[ aws . securityhub ]
Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the master account. If you are integrated with Organizations, then the master account is the Security Hub administrator account that is designated by the organization management account.
CreateMembers
is always used to add accounts that are not organization members.
For accounts that are part of an organization, CreateMembers
is only used in the following cases:
Security Hub is not configured to automatically add new accounts in an organization.
The account was disassociated or deleted in Security Hub.
This action can only be used by an account that has Security Hub enabled. To enable Security Hub, you can use the `` EnableSecurityHub `` operation.
For accounts that are not organization members, you create the account association and then send an invitation to the member account. To send the invitation, you use the `` InviteMembers `` operation. If the account owner accepts the invitation, the account becomes a member account in Security Hub.
Accounts that are part of an organization do not receive an invitation. They automatically become a member account in Security Hub.
A permissions policy is added that permits the master account to view the findings generated in the member account. When Security Hub is enabled in a member account, findings are sent to both the member and master accounts.
To remove the association between the master and member accounts, use the `` DisassociateFromMasterAccount `` or `` DisassociateMembers `` operation.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
create-members
--account-details <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--account-details
(list)
The list of accounts to associate with the Security Hub master account. For each account, the list includes the account ID and optionally the email address.
(structure)
The details of an AWS account.
AccountId -> (string)
The ID of an AWS account.
Email -> (string)
The email of an AWS account.
Shorthand Syntax:
AccountId=string,Email=string ...
JSON Syntax:
[
{
"AccountId": "string",
"Email": "string"
}
...
]
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
To add accounts as member accounts
The following create-members
example adds two accounts as member accounts to the requesting master account.
aws securityhub create-members \
--account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
Output:
{
"UnprocessedAccounts": []
}
For more information, see Master and member accounts in the AWS Security Hub User Guide.
UnprocessedAccounts -> (list)
The list of AWS accounts that were not processed. For each account, the list includes the account ID and the email address.
(structure)
Details about the account that was not processed.
AccountId -> (string)
An AWS account ID of the account that was not processed.
ProcessingResult -> (string)
The reason that the account was not processed.