

# Managing invited member accounts in Detective
<a name="accounts-invited-members"></a>

A Detective administrator account can invite accounts to be member accounts in their behavior graph. A behavior graph can contain up to 1,200 member accounts. When a member account accepts the invitation and is enabled, Amazon Detective begins to ingest and extract the member account's data into that behavior graph.

To invite individual accounts, you can manually specify the member accounts to invite to contribute their data to a behavior graph. If you want to add a list of member accounts, you can choose to provide a .csv file containing a list of member accounts to invite to your behavior graph.

For behavior graphs other than the organization behavior graph, all of the member accounts are invited accounts. The Detective administrator account can also invite accounts that are not organization accounts to the organization behavior graph.

At a high level, the process for inviting accounts to contribute to a behavior graph is as follows.

1. For each member account to add, the administrator account provides the AWS account identifier and the root user email address.

1. Detective validates that the email address is the root user email address for the account. If the account information is valid, Detective sends the invitation to the member account.

   Detective does not perform this validation or send email invitations to member accounts in these Regions:
   + AWS GovCloud (US-East) Region
   + AWS GovCloud (US-West) Region

   For other Regions, you can set `DisableEmailNotification` using the [CreateMembers](https://docs.aws.amazon.com//detective/latest/APIReference/API_CreateMembers.html) operation of the Detective API. If `DisableEmailNotification` is set to true, then Detective does not send invitation emails to the member accounts. This is a useful setting for accounts that are managed centrally.

1. The member account accepts or declines the invitation.

   Even if the administrator account does not send invitation emails, the member account still must respond to the invitation. 

1. After the member account accepts the invitation, Detective begins to ingest data from the member account into the behavior graph.

1. As soon as the member account is eligible to be enabled, Detective automatically changes the member account status to **Enabled**. 

   For example, the member account status changes to **Enabled** if the administrator account removes other member accounts to make space for an account.

   If more than one account is **Not enabled**, then Detective enables the accounts in the order in which they were invited. The process to check whether to enable any **Not enabled** accounts runs every hour.

   The administrator account also can enable accounts manually, instead of waiting for the automatic process. For example, the administrator account might want to select the accounts to enable. For information on how to enable a member account, see [Enabling a member account that is Not enabled](graph-admin-unblock-account.md).

   Note that Detective began to automatically enable accounts that are **Not enabled** on May 12, 2021. Accounts that were **Not enabled** before then are not enabled automatically. The administrator account must enable them manually.

The administrator account can remove invited member accounts from the behavior graph. Detective does not remove any existing data from the behavior graph, which aggregates data across member accounts.

**Topics**
+ [Inviting individual accounts to a behavior graph](accounts-invited-members-add-individual.md)
+ [Inviting a list of member accounts to a behavior graph](accounts-invited-members-add-csv.md)
+ [Enabling a member account that is Not enabled](graph-admin-unblock-account.md)
+ [Removing member accounts from a behavior graph](accounts-invited-remove.md)

# Inviting individual accounts to a behavior graph
<a name="accounts-invited-members-add-individual"></a>

You can manually specify the member accounts to invite to contribute their data to a behavior graph.

------
#### [ Console ]

**To manually select the member accounts to invite using the Detective console.**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

1. Choose **Actions**. Then choose **Invite accounts**.

1. Under **Add accounts**, choose **Add individual accounts**.

1. To add a member account to the invitation list, perform the following steps.

   1. Choose **Add account**.

   1. For **AWS Account ID**, enter the AWS account ID.

   1. For **Email address**, enter the root user email address for the account.

1. To remove an account from the list, choose **Remove** for that account.

1. Under **Personalize invitation email**, add customized content to include in the invitation email.

   For example, you can use this area to provide contact information. Or use it to remind the member account that they need to attach the required IAM policy to their user or role before they can accept the invitation.

1. **Member account IAM policy** contains the text of the required IAM policy for member accounts. The email invitation includes this policy text. To copy the policy text, choose **Copy**.

1. Choose **Invite**.

------
#### [ Detective API/AWS CLI ]

You can use the Detective API or the AWS Command Line Interface to invite member accounts to contribute their data to a behavior graph. To get the ARN of your behavior graph to use in the request, use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html) operation.

**To invite member accounts to a behavior graph (Detective API, AWS CLI)**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_CreateMembers.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_CreateMembers.html) operation. You must provide the graph ARN. For each account, specify the account identifier and the root user email address.

  To not send invitation emails to the member accounts, set `DisableEmailNotification` to true. By default, `DisableEmailNotification` is false.

  If you do send invitation emails, you can optionally provide custom text to add to the invitation email.
+ **AWS CLI:** At the command line, run the `create-members` command.

  ```
  aws detective create-members --accounts AccountId=<AWS account ID>,EmailAddress=<root user email address> --graph-arn <behavior graph ARN> --message "<Custom message text>"
  ```

  **Example**

  ```
  aws detective create-members --accounts AccountId=444455556666,EmailAddress=mmajor@example.com AccountId=123456789012,EmailAddress=jstiles@example.com --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234 --message "This is Paul Santos. I need to add your account to the data we use for security investigation in Amazon Detective. If you have any questions, contact me at psantos@example.com."
  ```

  To not send invitation emails to the member accounts, include `--disable-email-notification`.

  ```
  aws detective create-members --accounts AccountId=<AWS account ID>,EmailAddress=<root user email address> --graph-arn <behavior graph ARN> --disable-email-notification
  ```

  **Example**

  ```
  aws detective create-members --accounts AccountId=444455556666,EmailAddress=mmajor@example.com AccountId=123456789012,EmailAddress=jstiles@example.com --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234 --disable-email-notification
  ```

------

# Inviting a list of member accounts to a behavior graph
<a name="accounts-invited-members-add-csv"></a>

From the Detective console, you can provide a `.csv` file containing a list of member accounts to invite to your behavior graph.

The first line in the file is the header row. Each account is then listed on a separate line. Each member account entry contains the AWS account ID and the account's root user email address.

Example:

```
Account ID,Email address
111122223333,srodriguez@example.com
444455556666,rroe@example.com
```

When Detective processes the file, it ignores accounts that were already invited, unless the account status is **Verification failed**. That status indicates that the email address provided for the account did not match the account's root user email address. In that case, Detective deletes the original invitation and tries again to verify the email address and send the invitation.

This option also provides a template that you can use to create the list of accounts.
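The following is an added example, not code from the Detective documentation or from the Detective GitHub scripts. It parses a member-account `.csv` in the header-plus-rows layout shown above, validates each row (12-digit account ID, plausible root user email), drops duplicate accounts, applies the re-invite rule for accounts whose status is **Verification failed**, and then assembles the same `CreateMembers` request that the API and CLI sections above describe. The sample file, the member-status map, and the helper names (`parse_member_csv`, `filter_already_invited`, `build_create_members_request`, `to_cli_args`) are constructed for this example; the request parameter names (`GraphArn`, `Accounts`, `AccountId`, `EmailAddress`, `Message`, `DisableEmailNotification`) are the ones from the linked API reference.

```python
"""Added example (not Detective's own code): validate a member-account .csv
and build a CreateMembers request from it."""
import csv
import io
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Deliberately simple address check: one '@' followed by a dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample file: header row, two good rows, two bad rows, one duplicate.
SAMPLE_CSV = """Account ID,Email address
111122223333,srodriguez@example.com
444455556666,rroe@example.com
12345,bad-id@example.com
777788889999,not-an-email
111122223333,srodriguez@example.com
"""


def parse_member_csv(text):
    """Return (accounts, errors). accounts is a list of
    {"AccountId": ..., "EmailAddress": ...} dicts, duplicates dropped;
    errors lists the rejected rows with their line numbers."""
    accounts, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or len(header) < 2:
        return [], ["missing header row"]
    for line_no, row in enumerate(reader, start=2):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) < 2:
            errors.append(f"line {line_no}: expected 2 columns")
            continue
        account_id, email = row[0].strip(), row[1].strip()
        if not ACCOUNT_ID_RE.match(account_id):
            errors.append(f"line {line_no}: invalid account ID {account_id!r}")
            continue
        if not EMAIL_RE.match(email):
            errors.append(f"line {line_no}: invalid email {email!r}")
            continue
        if account_id in seen:
            continue  # same account listed twice; keep the first entry
        seen.add(account_id)
        accounts.append({"AccountId": account_id, "EmailAddress": email})
    return accounts, errors


def filter_already_invited(accounts, existing_status):
    """Model of the rule above: skip accounts already in the graph unless their
    status is 'Verification failed'. existing_status maps account ID to the
    member's current status string (constructed input for this example)."""
    return [a for a in accounts
            if existing_status.get(a["AccountId"]) in (None, "Verification failed")]


def build_create_members_request(graph_arn, accounts, message=None,
                                 disable_email=False):
    """Assemble the CreateMembers request body."""
    request = {"GraphArn": graph_arn, "Accounts": accounts}
    if message:
        request["Message"] = message
    if disable_email:
        request["DisableEmailNotification"] = True
    return request


def to_cli_args(request):
    """Render the request as an argument list for `aws detective create-members`."""
    args = ["aws", "detective", "create-members",
            "--graph-arn", request["GraphArn"], "--accounts"]
    args += [f"AccountId={a['AccountId']},EmailAddress={a['EmailAddress']}"
             for a in request["Accounts"]]
    if "Message" in request:
        args += ["--message", request["Message"]]
    if request.get("DisableEmailNotification"):
        args.append("--disable-email-notification")
    return args


if __name__ == "__main__":
    accts, errs = parse_member_csv(SAMPLE_CSV)
    for e in errs:
        print("rejected:", e)
    # Constructed current statuses: one account already invited.
    accts = filter_already_invited(accts, {"111122223333": "Invited"})
    req = build_create_members_request(
        "arn:aws:detective:us-east-1:111122223333:graph:123412341234",
        accts, message="Please accept the Detective invitation.")
    print(" ".join(to_cli_args(req)))
```

Rejected rows are reported rather than silently skipped, which is the check a practitioner wants before sending invitations: a mistyped account ID or a non-root email leads to a **Verification failed** member that must be cleaned up and re-invited.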

**To invite member accounts from a .csv list (console)**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

1. Choose **Actions**. Then choose **Invite accounts**.

1. Under **Add accounts**, choose **Add from .csv**.

1. To download a template file to work from, choose **Download .csv template**.

1. To select the file containing the list of accounts, choose **Choose .csv file**.

1. Under **Review member accounts**, verify the list of member accounts that Detective found in the file.

1. Under **Personalize invitation email**, add customized content to include in the invitation email.

   For example, you can provide contact information, or remind the member account about the required IAM policy.

1. **Member account IAM policy** contains the text of the required IAM policy for member accounts. The email invitation includes this policy text. To copy the policy text, choose **Copy**.

1. Choose **Invite**.

## Adding a list of member accounts across Regions
<a name="accounts-invited-add-script"></a>

Detective provides an open-source Python script in GitHub that allows you to do the following:
+ Add a specified list of member accounts to an administrator account's behavior graphs across a specified list of Regions.
+ If the administrator account does not have a behavior graph in a Region, then the script also enables Detective and creates the behavior graph in that Region.
+ Send invitation emails to the member accounts.
+ Automatically accept the invitations for the member accounts.

For information on how to configure and use the GitHub scripts, see [Using Detective Python scripts to manage accounts](detective-github-scripts.md).

# Enabling a member account that is Not enabled
<a name="graph-admin-unblock-account"></a>

After a member account accepts an invitation, Amazon Detective checks the number of member accounts. The maximum number of member accounts for a behavior graph is 1,200. If your behavior graph already contains 1,200 member accounts, then new accounts cannot be enabled. If Detective cannot enable the member account, then it sets the member account status to **Not enabled**. 

Member accounts that are **Not enabled** do not contribute data to the behavior graph.

Detective automatically enables accounts as the behavior graph can accommodate them.

You can also try to enable **Not enabled** member accounts manually. For example, you might remove existing member accounts to reduce the data volume. Instead of waiting for the automatic process, you can then try to enable the **Not enabled** member accounts yourself.
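The following is an added example, not code from the Detective documentation or the Detective GitHub scripts. It models the automatic-enablement rule described here and in the invitation overview above: **Not enabled** accounts are enabled in invitation order as capacity becomes available, up to the 1,200-member limit, and accounts that were **Not enabled** before May 12, 2021 are left for the administrator to enable by hand. The member list, its dates and the helper names (`free_slots`, `next_auto_enabled`, `manual_enable_commands`) are constructed for this example; the assumption that only **Enabled** accounts count against the limit is the example's own.

```python
"""Added example (not Detective's own code): predict which Not enabled
accounts the hourly enablement check would pick up next, and emit CLI
commands for the ones that need manual enablement."""
from datetime import date

MAX_MEMBERS = 1200                      # behavior graph limit stated above
AUTO_ENABLE_START = date(2021, 5, 12)   # date automatic enablement began

# Constructed member list: (account ID, status, date invited).
SAMPLE_MEMBERS = [
    ("111122223333", "Enabled", date(2021, 4, 1)),
    ("444455556666", "Not enabled", date(2021, 3, 3)),   # before the cutoff
    ("123456789012", "Not enabled", date(2021, 6, 10)),
    ("222233334444", "Not enabled", date(2021, 6, 2)),
    ("555566667777", "Invited", date(2021, 6, 12)),      # not yet accepted
]


def free_slots(members, max_members=MAX_MEMBERS):
    """Remaining capacity. Assumption for this example: only Enabled accounts
    count against the limit."""
    enabled = sum(1 for _, status, _ in members if status == "Enabled")
    return max(0, max_members - enabled)


def next_auto_enabled(members, max_members=MAX_MEMBERS):
    """Accounts the hourly check would enable: status Not enabled, invited on
    or after the cutoff, oldest invitation first, up to the free capacity."""
    candidates = sorted(
        (m for m in members
         if m[1] == "Not enabled" and m[2] >= AUTO_ENABLE_START),
        key=lambda m: m[2])
    return [m[0] for m in candidates[:free_slots(members, max_members)]]


def manual_enable_commands(members, graph_arn):
    """CLI commands for Not enabled accounts invited before the cutoff, which
    the automatic process skips and the administrator must enable manually."""
    return [
        f"aws detective start-monitoring-member --graph-arn {graph_arn} "
        f"--account-id {account_id}"
        for account_id, status, invited in members
        if status == "Not enabled" and invited < AUTO_ENABLE_START
    ]


if __name__ == "__main__":
    graph = "arn:aws:detective:us-east-1:111122223333:graph:123412341234"
    print("auto-enabled next:", next_auto_enabled(SAMPLE_MEMBERS))
    for cmd in manual_enable_commands(SAMPLE_MEMBERS, graph):
        print("run manually:", cmd)
```

Passing a smaller `max_members` shows the ordering rule directly: with one free slot, only the earliest-invited **Not enabled** account after the cutoff is selected, and the later one waits for the next hourly check or for the administrator to free capacity.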

------
#### [ Console ]

The member account list includes an option to enable selected member accounts that are **Not enabled**.

**To enable a member account that is Not enabled**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

1. Under **My member accounts**, select the check box for each member account to enable.

   You can only enable member accounts that have a status of **Not enabled**.

1. Choose **Enable accounts**.

Detective determines whether the member account can be enabled. If the member account can be enabled, the status changes to **Enabled**.

------
#### [ Detective API/CLI ]

You can use an API call or the AWS Command Line Interface to enable a single member account that is **Not enabled**. To get the ARN of your behavior graph to use in the request, use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html) operation.

**To enable a member account that is Not enabled**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_StartMonitoringMember.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_StartMonitoringMember.html) API operation. You must provide the behavior graph ARN. To identify the member account, use the AWS account identifier.
+ **AWS CLI:** Run the [https://docs.aws.amazon.com/cli/latest/reference/detective/start-monitoring-member.html](https://docs.aws.amazon.com/cli/latest/reference/detective/start-monitoring-member.html) command.

  ```
  aws detective start-monitoring-member --graph-arn <behavior graph ARN> --account-id <AWS account ID>
  ```

  For example:

  ```
  aws detective start-monitoring-member --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234 --account-id 444455556666
  ```

------

# Removing member accounts from a behavior graph
<a name="accounts-invited-remove"></a>

The administrator account can remove invited member accounts from a behavior graph at any time.

Detective automatically removes member accounts that are terminated in AWS, except in the AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions.

When an invited member account is removed from a behavior graph, the following occurs.
+ The member account is removed from **My member accounts**.
+ Amazon Detective stops ingesting data from the removed account.

Detective does not remove any existing data from the behavior graph, which aggregates data across member accounts.

------
#### [ Console ]

You can use the AWS Management Console to remove invited member accounts from your behavior graph.

**To remove member accounts (console)**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

1. In the account list, select the check box for each member account to remove.

   You cannot remove your own account from the list.

1. Choose **Actions**. Then choose **Disable accounts**.

------
#### [ Detective API/CLI ]

You can use the Detective API or the AWS Command Line Interface to remove invited member accounts from your behavior graph. To get the ARN of your behavior graph to use in the request, use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_ListGraphs.html) operation.

**To remove invited member accounts from your behavior graph (Detective API, AWS CLI)**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteMembers.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteMembers.html) operation. Specify the graph ARN and the list of account identifiers for the member accounts to remove.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/delete-members.html](https://docs.aws.amazon.com/cli/latest/reference/detective/delete-members.html) command.

  ```
  aws detective delete-members --account-ids <account ID list> --graph-arn <behavior graph ARN>
  ```

  Example:

  ```
  aws detective delete-members --account-ids 444455556666 123456789012 --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234
  ```

------
#### [ Python script ]

Detective provides an open-source script in GitHub. You can use this script to remove a specified list of member accounts from an administrator account's behavior graphs across a specified list of Regions.

For information on how to configure and use the GitHub scripts, see [Using Detective Python scripts to manage accounts](detective-github-scripts.md).

------