# For member accounts: Managing behavior graph invitations and memberships
<a name="member-account-graph-management"></a>

Amazon Detective charges each member account for the ingested data for each behavior graph that it contributes to.

The **Account management** page allows member accounts to see the administrator accounts for the behavior graphs they are a member of.

Member accounts that are invited to a behavior graph can view and respond to their invitations. They can also remove their account from the behavior graph.

For the organization behavior graph, organization accounts do not control whether their account is a member account. The Detective administrator account chooses the organization accounts to enable or disable as member accounts.

**Topics**
+ [Required IAM policy for a member account](member-account-iam-policy.md)
+ [Viewing your list of behavior graph invitations](member-view-graph-invitations.md)
+ [Responding to a behavior graph invitation](member-invitation-response.md)
+ [Removing your account from a behavior graph](member-remove-self-from-graph.md)

# Required IAM policy for a member account
<a name="member-account-iam-policy"></a>

Before a member account can view and manage invitations, the required IAM policy must be attached to their principal. The principal can be an existing user or role, or you can create a new user or role to use for Detective.

Ideally, the administrator account has their IAM administrator attach the required policy.

The member account IAM policy grants access to member account actions in Amazon Detective. The email invitation to contribute to a behavior graph includes the text of that IAM policy.

To use this policy, replace the `Resource` value of the invitation-management statement (`<behavior graph ARN>` in the emailed copy; `arn:aws:detective:us-east-1:123456789012:graph/*` in the sample below) with the ARN of the behavior graph you were invited to.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "detective:AcceptInvitation",
        "detective:DisassociateMembership",
        "detective:RejectInvitation"
      ],
      "Resource": "arn:aws:detective:us-east-1:123456789012:graph/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "detective:BatchGetMembershipDatasources",
        "detective:GetFreeTrialEligibility",
        "detective:GetPricingInformation",
        "detective:GetUsageInformation",
        "detective:ListInvitations"
      ],
      "Resource": "*"
    }
  ]
}
```

------

Note that organization accounts in the organization behavior graph do not receive invitations and cannot disassociate their account from the organization behavior graph. If they do not belong to other behavior graphs, then they only require the `ListInvitations` permission. `ListInvitations` allows them to see the administrator account for the behavior graph. The permissions to manage invitations and disassociate memberships only apply to memberships by invitation.
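The following Python is an added example, not code from the AWS documentation or the Detective service. It generates the two variants of the member-account policy described above (an invited member, and an organization account that belongs to no other graph and therefore needs only `ListInvitations`), with the invitation-management actions scoped to the graph ARNs you pass in rather than `graph/*`. It also audits a policy document against the member-account action list on this page, flagging actions outside that list and flagging the graph-scoped actions when their `Resource` is still a wildcard, which is the state of the sample before you substitute the real ARN. The function names and the audit rules are this example's own, not part of any AWS tool.

```python
"""Build and audit the Amazon Detective member-account IAM policy (added example, not AWS code)."""
import json
from typing import Dict, List, Union

# Actions listed on this page for a member account, split by the Resource they are
# granted on in the documented policy.
GRAPH_SCOPED_ACTIONS = [
    "detective:AcceptInvitation",
    "detective:DisassociateMembership",
    "detective:RejectInvitation",
]
ACCOUNT_WIDE_ACTIONS = [
    "detective:BatchGetMembershipDatasources",
    "detective:GetFreeTrialEligibility",
    "detective:GetPricingInformation",
    "detective:GetUsageInformation",
    "detective:ListInvitations",
]


def member_policy(graph_arns: List[str], invited_member: bool = True) -> Dict:
    """Return the member-account policy document.

    graph_arns: ARN(s) of the behavior graph(s) this account was invited to; they
    replace the graph/* placeholder as the Resource of the invitation statement.
    invited_member=False: an organization account that is in no other graph, which
    only needs ListInvitations to see its administrator account.
    """
    if not invited_member:
        return {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": ["detective:ListInvitations"], "Resource": "*"}
            ],
        }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(GRAPH_SCOPED_ACTIONS), "Resource": list(graph_arns)},
            {"Effect": "Allow", "Action": list(ACCOUNT_WIDE_ACTIONS), "Resource": "*"},
        ],
    }


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_member_policy(policy: Dict) -> List[str]:
    """Return findings for a policy that is meant only for Detective member-account use.

    Rule 1: every allowed action must be one of the member-account actions on this page
            (so detective:* or unrelated services are flagged).
    Rule 2: the three invitation-management actions must be scoped to specific graph
            ARNs, not "*" or the graph/* placeholder left in the sample.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action not in GRAPH_SCOPED_ACTIONS + ACCOUNT_WIDE_ACTIONS:
                findings.append(f"statement {i}: {action} is not a member-account action")
            elif action in GRAPH_SCOPED_ACTIONS and any(
                r == "*" or r.endswith("graph/*") for r in resources
            ):
                findings.append(
                    f"statement {i}: {action} is allowed on every graph; scope it to the invited graph ARN"
                )
    return findings


if __name__ == "__main__":
    # Constructed sample ARN in the format this page uses; not a real graph.
    sample_arn = "arn:aws:detective:us-east-1:111122223333:graph:123412341234"
    policy = member_policy([sample_arn])
    print(json.dumps(policy, indent=2))
    print("findings:", audit_member_policy(policy) or "none")
    print("findings for unscoped sample:",
          audit_member_policy(member_policy(["arn:aws:detective:us-east-1:123456789012:graph/*"])))
```

Run the audit against the policy actually attached to the principal (for example the output of `aws iam get-policy-version`) before accepting an invitation; a clean result means the principal holds exactly the member-account permissions this page describes and nothing broader.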

# Viewing your list of behavior graph invitations
<a name="member-view-graph-invitations"></a>

From the Amazon Detective console, Detective API, or AWS Command Line Interface, a member account can see their behavior graph invitations.

## Viewing behavior graph invitations (console)
<a name="member-view-invitations-console"></a>

You can view behavior graph invitations from the AWS Management Console.

**To view behavior graph invitations (console)**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

On the **Account management** page, **My administrator accounts** contains your open and accepted behavior graph invitations in the current Region. For an organization account, **My administrator accounts** also contains the organization behavior graph.

If your account is currently in the free trial period, the page also displays the number of days remaining in your free trial.

The list does not contain invitations that you declined, memberships that you resigned, or memberships that the administrator account removed.

Each invitation shows the administrator account number, the date that the invitation was accepted, and the current status of the invitation.
+ For invitations that you have not responded to, the status is **Invited**.
+ For invitations that you accepted, the status is either **Enabled** or **Not enabled**.

  If the status is **Enabled**, then your account contributes data to the behavior graph.

  If the status is **Not enabled**, then your account does not contribute data to the behavior graph.

  Your account status is set initially to **Not enabled** while Detective checks whether you have GuardDuty enabled, and if so, whether your account would cause the data volume for the behavior graph to exceed the Detective quota.

  If your account would not cause the behavior graph to exceed the quota, Detective updates your account status to **Enabled**. Otherwise, the status remains **Not enabled**.

  When the behavior graph is able to accommodate the data volume for your account, Detective automatically updates it to **Enabled**. For example, the administrator account might remove other member accounts so that your account can be enabled. The administrator account can also enable your account manually.

## Viewing behavior graph invitations (Detective API, AWS CLI)
<a name="member-view-invitations-api"></a>

You can list behavior graph invitations from the Detective API or the AWS Command Line Interface.

**To retrieve a list of open and accepted invitations to behavior graphs (Detective API, AWS CLI)**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_ListInvitations.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_ListInvitations.html) operation.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/list-invitations.html](https://docs.aws.amazon.com/cli/latest/reference/detective/list-invitations.html) command.

  ```
  aws detective list-invitations
  ```

# Responding to a behavior graph invitation
<a name="member-invitation-response"></a>

After you accept an invitation, Detective checks the number of member accounts. The maximum number of member accounts for a behavior graph is 1,200. If the behavior graph already contains 1,200 member accounts, then new accounts cannot be enabled.

After you accept the invitation, Detective is enabled in your account, and Detective checks whether your data volume is within the Detective quota. The volume of data flowing into a behavior graph must stay below the maximum that Detective allows. If the volume currently ingested is above the limit of 10 TB per day, no more accounts can be added and Detective disables further ingestion of data. The Detective console displays a notification that the data volume is too large, and your status remains **Not enabled**.

If you decline the invitation, then it is removed from your list of invitations, and Detective does not use your account data in the behavior graph.

## Responding to a behavior graph invitation (console)
<a name="member-invitation-response-console"></a>

You can use the AWS Management Console to respond to the email invitation, which includes a link to the Detective console. You can only respond to an invitation that has a status of **Invited**.

**To respond to a behavior graph invitation (console)**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

1. Under **My administrator accounts**, to accept the invitation and begin contributing data to the behavior graph, choose **Accept invitation**.

   To decline the invitation and remove it from the list, choose **Decline**.

## Responding to a behavior graph invitation (Detective API, AWS CLI)
<a name="member-invitation-response-api"></a>

You can respond to behavior graph invitations from the Detective API or the AWS Command Line Interface.

**To accept a behavior graph invitation (Detective API, AWS CLI)**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_AcceptInvitation.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_AcceptInvitation.html) operation. You must specify the graph ARN.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/accept-invitation.html](https://docs.aws.amazon.com/cli/latest/reference/detective/accept-invitation.html) command.

  ```
  aws detective accept-invitation --graph-arn <behavior graph ARN>
  ```

  Example:

  ```
  aws detective accept-invitation --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234
  ```

**To decline a behavior graph invitation (Detective API, AWS CLI)**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_RejectInvitation.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_RejectInvitation.html) operation. You must specify the graph ARN.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/reject-invitation.html](https://docs.aws.amazon.com/cli/latest/reference/detective/reject-invitation.html) command.

  ```
  aws detective reject-invitation --graph-arn <behavior graph ARN>
  ```

  Example:

  ```
  aws detective reject-invitation --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234
  ```

# Removing your account from a behavior graph
<a name="member-remove-self-from-graph"></a>

After you accept an invitation, you can remove your account from a behavior graph at any time. When you remove your account from a behavior graph, Amazon Detective stops ingesting data from your account into the behavior graph. Existing data remains in the behavior graph.

Only invited accounts can remove their account from a behavior graph. Organization accounts cannot remove their account from the organization behavior graph.

## Removing your account from a behavior graph (console)
<a name="member-remove-self-console"></a>

You can use the AWS Management Console to remove your account from a behavior graph.

**To remove your account from a behavior graph (console)**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective navigation pane, choose **Account management**.

1. Under **My administrator accounts**, for the behavior graph you want to resign from, choose **Resign**.

## Removing your account from a behavior graph (Detective API, AWS CLI)
<a name="member-remove-self-api"></a>

You can use the Detective API or the AWS Command Line Interface to remove your account from a behavior graph.

**To remove your account from a behavior graph (Detective API, AWS CLI)**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_DisassociateMembership.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_DisassociateMembership.html) operation. You must specify the graph ARN.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/disassociate-membership.html](https://docs.aws.amazon.com/cli/latest/reference/detective/disassociate-membership.html) command.

  ```
  aws detective disassociate-membership --graph-arn <behavior graph ARN>
  ```

  Example:

  ```
  aws detective disassociate-membership --graph-arn arn:aws:detective:us-east-1:111122223333:graph:123412341234
  ```
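The following Python is an added example, not code from the AWS documentation or the Detective service, and it ties together the three API-level procedures on this page: listing invitations, accepting or declining them, and disassociating a membership. The planning function works on the `Invitations` list that `ListInvitations` returns and decides, without calling AWS, which graph ARNs to accept (open invitations from an administrator account you expect), which to decline (open invitations from any other account), which memberships to resign from, and which accepted memberships are still **Not enabled** and why. The status strings `INVITED`, `ENABLED`, `ACCEPTED_BUT_DISABLED`, `VERIFICATION_IN_PROGRESS` and `VERIFICATION_FAILED`, the field names `GraphArn`, `AdministratorId`, `Status` and `DisabledReason`, and the sample response are taken from or modelled on the Detective API reference and are assumptions of this example; the sample data is constructed. `apply_plan` calls the `accept_invitation`, `reject_invitation` and `disassociate_membership` methods of the boto3 `detective` client, imported only when you turn off the default dry run.

```python
"""Plan and apply responses to Detective behavior graph invitations (added example, not AWS code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Member status values from the Detective API reference (assumed here). The console
# shows INVITED as "Invited", ENABLED as "Enabled" and the rest as "Not enabled".
OPEN = "INVITED"
ENABLED = "ENABLED"
NOT_ENABLED = {"ACCEPTED_BUT_DISABLED", "VERIFICATION_IN_PROGRESS", "VERIFICATION_FAILED"}

# Constructed sample in the shape of a ListInvitations response; the account IDs and
# graph IDs are placeholders in the format this page uses.
SAMPLE_RESPONSE = {
    "Invitations": [
        {"AccountId": "444455556666", "AdministratorId": "111122223333", "Status": "INVITED",
         "GraphArn": "arn:aws:detective:us-east-1:111122223333:graph:123412341234"},
        {"AccountId": "444455556666", "AdministratorId": "999999999999", "Status": "INVITED",
         "GraphArn": "arn:aws:detective:us-east-1:999999999999:graph:000000000000"},
        {"AccountId": "444455556666", "AdministratorId": "111122223333", "Status": "ACCEPTED_BUT_DISABLED",
         "DisabledReason": "VOLUME_TOO_HIGH",
         "GraphArn": "arn:aws:detective:us-east-1:111122223333:graph:567856785678"},
        {"AccountId": "444455556666", "AdministratorId": "777777777777", "Status": "ENABLED",
         "GraphArn": "arn:aws:detective:us-east-1:777777777777:graph:111111111111"},
    ]
}


@dataclass
class Plan:
    accept: List[str] = field(default_factory=list)  # graph ARNs to accept
    reject: List[str] = field(default_factory=list)  # graph ARNs to decline
    resign: List[str] = field(default_factory=list)  # graph ARNs to disassociate from
    notes: List[str] = field(default_factory=list)   # status findings for the operator


def plan_responses(invitations: Iterable[Dict], trusted_admins: Iterable[str],
                   resign_from: Iterable[str] = ()) -> Plan:
    """Decide what to do with each invitation or membership.

    invitations:    the "Invitations" list from ListInvitations.
    trusted_admins: administrator account IDs you expect invitations from.
    resign_from:    graph ARNs of accepted memberships you intend to leave. Only
                    memberships by invitation can be resigned; an organization account
                    cannot disassociate from the organization behavior graph.
    """
    trusted, leaving = set(trusted_admins), set(resign_from)
    plan = Plan()
    for inv in invitations:
        arn, admin, status = inv["GraphArn"], inv["AdministratorId"], inv["Status"]
        if status == OPEN:
            # Only accept an invitation whose administrator account you recognise;
            # declining just removes it from your list and nothing is shared.
            (plan.accept if admin in trusted else plan.reject).append(arn)
        elif arn in leaving:
            plan.resign.append(arn)
        elif status in NOT_ENABLED:
            reason = inv.get("DisabledReason", status)
            plan.notes.append(f"{arn}: accepted but not enabled ({reason}); no data is contributed yet")
        elif status == ENABLED:
            plan.notes.append(f"{arn}: contributing data to administrator account {admin}")
    return plan


def apply_plan(plan: Plan, region: str = "us-east-1", dry_run: bool = True) -> List[Tuple[str, str]]:
    """Return the (boto3 method, graph ARN) calls the plan implies and, unless dry_run, make them."""
    calls = ([("accept_invitation", a) for a in plan.accept]
             + [("reject_invitation", a) for a in plan.reject]
             + [("disassociate_membership", a) for a in plan.resign])
    if not dry_run:
        import boto3  # imported lazily so planning works without the SDK installed
        client = boto3.client("detective", region_name=region)
        for method, arn in calls:
            getattr(client, method)(GraphArn=arn)
    return calls


if __name__ == "__main__":
    plan = plan_responses(SAMPLE_RESPONSE["Invitations"], trusted_admins={"111122223333"},
                          resign_from={"arn:aws:detective:us-east-1:777777777777:graph:111111111111"})
    for call in apply_plan(plan):  # dry run: prints what would be called
        print(*call)
    for note in plan.notes:
        print(note)
```

Replace `SAMPLE_RESPONSE` with the output of `aws detective list-invitations` (or `client.list_invitations()`, following `NextToken` if it is present) and review the dry-run output before calling `apply_plan(plan, dry_run=False)`; the administrator-account allowlist is what keeps your account from contributing data to a behavior graph you did not expect to join.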