/*
* Copyright 2015-2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package com.amazonaws.services.detective;
import javax.annotation.Generated;
import com.amazonaws.*;
import com.amazonaws.regions.*;
import com.amazonaws.services.detective.model.*;
/**
* Interface for accessing Amazon Detective.
*
* Note: Do not directly implement this interface, new methods are added to it regularly. Extend from
* {@link com.amazonaws.services.detective.AbstractAmazonDetective} instead.
*
*
*
* Detective uses machine learning and purpose-built visualizations to help you analyze and investigate security issues
* across your Amazon Web Services (AWS) workloads. Detective automatically extracts time-based events such as login
* attempts, API calls, and network traffic from AWS CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow logs.
* It also extracts findings detected by Amazon GuardDuty.
*
*
* The Detective API primarily supports the creation and management of behavior graphs. A behavior graph contains the
* extracted data from a set of member accounts, and is created and managed by a master account.
*
*
* Every behavior graph is specific to a Region. You can only use the API to manage graphs that belong to the Region
* that is associated with the currently selected endpoint.
*
*
* A Detective master account can use the Detective API to do the following:
*
*
* -
*
* Enable and disable Detective. Enabling Detective creates a new behavior graph.
*
*
* -
*
* View the list of member accounts in a behavior graph.
*
*
* -
*
* Add member accounts to a behavior graph.
*
*
* -
*
* Remove member accounts from a behavior graph.
*
*
*
*
* A member account can use the Detective API to do the following:
*
*
* -
*
* View the list of behavior graphs that they are invited to.
*
*
* -
*
* Accept an invitation to contribute to a behavior graph.
*
*
* -
*
* Decline an invitation to contribute to a behavior graph.
*
*
* -
*
* Remove their account from a behavior graph.
*
*
*
*
* All API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.
*
*/
@Generated("com.amazonaws:aws-java-sdk-code-generator")
public interface AmazonDetective {
/**
* The region metadata service name for computing region endpoints. You can use this value to retrieve metadata
* (such as supported regions) of the service.
*
* @see RegionUtils#getRegionsForService(String)
*/
String ENDPOINT_PREFIX = "api.detective";
/**
*
* Accepts an invitation for the member account to contribute data to a behavior graph. This operation can only be
* called by an invited member account.
*
*
* The request provides the ARN of behavior graph.
*
*
* The member account status in the graph must be INVITED.
*
*
* @param acceptInvitationRequest
* @return Result of the AcceptInvitation operation returned by the service.
* @throws ConflictException
* The request attempted an invalid action.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ResourceNotFoundException
* The request refers to a nonexistent resource.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.AcceptInvitation
* @see AWS API Documentation
*/
AcceptInvitationResult acceptInvitation(AcceptInvitationRequest acceptInvitationRequest);
/**
*
* Creates a new behavior graph for the calling account, and sets that account as the master account. This operation
* is called by the account that is enabling Detective.
*
*
* Before you try to enable Detective, make sure that your account has been enrolled in Amazon GuardDuty for at
* least 48 hours. If you do not meet this requirement, you cannot enable Detective. If you do meet the GuardDuty
* prerequisite, then when you make the request to enable Detective, it checks whether your data volume is within
* the Detective quota. If it exceeds the quota, then you cannot enable Detective.
*
*
* The operation also enables Detective for the calling account in the currently selected Region. It returns the ARN
* of the new behavior graph.
*
*
* CreateGraph triggers a process to create the corresponding data tables for the new behavior graph.
*
*
* An account can only be the master account for one behavior graph within a Region. If the same account calls
* CreateGraph again in the same Region, the call returns the ARN of the existing behavior graph. It does not
* create a new behavior graph.
*
*
* @param createGraphRequest
* @return Result of the CreateGraph operation returned by the service.
* @throws ConflictException
* The request attempted an invalid action.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ServiceQuotaExceededException
* This request cannot be completed for one of the following reasons.
*
* - The request would cause the number of member accounts in the behavior graph to exceed the maximum
* allowed. A behavior graph cannot have more than 1000 member accounts.
*
* - The request would cause the data rate for the behavior graph to exceed the maximum allowed.
*
* - Detective is unable to verify the data rate for the member account. This is usually because the member
* account is not enrolled in Amazon GuardDuty.
* @sample AmazonDetective.CreateGraph
* @see AWS API Documentation
*/
CreateGraphResult createGraph(CreateGraphRequest createGraphRequest);
/**
*
* Sends a request to invite the specified AWS accounts to be member accounts in the behavior graph. This operation
* can only be called by the master account for a behavior graph.
*
*
* CreateMembers verifies the accounts and then sends invitations to the verified accounts.
*
*
* The request provides the behavior graph ARN and the list of accounts to invite.
*
*
* The response separates the requested accounts into two lists:
*
* - The accounts that CreateMembers was able to start the verification for. This list includes member
* accounts that are being verified, that have passed verification and are being sent an invitation, and that have
* failed verification.
*
* - The accounts that CreateMembers was unable to process. This list includes accounts that were already
* invited to be member accounts in the behavior graph.
*
*
* @param createMembersRequest
* @return Result of the CreateMembers operation returned by the service.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ResourceNotFoundException
* The request refers to a nonexistent resource.
* @throws ValidationException
* The request parameters are invalid.
* @throws ServiceQuotaExceededException
* This request cannot be completed for one of the following reasons.
*
* - The request would cause the number of member accounts in the behavior graph to exceed the maximum
* allowed. A behavior graph cannot have more than 1000 member accounts.
*
* - The request would cause the data rate for the behavior graph to exceed the maximum allowed.
*
* - Detective is unable to verify the data rate for the member account. This is usually because the member
* account is not enrolled in Amazon GuardDuty.
* @sample AmazonDetective.CreateMembers
* @see AWS API Documentation
*/
CreateMembersResult createMembers(CreateMembersRequest createMembersRequest);
/**
*
* Disables the specified behavior graph and queues it to be deleted. This operation removes the graph from each
* member account's list of behavior graphs.
*
*
* DeleteGraph can only be called by the master account for a behavior graph.
*
*
* @param deleteGraphRequest
* @return Result of the DeleteGraph operation returned by the service.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ResourceNotFoundException
* The request refers to a nonexistent resource.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.DeleteGraph
* @see AWS API Documentation
*/
DeleteGraphResult deleteGraph(DeleteGraphRequest deleteGraphRequest);
/**
*
* Deletes one or more member accounts from the master account behavior graph. This operation can only be called by
* a Detective master account. That account cannot use DeleteMembers to delete its own account from
* the behavior graph. To disable a behavior graph, the master account uses the DeleteGraph API method.
*
*
* @param deleteMembersRequest
* @return Result of the DeleteMembers operation returned by the service.
* @throws ConflictException
* The request attempted an invalid action.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ResourceNotFoundException
* The request refers to a nonexistent resource.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.DeleteMembers
* @see AWS API Documentation
*/
DeleteMembersResult deleteMembers(DeleteMembersRequest deleteMembersRequest);
/**
*
* Removes the member account from the specified behavior graph. This operation can only be called by a member
* account that has the ENABLED status.
*
*
* @param disassociateMembershipRequest
* @return Result of the DisassociateMembership operation returned by the service.
* @throws ConflictException
* The request attempted an invalid action.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ResourceNotFoundException
* The request refers to a nonexistent resource.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.DisassociateMembership
* @see AWS API Documentation
*/
DisassociateMembershipResult disassociateMembership(DisassociateMembershipRequest disassociateMembershipRequest);
/**
*
* Returns the membership details for specified member accounts for a behavior graph.
*
*
* @param getMembersRequest
* @return Result of the GetMembers operation returned by the service.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ResourceNotFoundException
* The request refers to a nonexistent resource.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.GetMembers
* @see AWS API Documentation
*/
GetMembersResult getMembers(GetMembersRequest getMembersRequest);
/**
*
* Returns the list of behavior graphs that the calling account is a master of. This operation can only be called by
* a master account.
*
*
* Because an account can currently only be the master of one behavior graph within a Region, the results always
* contain a single graph.
*
*
* @param listGraphsRequest
* @return Result of the ListGraphs operation returned by the service.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.ListGraphs
* @see AWS API Documentation
*/
ListGraphsResult listGraphs(ListGraphsRequest listGraphsRequest);
/**
*
* Retrieves the list of open and accepted behavior graph invitations for the member account. This operation can
* only be called by a member account.
*
*
* Open invitations are invitations that the member account has not responded to.
*
*
* The results do not include behavior graphs for which the member account declined the invitation. The results also
* do not include behavior graphs that the member account resigned from or was removed from.
*
*
* @param listInvitationsRequest
* @return Result of the ListInvitations operation returned by the service.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.ListInvitations
* @see AWS API Documentation
*/
ListInvitationsResult listInvitations(ListInvitationsRequest listInvitationsRequest);
/**
*
* Retrieves the list of member accounts for a behavior graph. Does not return member accounts that were removed
* from the behavior graph.
*
*
* @param listMembersRequest
* @return Result of the ListMembers operation returned by the service.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ResourceNotFoundException
* The request refers to a nonexistent resource.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.ListMembers
* @see AWS API Documentation
*/
ListMembersResult listMembers(ListMembersRequest listMembersRequest);
/**
*
* Rejects an invitation to contribute the account data to a behavior graph. This operation must be called by a
* member account that has the INVITED status.
*
*
* @param rejectInvitationRequest
* @return Result of the RejectInvitation operation returned by the service.
* @throws ConflictException
* The request attempted an invalid action.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ResourceNotFoundException
* The request refers to a nonexistent resource.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.RejectInvitation
* @see AWS API Documentation
*/
RejectInvitationResult rejectInvitation(RejectInvitationRequest rejectInvitationRequest);
/**
*
* Sends a request to enable data ingest for a member account that has a status of ACCEPTED_BUT_DISABLED.
*
*
* For valid member accounts, the status is updated as follows.
*
* - If Detective enabled the member account, then the new status is ENABLED.
*
* - If Detective cannot enable the member account, the status remains ACCEPTED_BUT_DISABLED.
*
*
* @param startMonitoringMemberRequest
* @return Result of the StartMonitoringMember operation returned by the service.
* @throws ConflictException
* The request attempted an invalid action.
* @throws InternalServerException
* The request was valid but failed because of a problem with the service.
* @throws ResourceNotFoundException
* The request refers to a nonexistent resource.
* @throws ServiceQuotaExceededException
* This request cannot be completed for one of the following reasons.
*
* - The request would cause the number of member accounts in the behavior graph to exceed the maximum
* allowed. A behavior graph cannot have more than 1000 member accounts.
*
* - The request would cause the data rate for the behavior graph to exceed the maximum allowed.
*
* - Detective is unable to verify the data rate for the member account. This is usually because the member
* account is not enrolled in Amazon GuardDuty.
* @throws ValidationException
* The request parameters are invalid.
* @sample AmazonDetective.StartMonitoringMember
* @see AWS API Documentation
*/
StartMonitoringMemberResult startMonitoringMember(StartMonitoringMemberRequest startMonitoringMemberRequest);
/**
* Shuts down this client object, releasing any resources that might be held open. This is an optional method, and
* callers are not expected to call it, but can if they want to explicitly release any open resources. Once a client
* has been shut down, it should not be used to make any more requests.
*/
void shutdown();
/**
* Returns additional metadata for a previously executed successful request, typically used for debugging issues
* where a service isn't acting as expected. This data isn't considered part of the result data returned by an
* operation, so it's available through this separate, diagnostic interface.
*
* Response metadata is only cached for a limited period of time, so if you need to access this extra diagnostic
* information for an executed request, you should use this method to retrieve it as soon as possible after
* executing a request.
*
* @param request
* The originally executed request.
*
* @return The response metadata for the specified request, or null if none is available.
*/
ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request);
}
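The enrollment workflow that the javadoc above describes in pieces (CreateGraph, CreateMembers with its two result lists, StartMonitoringMember for ACCEPTED_BUT_DISABLED members, and the member-side ListInvitations / AcceptInvitation / RejectInvitation calls) as one added example. This is not code from the AWS SDK or from Amazon; it is an illustration written against the interface on this page. It assumes the model classes and accessors of the com.amazonaws.services.detective.model package in this SDK version (Account, MemberDetail, UnprocessedAccount, the request/result pagination tokens and AmazonDetectiveClientBuilder), and the account ID, e-mail address and master account ID are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import com.amazonaws.regions.Regions;
import com.amazonaws.services.detective.AmazonDetective;
import com.amazonaws.services.detective.AmazonDetectiveClientBuilder;
import com.amazonaws.services.detective.model.*;

/** Added example driver for the Detective enrollment workflow; model class names are assumptions. */
public final class DetectiveEnrollment {

    private final AmazonDetective detective;

    public DetectiveEnrollment(AmazonDetective detective) {
        this.detective = detective;
    }

    /** Master side. CreateGraph is idempotent per account and Region: a repeat call returns the existing ARN. */
    public String enableDetective() {
        return detective.createGraph(new CreateGraphRequest()).getGraphArn();
    }

    /**
     * Master side. Invites accounts and returns accountId -> status for those that entered verification.
     * Accounts in the unprocessed list (for example, already invited) are reported, not retried.
     */
    public Map<String, String> inviteMembers(String graphArn, Map<String, String> accountIdToEmail) {
        List<Account> accounts = accountIdToEmail.entrySet().stream()
                .map(e -> new Account().withAccountId(e.getKey()).withEmailAddress(e.getValue()))
                .collect(Collectors.toList());
        CreateMembersResult result;
        try {
            result = detective.createMembers(new CreateMembersRequest()
                    .withGraphArn(graphArn)
                    .withAccounts(accounts)
                    .withMessage("Join the security team's Detective behavior graph"));
        } catch (ServiceQuotaExceededException e) {
            // 1000-member ceiling, graph data-rate ceiling, or a member that is not enrolled in GuardDuty
            throw new IllegalStateException("Detective quota check failed: " + e.getMessage(), e);
        }
        for (UnprocessedAccount u : result.getUnprocessedAccounts()) {
            System.err.println("not processed " + u.getAccountId() + ": " + u.getReason());
        }
        return result.getMembers().stream()
                .collect(Collectors.toMap(MemberDetail::getAccountId, MemberDetail::getStatus));
    }

    /** Master side. Re-requests ingest for members stuck in ACCEPTED_BUT_DISABLED; ListMembers is paginated. */
    public List<String> retryDisabledMembers(String graphArn) {
        List<String> retried = new ArrayList<>();
        ListMembersRequest req = new ListMembersRequest().withGraphArn(graphArn);
        ListMembersResult page;
        do {
            page = detective.listMembers(req);
            for (MemberDetail m : page.getMemberDetails()) {
                if ("ACCEPTED_BUT_DISABLED".equals(m.getStatus())) {
                    detective.startMonitoringMember(new StartMonitoringMemberRequest()
                            .withGraphArn(graphArn).withAccountId(m.getAccountId()));
                    retried.add(m.getAccountId());
                }
            }
            req.setNextToken(page.getNextToken());
        } while (page.getNextToken() != null);
        return retried;
    }

    /**
     * Member side. Accepts open invitations only from the expected master account and rejects the rest:
     * accepting ships this account's CloudTrail, VPC flow log and GuardDuty data to the graph owner.
     */
    public List<String> acceptInvitationsFrom(String expectedMasterId) {
        List<String> accepted = new ArrayList<>();
        ListInvitationsRequest req = new ListInvitationsRequest();
        ListInvitationsResult page;
        do {
            page = detective.listInvitations(req);
            for (MemberDetail inv : page.getInvitations()) {
                if (!"INVITED".equals(inv.getStatus())) {
                    continue; // ListInvitations also returns graphs this account already accepted
                }
                if (!expectedMasterId.equals(inv.getMasterId())) {
                    detective.rejectInvitation(new RejectInvitationRequest().withGraphArn(inv.getGraphArn()));
                    continue;
                }
                detective.acceptInvitation(new AcceptInvitationRequest().withGraphArn(inv.getGraphArn()));
                accepted.add(inv.getGraphArn());
            }
            req.setNextToken(page.getNextToken());
        } while (page.getNextToken() != null);
        return accepted;
    }

    public static void main(String[] args) {
        // Graphs are Region-specific, so the client's Region selects which graph the calls address.
        AmazonDetective client = AmazonDetectiveClientBuilder.standard().withRegion(Regions.US_EAST_1).build();
        DetectiveEnrollment enrollment = new DetectiveEnrollment(client);
        String graphArn = enrollment.enableDetective();
        // Constructed placeholder account ID and address; replace with real member accounts.
        Map<String, String> statuses = enrollment.inviteMembers(graphArn, Map.of("111122223333", "secops@example.com"));
        statuses.forEach((id, status) -> System.out.println(id + " -> " + status));
        System.out.println("retried: " + enrollment.retryDisabledMembers(graphArn));
    }
}
```

The master-side and member-side methods run under different credentials: the master account calls enableDetective, inviteMembers and retryDisabledMembers, while each invited account runs acceptInvitationsFrom with its own credentials. Checking the inviting master account ID before accepting is the one step a member account should never skip, because an accepted invitation from an unknown account would forward that member's log data to it, and every call here is itself recorded in CloudTrail for audit.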