
Amazon Detective Onboard a Behavior Graph with Member Accounts

Version 1.0.0

Create a new behavior graph and invite member accounts, then confirm their membership status.

1 workflow, 1 source API, 1 provider
Tags: Forensics, Investigation, Security, Arazzo Workflows

Provider

amazon-detective

Workflows

graph-onboard-members
Create a behavior graph, invite member accounts, and read back their membership details.
Creates a behavior graph, captures its ARN, invites the supplied member accounts into that graph, and then retrieves the membership records for the invited accounts. Branches on whether the create-members call returned any unprocessed accounts.
3 steps. Inputs: accountIds, accounts, message, tags. Outputs: graphArn, invitedMembers, memberDetails.

Steps:
1. createGraph (operation: createGraph): Create a new behavior graph for the calling account and capture the returned graph ARN for use by the subsequent steps.
2. inviteMembers (operation: createMembers): Invite the supplied AWS accounts to become member accounts in the newly created behavior graph.
3. confirmMembers (operation: getMembers): Read back the membership details for the invited accounts to confirm they were registered in the behavior graph and inspect their current status.

Source API Descriptions

detectiveApi: ../openapi/amazon-detective-openapi.yml (type: openapi)

Arazzo Workflow Specification

amazon-detective-graph-onboard-members-workflow.yml
arazzo: 1.0.1
info:
  title: Amazon Detective Onboard a Behavior Graph with Member Accounts
  summary: Create a new behavior graph and invite member accounts, then confirm their membership status.
  description: >-
    Stands up a fresh Amazon Detective behavior graph for the calling account
    and immediately invites one or more AWS member accounts to contribute data
    to it. After the invitations are sent the workflow reads back the membership
    details so the caller can confirm the invited accounts were registered and
    inspect their current status. Every step spells out its request inline so
    the flow can be read and executed without opening the underlying OpenAPI
    description.
  version: 1.0.0
sourceDescriptions:
- name: detectiveApi
  url: ../openapi/amazon-detective-openapi.yml
  type: openapi
workflows:
- workflowId: graph-onboard-members
  summary: Create a behavior graph, invite member accounts, and read back their membership details.
  description: >-
    Creates a behavior graph, captures its ARN, invites the supplied member
    accounts into that graph, and then retrieves the membership records for the
    invited accounts. Branches on whether the create-members call returned any
    unprocessed accounts.
  inputs:
    type: object
    required:
    - accounts
    properties:
      message:
        type: string
        description: The invitation message shown to the invited member accounts.
      tags:
        type: object
        description: Optional tag name/value pairs to apply to the new behavior graph.
      accounts:
        type: array
        description: The AWS accounts to invite, each with an AccountId and EmailAddress.
        items:
          type: object
          properties:
            AccountId:
              type: string
            EmailAddress:
              type: string
      accountIds:
        type: array
        description: The list of invited account identifiers used to read back membership details.
        items:
          type: string
  steps:
  - stepId: createGraph
    description: >-
      Create a new behavior graph for the calling account and capture the
      returned graph ARN for use by the subsequent steps.
    operationId: createGraph
    requestBody:
      contentType: application/json
      payload:
        Tags: $inputs.tags
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      graphArn: $response.body#/GraphArn
  - stepId: inviteMembers
    description: >-
      Invite the supplied AWS accounts to become member accounts in the newly
      created behavior graph.
    operationId: createMembers
    requestBody:
      contentType: application/json
      payload:
        GraphArn: $steps.createGraph.outputs.graphArn
        Message: $inputs.message
        Accounts: $inputs.accounts
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      members: $response.body#/Members
      unprocessedAccounts: $response.body#/UnprocessedAccounts
    onSuccess:
    - name: allInvited
      type: goto
      stepId: confirmMembers
      criteria:
      - context: $response.body
        condition: $.UnprocessedAccounts.length == 0
        type: jsonpath
    - name: someUnprocessed
      type: goto
      stepId: confirmMembers
      criteria:
      - context: $response.body
        condition: $.UnprocessedAccounts.length > 0
        type: jsonpath
  - stepId: confirmMembers
    description: >-
      Read back the membership details for the invited accounts to confirm they
      were registered in the behavior graph and inspect their current status.
    operationId: getMembers
    requestBody:
      contentType: application/json
      payload:
        GraphArn: $steps.createGraph.outputs.graphArn
        AccountIds: $inputs.accountIds
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      memberDetails: $response.body#/MemberDetails
      unresolvedAccounts: $response.body#/UnprocessedAccounts
  outputs:
    graphArn: $steps.createGraph.outputs.graphArn
    invitedMembers: $steps.inviteMembers.outputs.members
    memberDetails: $steps.confirmMembers.outputs.memberDetails
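The three-step flow the specification above describes, carried out in Python against an injectable client. This is an added example, not code from the workflow project or an AWS SDK sample. FakeDetectiveClient is a constructed in-memory stand-in whose method names, keyword arguments and response keys (GraphArn, Members, UnprocessedAccounts, MemberDetails) follow the CreateGraph, CreateMembers and GetMembers calls the spec references, so a boto3 Detective client can be passed in its place for the same three calls; the "INVITED" status and the rejection reason it returns are sample values. Two points differ from the spec on purpose and are labelled in the code: the spec's onSuccess branches (allInvited and someUnprocessed) both lead to confirmMembers, so an unprocessed account is only distinguishable by reading the outputs, and the example instead reports a per-account verdict; and the read-back account list is derived from the accounts actually invited rather than taken from a separate accountIds input, so the two cannot drift apart.

```python
"""Run the graph-onboard-members flow: create graph, invite members, confirm.

Works against any client exposing create_graph / create_members / get_members
with the Detective request and response shapes; the stand-in below is
constructed so the script runs offline.
"""


class FakeDetectiveClient:
    """Constructed stand-in for the Amazon Detective API (not the real SDK).

    Account IDs listed in `reject` are returned as UnprocessedAccounts by
    create_members, which is the case the spec's someUnprocessed branch names.
    """

    def __init__(self, reject=()):
        self.reject = set(reject)
        self.graphs = {}  # GraphArn -> {AccountId: member record}

    def create_graph(self, Tags=None):
        # Constructed ARN; a real call returns the ARN AWS assigns.
        arn = "arn:aws:detective:us-east-1:111122223333:graph:%032x" % (len(self.graphs) + 1)
        self.graphs[arn] = {}
        return {"GraphArn": arn}

    def create_members(self, GraphArn, Accounts, Message=""):
        members, unprocessed = [], []
        for acct in Accounts:
            if acct["AccountId"] in self.reject:
                unprocessed.append({"AccountId": acct["AccountId"],
                                    "Reason": "constructed: invitation could not be delivered"})
                continue
            record = {"AccountId": acct["AccountId"], "EmailAddress": acct["EmailAddress"],
                      "GraphArn": GraphArn, "Status": "INVITED"}  # sample status value
            self.graphs[GraphArn][acct["AccountId"]] = record
            members.append(record)
        return {"Members": members, "UnprocessedAccounts": unprocessed}

    def get_members(self, GraphArn, AccountIds):
        known = self.graphs[GraphArn]
        details = [known[a] for a in AccountIds if a in known]
        unprocessed = [{"AccountId": a, "Reason": "not a member"} for a in AccountIds if a not in known]
        return {"MemberDetails": details, "UnprocessedAccounts": unprocessed}


def onboard_members(client, accounts, message="", tags=None):
    """Execute the workflow steps in order and return its outputs plus a per-account verdict."""
    # Step 1: createGraph -> graphArn
    graph_arn = client.create_graph(Tags=tags or {})["GraphArn"]

    # Step 2: inviteMembers -> members, unprocessedAccounts
    invite = client.create_members(GraphArn=graph_arn, Message=message, Accounts=accounts)
    unprocessed = {u["AccountId"]: u.get("Reason", "") for u in invite["UnprocessedAccounts"]}

    # Step 3: confirmMembers. Deviation from the spec: the read-back list is derived
    # from the accounts just sent instead of a separate accountIds input.
    account_ids = [a["AccountId"] for a in accounts]
    confirm = client.get_members(GraphArn=graph_arn, AccountIds=account_ids)
    status_by_id = {m["AccountId"]: m["Status"] for m in confirm["MemberDetails"]}

    # Per-account verdict: the spec routes both branches to confirmMembers, so this
    # is where an operator learns which invitations did not land.
    verdict = {}
    for acct_id in account_ids:
        if acct_id in unprocessed:
            verdict[acct_id] = "unprocessed: " + unprocessed[acct_id]
        elif acct_id in status_by_id:
            verdict[acct_id] = status_by_id[acct_id]
        else:
            verdict[acct_id] = "missing from GetMembers"

    return {
        "graphArn": graph_arn,
        "invitedMembers": invite["Members"],
        "memberDetails": confirm["MemberDetails"],
        "verdict": verdict,
        "allInvited": not unprocessed,
    }


# Constructed sample input: two accounts; the stand-in client rejects the second.
SAMPLE_ACCOUNTS = [
    {"AccountId": "111111111111", "EmailAddress": "sec-a@example.com"},
    {"AccountId": "222222222222", "EmailAddress": "sec-b@example.com"},
]

if __name__ == "__main__":
    result = onboard_members(FakeDetectiveClient(reject={"222222222222"}),
                             SAMPLE_ACCOUNTS, message="constructed invitation")
    print(result["graphArn"])
    for acct_id, state in result["verdict"].items():
        print(acct_id, state)
```

Swapping in `boto3.client("detective")` for the stand-in leaves `onboard_members` unchanged; what the real service puts in Status (INVITED, then the verification states) is what the verdict will show.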