/1.1 Content-type: application/json { "AccountDetails": [ { "AccountId": "string", "Email": "string" } ] }

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.


A list of account ID and email address pairs of the accounts to associate with the Security Hub master account.

Type: Array of AccountDetails objects

Required: No

Response Syntax

HTTP/1.1 200 Content-type: application/json { "UnprocessedAccounts": [ { "AccountId": "string", "ProcessingResult": "string" } ] }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


A list of account ID and email address pairs of the AWS accounts that weren't processed.

Type: Array of Result objects


For information about the errors that are common to all actions, see Common Errors.


Internal server error.

HTTP Status Code: 500


AWS Security Hub isn't enabled for the account used to make this request.

HTTP Status Code: 401


The request was rejected because you supplied an invalid or out-of-range value for an input parameter.

HTTP Status Code: 400


The request was rejected because it attempted to create resources beyond the current AWS account limits. The error code describes the limit exceeded.

HTTP Status Code: 429


The resource specified in the request conflicts with an existing resource.

HTTP Status Code: 409

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: