2025/08/13 - Security Incident Response - 8 updated api methods
Changes: Added support for Organizational Unit-level Membership configuration and the ability to resume a cancelled membership.
{'items': {'relationshipStatus': {'Unassociated'}, 'relationshipType': {'Unrelated'}}}
Provides information on whether the supplied account IDs are associated with a membership.
See also: AWS API Documentation
Request Syntax
client.batch_get_member_account_details( membershipId='string', accountIds=[ 'string', ] )
membershipId (string) -- [REQUIRED]
Required element used in combination with BatchGetMemberAccountDetails to identify the membership ID to query.
accountIds (list) -- [REQUIRED]
Optional element to query the membership relationship status to a provided list of account IDs.
(string) --
dict
Response Syntax
{ 'items': [ { 'accountId': 'string', 'relationshipStatus': 'Associated'|'Disassociated'|'Unassociated', 'relationshipType': 'Organization'|'Unrelated' }, ], 'errors': [ { 'accountId': 'string', 'error': 'string', 'message': 'string' }, ] }
Response Structure
(dict) --
items (list) --
The response element providing responses for requests to GetMembershipAccountDetails.
(dict) --
accountId (string) --
relationshipStatus (string) --
relationshipType (string) --
errors (list) --
The response element providing error messages for requests to GetMembershipAccountDetails.
(dict) --
accountId (string) --
error (string) --
message (string) --
{'impactedAwsRegions': {'region': {'ap-east-2'}}}
Creates a new case.
See also: AWS API Documentation
Request Syntax
client.create_case( clientToken='string', resolverType='AWS'|'Self', title='string', description='string', engagementType='Security Incident'|'Investigation', reportedIncidentStartDate=datetime(2015, 1, 1), impactedAccounts=[ 'string', ], watchers=[ { 'email': 'string', 'name': 'string', 'jobTitle': 'string' }, ], threatActorIpAddresses=[ { 'ipAddress': 'string', 'userAgent': 'string' }, ], impactedServices=[ 'string', ], impactedAwsRegions=[ { 'region': 'af-south-1'|'ap-east-1'|'ap-east-2'|'ap-northeast-1'|'ap-northeast-2'|'ap-northeast-3'|'ap-south-1'|'ap-south-2'|'ap-southeast-1'|'ap-southeast-2'|'ap-southeast-3'|'ap-southeast-4'|'ap-southeast-5'|'ap-southeast-7'|'ca-central-1'|'ca-west-1'|'cn-north-1'|'cn-northwest-1'|'eu-central-1'|'eu-central-2'|'eu-north-1'|'eu-south-1'|'eu-south-2'|'eu-west-1'|'eu-west-2'|'eu-west-3'|'il-central-1'|'me-central-1'|'me-south-1'|'mx-central-1'|'sa-east-1'|'us-east-1'|'us-east-2'|'us-west-1'|'us-west-2' }, ], tags={ 'string': 'string' } )
clientToken (string) --
This field is autopopulated if not provided.
resolverType (string) -- [REQUIRED]
Required element used in combination with CreateCase to identify the resolver type.
title (string) -- [REQUIRED]
Required element used in combination with CreateCase to provide a title for the new case.
description (string) -- [REQUIRED]
Required element used in combination with CreateCase to provide a description for the new case.
engagementType (string) -- [REQUIRED]
Required element used in combination with CreateCase to provide an engagement type for the new case. Available engagement types include Security Incident | Investigation.
reportedIncidentStartDate (datetime) -- [REQUIRED]
Required element used in combination with CreateCase to provide an initial start date for the unauthorized activity.
impactedAccounts (list) -- [REQUIRED]
Required element used in combination with CreateCase to provide a list of impacted accounts.
(string) --
watchers (list) -- [REQUIRED]
Required element used in combination with CreateCase to provide a list of entities to receive notifications for case updates.
(dict) --
email (string) -- [REQUIRED]
name (string) --
jobTitle (string) --
threatActorIpAddresses (list) --
An optional element used in combination with CreateCase to provide a list of suspicious internet protocol addresses associated with unauthorized activity.
(dict) --
ipAddress (string) -- [REQUIRED]
userAgent (string) --
impactedServices (list) --
An optional element used in combination with CreateCase to provide a list of services impacted.
(string) --
impactedAwsRegions (list) --
An optional element used in combination with CreateCase to provide a list of impacted regions.
(dict) --
region (string) -- [REQUIRED]
tags (dict) --
An optional element used in combination with CreateCase to add customer specified tags to a case.
(string) --
(string) --
dict
Response Syntax
{ 'caseId': 'string' }
Response Structure
(dict) --
caseId (string) --
A response element providing responses for requests to CreateCase. This element responds with the case ID.
{'coverEntireOrganization': 'boolean'}
Creates a new membership.
See also: AWS API Documentation
Request Syntax
client.create_membership( clientToken='string', membershipName='string', incidentResponseTeam=[ { 'name': 'string', 'jobTitle': 'string', 'email': 'string' }, ], optInFeatures=[ { 'featureName': 'Triage', 'isEnabled': True|False }, ], tags={ 'string': 'string' }, coverEntireOrganization=True|False )
clientToken (string) --
This field is autopopulated if not provided.
membershipName (string) -- [REQUIRED]
Required element used in combination with CreateMembership to create a name for the membership.
incidentResponseTeam (list) -- [REQUIRED]
Required element used in combination with CreateMembership to add customer incident response team members and trusted partners to the membership.
(dict) --
name (string) -- [REQUIRED]
jobTitle (string) -- [REQUIRED]
email (string) -- [REQUIRED]
optInFeatures (list) --
Optional element to enable the monitoring and investigation opt-in features for the service.
(dict) --
featureName (string) -- [REQUIRED]
isEnabled (boolean) -- [REQUIRED]
tags (dict) --
Optional element for customer configured tags.
(string) --
(string) --
coverEntireOrganization (boolean) --
The coverEntireOrganization parameter is a boolean flag that determines whether the membership should be applied to the entire Amazon Web Services Organization. When set to true, the membership will be created for all accounts within the organization. When set to false, the membership will only be created for specified accounts.
This parameter is optional. If not specified, the default value is false.
If set to true: The membership will automatically include all existing and future accounts in the Amazon Web Services Organization.
If set to false: The membership will only apply to explicitly specified accounts.
dict
Response Syntax
{ 'membershipId': 'string' }
Response Structure
(dict) --
membershipId (string) --
Response element for CreateMembership providing the newly created membership ID.
{'impactedAwsRegions': {'region': {'ap-east-2'}}}
Returns the attributes of a case.
See also: AWS API Documentation
Request Syntax
client.get_case( caseId='string' )
caseId (string) -- [REQUIRED]
Required element for GetCase to identify the requested case ID.
dict
Response Syntax
{ 'title': 'string', 'caseArn': 'string', 'description': 'string', 'caseStatus': 'Submitted'|'Acknowledged'|'Detection and Analysis'|'Containment, Eradication and Recovery'|'Post-incident Activities'|'Ready to Close'|'Closed', 'engagementType': 'Security Incident'|'Investigation', 'reportedIncidentStartDate': datetime(2015, 1, 1), 'actualIncidentStartDate': datetime(2015, 1, 1), 'impactedAwsRegions': [ { 'region': 'af-south-1'|'ap-east-1'|'ap-east-2'|'ap-northeast-1'|'ap-northeast-2'|'ap-northeast-3'|'ap-south-1'|'ap-south-2'|'ap-southeast-1'|'ap-southeast-2'|'ap-southeast-3'|'ap-southeast-4'|'ap-southeast-5'|'ap-southeast-7'|'ca-central-1'|'ca-west-1'|'cn-north-1'|'cn-northwest-1'|'eu-central-1'|'eu-central-2'|'eu-north-1'|'eu-south-1'|'eu-south-2'|'eu-west-1'|'eu-west-2'|'eu-west-3'|'il-central-1'|'me-central-1'|'me-south-1'|'mx-central-1'|'sa-east-1'|'us-east-1'|'us-east-2'|'us-west-1'|'us-west-2' }, ], 'threatActorIpAddresses': [ { 'ipAddress': 'string', 'userAgent': 'string' }, ], 'pendingAction': 'Customer'|'None', 'impactedAccounts': [ 'string', ], 'watchers': [ { 'email': 'string', 'name': 'string', 'jobTitle': 'string' }, ], 'createdDate': datetime(2015, 1, 1), 'lastUpdatedDate': datetime(2015, 1, 1), 'closureCode': 'Investigation Completed'|'Not Resolved'|'False Positive'|'Duplicate', 'resolverType': 'AWS'|'Self', 'impactedServices': [ 'string', ], 'caseAttachments': [ { 'attachmentId': 'string', 'fileName': 'string', 'attachmentStatus': 'Verified'|'Failed'|'Pending', 'creator': 'string', 'createdDate': datetime(2015, 1, 1) }, ], 'closedDate': datetime(2015, 1, 1) }
Response Structure
(dict) --
title (string) --
Response element for GetCase that provides the case title.
caseArn (string) --
Response element for GetCase that provides the case ARN.
description (string) --
Response element for GetCase that provides contents of the case description.
caseStatus (string) --
Response element for GetCase that provides the case status. Options for statuses include Submitted | Detection and Analysis | Eradication, Containment and Recovery | Post-Incident Activities | Closed.
engagementType (string) --
Response element for GetCase that provides the engagement type. Options for engagement type include Active Security Event | Investigations.
reportedIncidentStartDate (datetime) --
Response element for GetCase that provides the customer provided incident start date.
actualIncidentStartDate (datetime) --
Response element for GetCase that provides the actual incident start date as identified by data analysis during the investigation.
impactedAwsRegions (list) --
Response element for GetCase that provides the impacted regions.
(dict) --
region (string) --
threatActorIpAddresses (list) --
Response element for GetCase that provides a list of suspicious IP addresses associated with unauthorized activity.
(dict) --
ipAddress (string) --
userAgent (string) --
pendingAction (string) --
Response element for GetCase that identifies whether the case is waiting on customer input.
impactedAccounts (list) --
Response element for GetCase that provides a list of impacted accounts.
(string) --
watchers (list) --
Response element for GetCase that provides a list of Watchers added to the case.
(dict) --
email (string) --
name (string) --
jobTitle (string) --
createdDate (datetime) --
Response element for GetCase that provides the date the case was created.
lastUpdatedDate (datetime) --
Response element for GetCase that provides the date a case was last modified.
closureCode (string) --
Response element for GetCase that provides the summary code for why a case was closed.
resolverType (string) --
Response element for GetCase that provides the current resolver types.
impactedServices (list) --
Response element for GetCase that provides a list of impacted services.
(string) --
caseAttachments (list) --
Response element for GetCase that provides a list of current case attachments.
(dict) --
attachmentId (string) --
fileName (string) --
attachmentStatus (string) --
creator (string) --
createdDate (datetime) --
closedDate (datetime) --
Response element for GetCase that provides the date a specified case was closed.
{'membershipAccountsConfigurations': {'coverEntireOrganization': 'boolean', 'organizationalUnits': ['string']}, 'region': {'ap-east-2'}}
Returns the attributes of a membership.
See also: AWS API Documentation
Request Syntax
client.get_membership( membershipId='string' )
membershipId (string) -- [REQUIRED]
Required element for GetMembership to identify the membership ID to query.
dict
Response Syntax
{ 'membershipId': 'string', 'accountId': 'string', 'region': 'af-south-1'|'ap-east-1'|'ap-east-2'|'ap-northeast-1'|'ap-northeast-2'|'ap-northeast-3'|'ap-south-1'|'ap-south-2'|'ap-southeast-1'|'ap-southeast-2'|'ap-southeast-3'|'ap-southeast-4'|'ap-southeast-5'|'ap-southeast-7'|'ca-central-1'|'ca-west-1'|'cn-north-1'|'cn-northwest-1'|'eu-central-1'|'eu-central-2'|'eu-north-1'|'eu-south-1'|'eu-south-2'|'eu-west-1'|'eu-west-2'|'eu-west-3'|'il-central-1'|'me-central-1'|'me-south-1'|'mx-central-1'|'sa-east-1'|'us-east-1'|'us-east-2'|'us-west-1'|'us-west-2', 'membershipName': 'string', 'membershipArn': 'string', 'membershipStatus': 'Active'|'Cancelled'|'Terminated', 'membershipActivationTimestamp': datetime(2015, 1, 1), 'membershipDeactivationTimestamp': datetime(2015, 1, 1), 'customerType': 'Standalone'|'Organization', 'numberOfAccountsCovered': 123, 'incidentResponseTeam': [ { 'name': 'string', 'jobTitle': 'string', 'email': 'string' }, ], 'optInFeatures': [ { 'featureName': 'Triage', 'isEnabled': True|False }, ], 'membershipAccountsConfigurations': { 'coverEntireOrganization': True|False, 'organizationalUnits': [ 'string', ] } }
Response Structure
(dict) --
membershipId (string) --
Response element for GetMembership that provides the queried membership ID.
accountId (string) --
Response element for GetMembership that provides the account configured to manage the membership.
region (string) --
Response element for GetMembership that provides the region configured to manage the membership.
membershipName (string) --
Response element for GetMembership that provides the configured membership name.
membershipArn (string) --
Response element for GetMembership that provides the membership ARN.
membershipStatus (string) --
Response element for GetMembership that provides the current membership status.
membershipActivationTimestamp (datetime) --
Response element for GetMembership that provides the configured membership activation timestamp.
membershipDeactivationTimestamp (datetime) --
Response element for GetMembership that provides the configured membership deactivation timestamp.
customerType (string) --
Response element for GetMembership that provides the configured membership type. Options include Standalone | Organizations.
numberOfAccountsCovered (integer) --
Response element for GetMembership that provides the number of accounts in the membership.
incidentResponseTeam (list) --
Response element for GetMembership that provides the configured membership incident response team members.
(dict) --
name (string) --
jobTitle (string) --
email (string) --
optInFeatures (list) --
Response element for GetMembership that indicates whether opt-in features have been enabled.
(dict) --
featureName (string) --
isEnabled (boolean) --
membershipAccountsConfigurations (dict) --
The membershipAccountsConfigurations field contains the configuration details for member accounts within the Amazon Web Services Organizations membership structure.
This field returns a structure containing information about:
Account configurations for member accounts
Membership settings and preferences
Account-level permissions and roles
coverEntireOrganization (boolean) --
The coverEntireOrganization field is a boolean value that determines whether the membership configuration applies to all accounts within an Amazon Web Services Organization.
When set to true, the configuration will be applied across all accounts in the organization. When set to false, the configuration will only apply to specifically designated accounts under the specified AWS Organizational Units.
organizationalUnits (list) --
A list of organizational unit IDs that follow the pattern ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}. These IDs represent the organizational units within an Amazon Web Services Organizations structure that are covered by the membership.
Each organizational unit ID in the list must:
Begin with the prefix 'ou-'
Contain between 4 and 32 alphanumeric characters in the first segment
Contain between 8 and 32 alphanumeric characters in the second segment
(string) --
{'items': {'region': {'ap-east-2'}}}
Returns the memberships that the calling principal can access.
See also: AWS API Documentation
Request Syntax
client.list_memberships( nextToken='string', maxResults=123 )
nextToken (string) --
An optional string that, if supplied, must be copied from the output of a previous call to ListMemberships. When provided in this manner, the API fetches the next page of results.
maxResults (integer) --
Request element for ListMemberships to limit the number of responses.
dict
Response Syntax
{ 'nextToken': 'string', 'items': [ { 'membershipId': 'string', 'accountId': 'string', 'region': 'af-south-1'|'ap-east-1'|'ap-east-2'|'ap-northeast-1'|'ap-northeast-2'|'ap-northeast-3'|'ap-south-1'|'ap-south-2'|'ap-southeast-1'|'ap-southeast-2'|'ap-southeast-3'|'ap-southeast-4'|'ap-southeast-5'|'ap-southeast-7'|'ca-central-1'|'ca-west-1'|'cn-north-1'|'cn-northwest-1'|'eu-central-1'|'eu-central-2'|'eu-north-1'|'eu-south-1'|'eu-south-2'|'eu-west-1'|'eu-west-2'|'eu-west-3'|'il-central-1'|'me-central-1'|'me-south-1'|'mx-central-1'|'sa-east-1'|'us-east-1'|'us-east-2'|'us-west-1'|'us-west-2', 'membershipArn': 'string', 'membershipStatus': 'Active'|'Cancelled'|'Terminated' }, ] }
Response Structure
(dict) --
nextToken (string) --
An optional string that, if supplied on subsequent calls to ListMemberships, allows the API to fetch the next page of results.
items (list) --
Request element for ListMemberships including the accountID, membershipARN, membershipID, membershipStatus, and region for each response.
(dict) --
membershipId (string) --
accountId (string) --
region (string) --
membershipArn (string) --
membershipStatus (string) --
{'impactedAwsRegionsToAdd': {'region': {'ap-east-2'}}, 'impactedAwsRegionsToDelete': {'region': {'ap-east-2'}}}
Updates an existing case.
See also: AWS API Documentation
Request Syntax
client.update_case( caseId='string', title='string', description='string', reportedIncidentStartDate=datetime(2015, 1, 1), actualIncidentStartDate=datetime(2015, 1, 1), engagementType='Security Incident'|'Investigation', watchersToAdd=[ { 'email': 'string', 'name': 'string', 'jobTitle': 'string' }, ], watchersToDelete=[ { 'email': 'string', 'name': 'string', 'jobTitle': 'string' }, ], threatActorIpAddressesToAdd=[ { 'ipAddress': 'string', 'userAgent': 'string' }, ], threatActorIpAddressesToDelete=[ { 'ipAddress': 'string', 'userAgent': 'string' }, ], impactedServicesToAdd=[ 'string', ], impactedServicesToDelete=[ 'string', ], impactedAwsRegionsToAdd=[ { 'region': 'af-south-1'|'ap-east-1'|'ap-east-2'|'ap-northeast-1'|'ap-northeast-2'|'ap-northeast-3'|'ap-south-1'|'ap-south-2'|'ap-southeast-1'|'ap-southeast-2'|'ap-southeast-3'|'ap-southeast-4'|'ap-southeast-5'|'ap-southeast-7'|'ca-central-1'|'ca-west-1'|'cn-north-1'|'cn-northwest-1'|'eu-central-1'|'eu-central-2'|'eu-north-1'|'eu-south-1'|'eu-south-2'|'eu-west-1'|'eu-west-2'|'eu-west-3'|'il-central-1'|'me-central-1'|'me-south-1'|'mx-central-1'|'sa-east-1'|'us-east-1'|'us-east-2'|'us-west-1'|'us-west-2' }, ], impactedAwsRegionsToDelete=[ { 'region': 'af-south-1'|'ap-east-1'|'ap-east-2'|'ap-northeast-1'|'ap-northeast-2'|'ap-northeast-3'|'ap-south-1'|'ap-south-2'|'ap-southeast-1'|'ap-southeast-2'|'ap-southeast-3'|'ap-southeast-4'|'ap-southeast-5'|'ap-southeast-7'|'ca-central-1'|'ca-west-1'|'cn-north-1'|'cn-northwest-1'|'eu-central-1'|'eu-central-2'|'eu-north-1'|'eu-south-1'|'eu-south-2'|'eu-west-1'|'eu-west-2'|'eu-west-3'|'il-central-1'|'me-central-1'|'me-south-1'|'mx-central-1'|'sa-east-1'|'us-east-1'|'us-east-2'|'us-west-1'|'us-west-2' }, ], impactedAccountsToAdd=[ 'string', ], impactedAccountsToDelete=[ 'string', ] )
caseId (string) -- [REQUIRED]
Required element for UpdateCase to identify the case ID for updates.
title (string) --
Optional element for UpdateCase to provide content for the title field.
description (string) --
Optional element for UpdateCase to provide content for the description field.
reportedIncidentStartDate (datetime) --
Optional element for UpdateCase to provide content for the customer reported incident start date field.
actualIncidentStartDate (datetime) --
Optional element for UpdateCase to provide content for the incident start date field.
engagementType (string) --
Optional element for UpdateCase to provide content for the engagement type field. Available engagement types include Security Incident | Investigation.
watchersToAdd (list) --
Optional element for UpdateCase to provide content to add additional watchers to a case.
(dict) --
email (string) -- [REQUIRED]
name (string) --
jobTitle (string) --
watchersToDelete (list) --
Optional element for UpdateCase to provide content to remove existing watchers from a case.
(dict) --
email (string) -- [REQUIRED]
name (string) --
jobTitle (string) --
threatActorIpAddressesToAdd (list) --
Optional element for UpdateCase to provide content to add additional suspicious IP addresses related to a case.
(dict) --
ipAddress (string) -- [REQUIRED]
userAgent (string) --
threatActorIpAddressesToDelete (list) --
Optional element for UpdateCase to provide content to remove suspicious IP addresses from a case.
(dict) --
ipAddress (string) -- [REQUIRED]
userAgent (string) --
impactedServicesToAdd (list) --
Optional element for UpdateCase to provide content to add services impacted.
(string) --
impactedServicesToDelete (list) --
Optional element for UpdateCase to provide content to remove services impacted.
(string) --
impactedAwsRegionsToAdd (list) --
Optional element for UpdateCase to provide content to add regions impacted.
(dict) --
region (string) -- [REQUIRED]
impactedAwsRegionsToDelete (list) --
Optional element for UpdateCase to provide content to remove regions impacted.
(dict) --
region (string) -- [REQUIRED]
impactedAccountsToAdd (list) --
Optional element for UpdateCase to provide content to add accounts impacted.
(string) --
impactedAccountsToDelete (list) --
Optional element for UpdateCase to provide content to add accounts impacted.
(string) --
dict
Response Syntax
{}
Response Structure
(dict) --
{'membershipAccountsConfigurationsUpdate': {'coverEntireOrganization': 'boolean', 'organizationalUnitsToAdd': ['string'], 'organizationalUnitsToRemove': ['string']}, 'undoMembershipCancellation': 'boolean'}
Updates membership configuration.
See also: AWS API Documentation
Request Syntax
client.update_membership( membershipId='string', membershipName='string', incidentResponseTeam=[ { 'name': 'string', 'jobTitle': 'string', 'email': 'string' }, ], optInFeatures=[ { 'featureName': 'Triage', 'isEnabled': True|False }, ], membershipAccountsConfigurationsUpdate={ 'coverEntireOrganization': True|False, 'organizationalUnitsToAdd': [ 'string', ], 'organizationalUnitsToRemove': [ 'string', ] }, undoMembershipCancellation=True|False )
membershipId (string) -- [REQUIRED]
Required element for UpdateMembership to identify the membership to update.
membershipName (string) --
Optional element for UpdateMembership to update the membership name.
incidentResponseTeam (list) --
Optional element for UpdateMembership to update the membership name.
(dict) --
name (string) -- [REQUIRED]
jobTitle (string) -- [REQUIRED]
email (string) -- [REQUIRED]
optInFeatures (list) --
Optional element for UpdateMembership to enable or disable opt-in features for the service.
(dict) --
featureName (string) -- [REQUIRED]
isEnabled (boolean) -- [REQUIRED]
membershipAccountsConfigurationsUpdate (dict) --
The membershipAccountsConfigurationsUpdate field in the UpdateMembershipRequest structure allows you to update the configuration settings for accounts within a membership.
This field is optional and contains a structure of type MembershipAccountsConfigurationsUpdate that specifies the updated account configurations for the membership.
coverEntireOrganization (boolean) --
The coverEntireOrganization field is a boolean value that determines whether the membership configuration should be applied across the entire Amazon Web Services Organization.
When set to true, the configuration will be applied to all accounts within the organization. When set to false, the configuration will only apply to specifically designated accounts.
organizationalUnitsToAdd (list) --
A list of organizational unit IDs to add to the membership configuration. Each organizational unit ID must match the pattern ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}.
The list must contain between 1 and 5 organizational unit IDs.
(string) --
organizationalUnitsToRemove (list) --
A list of organizational unit IDs to remove from the membership configuration. Each organizational unit ID must match the pattern ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}.
The list must contain between 1 and 5 organizational unit IDs per invocation of the API request.
(string) --
undoMembershipCancellation (boolean) --
The undoMembershipCancellation parameter is a boolean flag that indicates whether to reverse a previously requested membership cancellation. When set to true, this will revoke the cancellation request and maintain the membership status.
This parameter is optional and can be used in scenarios where you need to restore a membership that was marked for cancellation but hasn't been fully terminated yet.
If set to true, the cancellation request will be revoked.
If set to false, the service will throw a ValidationException.
dict
Response Syntax
{}
Response Structure
(dict) --
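The organizational unit constraints documented for GetMembership and UpdateMembership above (the ou-[0-9a-z]{4,32}-[a-z0-9]{8,32} pattern and the limit of 1 to 5 IDs per list per request) can be enforced client-side before any call is made. The following is an added example, not code from the AWS documentation: the helper names, the sample IDs and the membership ID are constructed, `client` is assumed to be a boto3 Security Incident Response client, and sending one OU list per request without coverEntireOrganization is an assumption.

```python
import re

# Pattern and per-request limit as stated in the parameter descriptions above.
OU_ID_RE = re.compile(r"ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}")
MAX_OUS_PER_CALL = 5


def validate_ou_ids(ou_ids):
    """Return de-duplicated OU IDs in input order; raise on any malformed ID."""
    seen, out = set(), []
    for ou in ou_ids:
        if not isinstance(ou, str) or not OU_ID_RE.fullmatch(ou):
            raise ValueError(f"malformed organizational unit ID: {ou!r}")
        if ou not in seen:
            seen.add(ou)
            out.append(ou)
    return out


def plan_ou_updates(membership_id, to_add=(), to_remove=()):
    """Build update_membership keyword arguments, at most 5 OU IDs per request."""
    add, remove = validate_ou_ids(to_add), validate_ou_ids(to_remove)
    overlap = set(add) & set(remove)
    if overlap:
        raise ValueError(f"OU IDs listed for both add and remove: {sorted(overlap)}")
    requests = []
    # Additions are planned first so coverage grows before anything is removed.
    for key, ids in (("organizationalUnitsToAdd", add),
                     ("organizationalUnitsToRemove", remove)):
        for i in range(0, len(ids), MAX_OUS_PER_CALL):
            requests.append({
                "membershipId": membership_id,
                "membershipAccountsConfigurationsUpdate": {
                    key: ids[i:i + MAX_OUS_PER_CALL],
                },
            })
    return requests


def apply_updates(client, requests):
    """Send each planned request; `client` is assumed to be a boto3 client."""
    for req in requests:
        client.update_membership(**req)
    return len(requests)


def coverage_drift(membership, expected_ous):
    """Compare a get_membership response with the OUs that should be covered."""
    cfg = membership.get("membershipAccountsConfigurations") or {}
    entire_org = bool(cfg.get("coverEntireOrganization"))
    covered = set(cfg.get("organizationalUnits") or [])
    expected = set(validate_ou_ids(expected_ous))
    return {
        "entire_org": entire_org,
        # With organization-wide coverage no expected OU can be missing.
        "missing": [] if entire_org else sorted(expected - covered),
        "unexpected": sorted(covered - expected),
    }


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    sample_ous = [f"ou-ab12-cdef345{n}" for n in range(7)]
    for req in plan_ou_updates("m-constructed-example", to_add=sample_ous):
        print(req)
```

Running coverage_drift against the get_membership response after the updates confirms that the OUs the incident response team expects to be covered actually are.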