SDK for PHP 3.x

Client: Aws\SecurityIR\SecurityIRClient
Service ID: security-ir
Version: 2018-05-10

This page describes the parameters and results for the operations of the Security Incident Response (2018-05-10), and shows how to use the Aws\SecurityIR\SecurityIRClient object to call the described operations. This documentation is specific to the 2018-05-10 API version of the service.

Operation Summary

Each of the following operations can be created from a client using $client->getCommand('CommandName'), where "CommandName" is the name of one of the following operations. Note: a command is a value that encapsulates an operation and the parameters used to create an HTTP request.

You can also create and send a command immediately using the magic methods available on a client object: $client->commandName(/* parameters */). You can send the command asynchronously (returning a promise) by appending the word "Async" to the operation name: $client->commandNameAsync(/* parameters */).

BatchGetMemberAccountDetails ( array $params = [] )
Provides information on whether the supplied account IDs are associated with a membership.
CancelMembership ( array $params = [] )
Cancels an existing membership.
CloseCase ( array $params = [] )
Closes an existing case.
CreateCase ( array $params = [] )
Creates a new case.
CreateCaseComment ( array $params = [] )
Adds a comment to an existing case.
CreateMembership ( array $params = [] )
Creates a new membership.
GetCase ( array $params = [] )
Returns the attributes of a case.
GetCaseAttachmentDownloadUrl ( array $params = [] )
Returns a Pre-Signed URL for uploading attachments into a case.
GetCaseAttachmentUploadUrl ( array $params = [] )
Uploads an attachment to a case.
GetMembership ( array $params = [] )
Returns the attributes of a membership.
ListCaseEdits ( array $params = [] )
Views the case history for edits made to a designated case.
ListCases ( array $params = [] )
Lists all cases the requester has access to.
ListComments ( array $params = [] )
Returns comments for a designated case.
ListMemberships ( array $params = [] )
Returns the memberships that the calling principal can access.
ListTagsForResource ( array $params = [] )
Returns currently configured tags on a resource.
TagResource ( array $params = [] )
Adds a tag(s) to a designated resource.
UntagResource ( array $params = [] )
Removes a tag(s) from a designated resource.
UpdateCase ( array $params = [] )
Updates an existing case.
UpdateCaseComment ( array $params = [] )
Updates an existing case comment.
UpdateCaseStatus ( array $params = [] )
Updates the state transitions for a designated case.
UpdateMembership ( array $params = [] )
Updates membership configuration.
UpdateResolverType ( array $params = [] )
Updates the resolver type for a case.

Paginators

Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:

ListCaseEdits
ListCases
ListComments
ListMemberships

Operations

BatchGetMemberAccountDetails

$result = $client->batchGetMemberAccountDetails([/* ... */]);
$promise = $client->batchGetMemberAccountDetailsAsync([/* ... */]);

Provides information on whether the supplied account IDs are associated with a membership.

AWS account IDs may appear to have fewer than 12 characters and need to be zero-prepended. For example, 123123123 is nine digits and becomes 000123123123 when zero-prepended. Not zero-prepending to 12 digits could result in errors.

Parameter Syntax

$result = $client->batchGetMemberAccountDetails([
    'accountIds' => ['<string>', ...], // REQUIRED
    'membershipId' => '<string>', // REQUIRED
]);

Parameter Details

Members
accountIds
Required: Yes
Type: Array of strings

Optional element to query the membership relationship status to a provided list of account IDs.

AWS account IDs may appear to have fewer than 12 characters and need to be zero-prepended. For example, 123123123 is nine digits and becomes 000123123123 when zero-prepended. Not zero-prepending to 12 digits could result in errors.

membershipId
Required: Yes
Type: string

Required element used in combination with BatchGetMemberAccountDetails to identify the membership ID to query.

Result Syntax

[
    'errors' => [
        [
            'accountId' => '<string>',
            'error' => '<string>',
            'message' => '<string>',
        ],
        // ...
    ],
    'items' => [
        [
            'accountId' => '<string>',
            'relationshipStatus' => 'Associated|Disassociated|Unassociated',
            'relationshipType' => 'Organization|Unrelated',
        ],
        // ...
    ],
]

Result Details

Members
errors
Type: Array of GetMembershipAccountDetailError structures

The response element providing error messages for requests to GetMembershipAccountDetails.

items
Type: Array of GetMembershipAccountDetailItem structures

The response element providing responses for requests to GetMembershipAccountDetails.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke BatchGetMemberAccountDetails
$result = $client->batchGetMemberAccountDetails([
    'accountIds' => [
        '123412341234',
    ],
    'membershipId' => 'm-abcd1234efgh',
]);

Result syntax:

[
    'items' => [
        [
            'accountId' => '123412341234',
            'relationshipStatus' => 'Associated',
            'relationshipType' => 'Organization',
        ],
    ],
]
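
The following is an added example, not AWS sample code: it zero-prepends account IDs to 12 digits before calling BatchGetMemberAccountDetails and splits the documented result shape into covered accounts, uncovered accounts and per-account errors. The function names, the sample IDs and the error code in the sample response are constructed for illustration.

```php
<?php
// Added example (not AWS sample code); function names are hypothetical.

/** Normalize one account ID to the 12-digit, zero-prepended form. */
function normalizeAccountId(string|int $raw): string
{
    $id = trim((string) $raw);
    // Accept 1-12 ASCII digits only; \z avoids matching before a trailing newline.
    if (preg_match('/\A[0-9]{1,12}\z/', $id) !== 1) {
        throw new InvalidArgumentException('Not an AWS account ID: ' . var_export($raw, true));
    }
    return str_pad($id, 12, '0', STR_PAD_LEFT);
}

/** Normalize a list and drop duplicates that only differed by padding. */
function normalizeAccountIds(array $rawIds): array
{
    return array_values(array_unique(array_map('normalizeAccountId', $rawIds)));
}

/**
 * Split a result in the documented shape into three lists.
 * Lists are used instead of ID-keyed arrays because PHP silently casts
 * numeric string keys such as '123412341234' to integers.
 */
function summarizeCoverage(array $result): array
{
    $summary = ['covered' => [], 'notCovered' => [], 'errors' => []];
    foreach ($result['items'] ?? [] as $item) {
        $bucket = $item['relationshipStatus'] === 'Associated' ? 'covered' : 'notCovered';
        $summary[$bucket][] = [
            'accountId' => $item['accountId'],
            'status'    => $item['relationshipStatus'],
            'type'      => $item['relationshipType'] ?? null,
        ];
    }
    foreach ($result['errors'] ?? [] as $err) {
        $summary['errors'][] = [
            'accountId' => $err['accountId'],
            'reason'    => $err['error'] . ': ' . $err['message'],
        ];
    }
    return $summary;
}

/** Live call: requires the SDK and credentials; not executed below. */
function lookupCoverage(\Aws\SecurityIR\SecurityIRClient $client, string $membershipId, array $rawIds): array
{
    $result = $client->batchGetMemberAccountDetails([
        'accountIds'   => normalizeAccountIds($rawIds),
        'membershipId' => $membershipId,
    ]);
    return summarizeCoverage($result->toArray());
}

// Constructed input: IDs as they might arrive from a spreadsheet export,
// where leading zeros were lost and whitespace crept in.
print_r(normalizeAccountIds([123123123, '000123123123', ' 123412341234 ']));

// Constructed response in the page's Result Syntax shape.
$sample = [
    'items' => [
        ['accountId' => '123412341234', 'relationshipStatus' => 'Associated',   'relationshipType' => 'Organization'],
        ['accountId' => '000123123123', 'relationshipStatus' => 'Unassociated', 'relationshipType' => 'Unrelated'],
    ],
    'errors' => [
        ['accountId' => '999999999999', 'error' => 'EXAMPLE_ERROR_CODE', 'message' => 'constructed message'],
    ],
];
print_r(summarizeCoverage($sample));
```

Accounts that land in notCovered or errors are the ones to review before relying on the membership during an incident.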

CancelMembership

$result = $client->cancelMembership([/* ... */]);
$promise = $client->cancelMembershipAsync([/* ... */]);

Cancels an existing membership.

Parameter Syntax

$result = $client->cancelMembership([
    'membershipId' => '<string>', // REQUIRED
]);

Parameter Details

Members
membershipId
Required: Yes
Type: string

Required element used in combination with CancelMembershipRequest to identify the membership ID to cancel.

Result Syntax

[
    'membershipId' => '<string>',
]

Result Details

Members
membershipId
Required: Yes
Type: string

The response element providing responses for requests to CancelMembershipRequest.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke CancelMembership
$result = $client->cancelMembership([
    'membershipId' => 'm-abcd1234efgh',
]);

Result syntax:

[
    'membershipId' => 'm-abcd1234efgh',
]

CloseCase

$result = $client->closeCase([/* ... */]);
$promise = $client->closeCaseAsync([/* ... */]);

Closes an existing case.

Parameter Syntax

$result = $client->closeCase([
    'caseId' => '<string>', // REQUIRED
]);

Parameter Details

Members
caseId
Required: Yes
Type: string

Required element used in combination with CloseCase to identify the case ID to close.

Result Syntax

[
    'caseStatus' => 'Submitted|Acknowledged|Detection and Analysis|Containment, Eradication and Recovery|Post-incident Activities|Ready to Close|Closed',
    'closedDate' => <DateTime>,
]

Result Details

Members
caseStatus
Type: string

A response element providing responses for requests to CloseCase. This element responds Closed if successful.

closedDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

A response element providing responses for requests to CloseCase. This element responds with the ISO-8601 formatted timestamp of the moment when the case was closed.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke CloseCase
$result = $client->closeCase([
    'caseId' => '8403556009',
]);

Result syntax:

[
    'caseStatus' => 'Closed',
    'closedDate' => <DateTime>,
]

CreateCase

$result = $client->createCase([/* ... */]);
$promise = $client->createCaseAsync([/* ... */]);

Creates a new case.

Parameter Syntax

$result = $client->createCase([
    'clientToken' => '<string>',
    'description' => '<string>', // REQUIRED
    'engagementType' => 'Security Incident|Investigation', // REQUIRED
    'impactedAccounts' => ['<string>', ...], // REQUIRED
    'impactedAwsRegions' => [
        [
            'region' => 'af-south-1|ap-east-1|ap-east-2|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ap-southeast-5|ap-southeast-7|ca-central-1|ca-west-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|il-central-1|me-central-1|me-south-1|mx-central-1|sa-east-1|us-east-1|us-east-2|us-west-1|us-west-2', // REQUIRED
        ],
        // ...
    ],
    'impactedServices' => ['<string>', ...],
    'reportedIncidentStartDate' => <integer || string || DateTime>, // REQUIRED
    'resolverType' => 'AWS|Self', // REQUIRED
    'tags' => ['<string>', ...],
    'threatActorIpAddresses' => [
        [
            'ipAddress' => '<string>', // REQUIRED
            'userAgent' => '<string>',
        ],
        // ...
    ],
    'title' => '<string>', // REQUIRED
    'watchers' => [ // REQUIRED
        [
            'email' => '<string>', // REQUIRED
            'jobTitle' => '<string>',
            'name' => '<string>',
        ],
        // ...
    ],
]);

Parameter Details

Members
clientToken
Type: string

The clientToken field is an idempotency key used to ensure that repeated attempts for a single action will be ignored by the server during retries. A caller supplied unique ID (typically a UUID) should be provided.

description
Required: Yes
Type: string

Required element used in combination with CreateCase to provide a description for the new case.

engagementType
Required: Yes
Type: string

Required element used in combination with CreateCase to provide an engagement type for the new case. Available engagement types include Security Incident | Investigation.

impactedAccounts
Required: Yes
Type: Array of strings

Required element used in combination with CreateCase to provide a list of impacted accounts.

AWS account IDs may appear to have fewer than 12 characters and need to be zero-prepended. For example, 123123123 is nine digits and becomes 000123123123 when zero-prepended. Not zero-prepending to 12 digits could result in errors.

impactedAwsRegions
Type: Array of ImpactedAwsRegion structures

An optional element used in combination with CreateCase to provide a list of impacted regions.

impactedServices
Type: Array of strings

An optional element used in combination with CreateCase to provide a list of services impacted.

reportedIncidentStartDate
Required: Yes
Type: timestamp (string|DateTime or anything parsable by strtotime)

Required element used in combination with CreateCase to provide an initial start date for the unauthorized activity.

resolverType
Required: Yes
Type: string

Required element used in combination with CreateCase to identify the resolver type.

tags
Type: Associative array of custom strings keys (TagKey) to strings

An optional element used in combination with CreateCase to add customer specified tags to a case.

threatActorIpAddresses
Type: Array of ThreatActorIp structures

An optional element used in combination with CreateCase to provide a list of suspicious internet protocol addresses associated with unauthorized activity.

title
Required: Yes
Type: string

Required element used in combination with CreateCase to provide a title for the new case.

watchers
Required: Yes
Type: Array of Watcher structures

Required element used in combination with CreateCase to provide a list of entities to receive notifications for case updates.

Result Syntax

[
    'caseId' => '<string>',
]

Result Details

Members
caseId
Required: Yes
Type: string

A response element providing responses for requests to CreateCase. This element responds with the case ID.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke CreateCase
$result = $client->createCase([
    'description' => 'Case description',
    'engagementType' => 'Investigation',
    'impactedAccounts' => [
        '000000000000',
        '111111111111',
    ],
    'impactedAwsRegions' => [
        [
            'region' => 'ap-southeast-1',
        ],
    ],
    'impactedServices' => [
        'Amazon EC2',
        'Amazon EKS',
    ],
    'reportedIncidentStartDate' => <integer || string || DateTime>,
    'resolverType' => 'Self',
    'threatActorIpAddresses' => [
        [
            'ipAddress' => '192.168.192.168',
            'userAgent' => 'Browser',
        ],
    ],
    'title' => 'My sample case',
    'watchers' => [
        [
            'name' => 'Alice',
            'email' => 'alice@example.com',
            'jobTitle' => 'CEO',
        ],
        [
            'name' => 'Bob',
            'email' => 'bob@example.com',
            'jobTitle' => 'CFO',
        ],
    ],
]);
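
The following is an added example, not AWS sample code: it builds CreateCase parameters from a detection finding and derives clientToken deterministically from the finding's ID, so a re-delivered automation job presents the same idempotency key instead of a fresh random one. The function names, the namespace UUID and the layout of $finding are assumptions made for illustration.

```php
<?php
// Added example (not AWS sample code). Function names, the namespace UUID
// and the $finding layout are assumptions made for illustration.

const CASE_TOKEN_NAMESPACE = '6f1d2c3a-0000-4000-8000-000000000001'; // constructed

/** RFC 4122 version-5 (SHA-1, name-based) UUID: same inputs, same output. */
function uuidV5(string $namespaceUuid, string $name): string
{
    $ns = hex2bin(str_replace('-', '', $namespaceUuid));
    $bytes = substr(sha1($ns . $name, true), 0, 16);
    $bytes[6] = chr((ord($bytes[6]) & 0x0f) | 0x50); // version 5
    $bytes[8] = chr((ord($bytes[8]) & 0x3f) | 0x80); // RFC 4122 variant
    // 32 hex characters split into 8 groups of 4, joined as 8-4-4-4-12.
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($bytes), 4));
}

/** Build CreateCase parameters using only fields documented on this page. */
function buildCreateCaseParams(array $finding, array $watchers): array
{
    $ips = [];
    foreach ($finding['sourceIps'] ?? [] as $ip) {
        // Drop values that are not syntactically valid IPv4/IPv6 addresses.
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $ips[] = ['ipAddress' => $ip];
        }
    }

    $params = [
        // Stable per finding: a retried or re-queued job reuses the same key.
        'clientToken'      => uuidV5(CASE_TOKEN_NAMESPACE, $finding['id']),
        'title'            => $finding['title'],
        'description'      => $finding['summary'],
        'engagementType'   => 'Investigation',
        'resolverType'     => 'Self',
        // Zero-prepend to 12 digits, as the impactedAccounts description requires.
        'impactedAccounts' => array_map(
            fn ($a) => str_pad((string) $a, 12, '0', STR_PAD_LEFT),
            $finding['accounts']
        ),
        'impactedAwsRegions' => array_map(fn ($r) => ['region' => $r], $finding['regions']),
        'reportedIncidentStartDate' => new DateTime($finding['firstSeen'], new DateTimeZone('UTC')),
        'watchers'         => $watchers,
    ];
    if ($ips !== []) {
        $params['threatActorIpAddresses'] = $ips;
    }
    return $params;
}

/** Live call: requires the SDK and credentials; not executed below. */
function openCase(\Aws\SecurityIR\SecurityIRClient $client, array $params): string
{
    return $client->createCase($params)['caseId'];
}

// Constructed finding, as a detection pipeline might hand it over.
$finding = [
    'id'        => 'finding-0001',
    'title'     => 'My sample case',
    'summary'   => 'Case description',
    'accounts'  => [123123123, '111111111111'],
    'regions'   => ['ap-southeast-1'],
    'firstSeen' => '2025-01-15 08:30:00',
    'sourceIps' => ['192.168.192.168', 'not-an-ip'],
];
$watchers = [['email' => 'alice@example.com', 'name' => 'Alice', 'jobTitle' => 'CEO']];

$first  = buildCreateCaseParams($finding, $watchers);
$second = buildCreateCaseParams($finding, $watchers); // simulated re-delivery

var_dump($first['clientToken'] === $second['clientToken']);
print_r($first['impactedAccounts']);
print_r($first['threatActorIpAddresses']);
```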

CreateCaseComment

$result = $client->createCaseComment([/* ... */]);
$promise = $client->createCaseCommentAsync([/* ... */]);

Adds a comment to an existing case.

Parameter Syntax

$result = $client->createCaseComment([
    'body' => '<string>', // REQUIRED
    'caseId' => '<string>', // REQUIRED
    'clientToken' => '<string>',
]);

Parameter Details

Members
body
Required: Yes
Type: string

Required element used in combination with CreateCaseComment to add content for the new comment.

caseId
Required: Yes
Type: string

Required element used in combination with CreateCaseComment to specify a case ID.

clientToken
Type: string

The clientToken field is an idempotency key used to ensure that repeated attempts for a single action will be ignored by the server during retries. A caller supplied unique ID (typically a UUID) should be provided.

Result Syntax

[
    'commentId' => '<string>',
]

Result Details

Members
commentId
Required: Yes
Type: string

Response element indicating the new comment ID.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke CreateCaseComment
$result = $client->createCaseComment([
    'body' => 'Case comment body.',
    'caseId' => '8403556009',
]);

Result syntax:

[
    'commentId' => '000000',
]

CreateMembership

$result = $client->createMembership([/* ... */]);
$promise = $client->createMembershipAsync([/* ... */]);

Creates a new membership.

Parameter Syntax

$result = $client->createMembership([
    'clientToken' => '<string>',
    'coverEntireOrganization' => true || false,
    'incidentResponseTeam' => [ // REQUIRED
        [
            'email' => '<string>', // REQUIRED
            'jobTitle' => '<string>', // REQUIRED
            'name' => '<string>', // REQUIRED
        ],
        // ...
    ],
    'membershipName' => '<string>', // REQUIRED
    'optInFeatures' => [
        [
            'featureName' => 'Triage', // REQUIRED
            'isEnabled' => true || false, // REQUIRED
        ],
        // ...
    ],
    'tags' => ['<string>', ...],
]);

Parameter Details

Members
clientToken
Type: string

The clientToken field is an idempotency key used to ensure that repeated attempts for a single action will be ignored by the server during retries. A caller supplied unique ID (typically a UUID) should be provided.

coverEntireOrganization
Type: boolean

The coverEntireOrganization parameter is a boolean flag that determines whether the membership should be applied to the entire Amazon Web Services Organization. When set to true, the membership will be created for all accounts within the organization. When set to false, the membership will only be created for specified accounts.

This parameter is optional. If not specified, the default value is false.

  • If set to true: The membership will automatically include all existing and future accounts in the Amazon Web Services Organization.

  • If set to false: The membership will only apply to explicitly specified accounts.

incidentResponseTeam
Required: Yes
Type: Array of IncidentResponder structures

Required element used in combination with CreateMembership to add customer incident response team members and trusted partners to the membership.

membershipName
Required: Yes
Type: string

Required element used in combination with CreateMembership to create a name for the membership.

optInFeatures
Type: Array of OptInFeature structures

Optional element to enable the monitoring and investigation opt-in features for the service.

tags
Type: Associative array of custom strings keys (TagKey) to strings

Optional element for customer configured tags.

Result Syntax

[
    'membershipId' => '<string>',
]

Result Details

Members
membershipId
Required: Yes
Type: string

Response element for CreateMembership providing the newly created membership ID.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke CreateMembership
$result = $client->createMembership([
    'incidentResponseTeam' => [
        [
            'name' => 'Bob Jones',
            'email' => 'bob.jones@gmail.com',
            'jobTitle' => 'Security Responder',
        ],
        [
            'name' => 'Alice',
            'email' => 'alice@example.com',
            'jobTitle' => 'CEO',
        ],
    ],
    'membershipName' => 'Example Membership Name.',
    'optInFeatures' => [
        [
            'featureName' => 'Triage',
            'isEnabled' => true,
        ],
    ],
]);

Result syntax:

[
    'membershipId' => 'm-abcd1234efgh',
]

GetCase

$result = $client->getCase([/* ... */]);
$promise = $client->getCaseAsync([/* ... */]);

Returns the attributes of a case.

Parameter Syntax

$result = $client->getCase([
    'caseId' => '<string>', // REQUIRED
]);

Parameter Details

Members
caseId
Required: Yes
Type: string

Required element for GetCase to identify the requested case ID.

Result Syntax

[
    'actualIncidentStartDate' => <DateTime>,
    'caseArn' => '<string>',
    'caseAttachments' => [
        [
            'attachmentId' => '<string>',
            'attachmentStatus' => 'Verified|Failed|Pending',
            'createdDate' => <DateTime>,
            'creator' => '<string>',
            'fileName' => '<string>',
        ],
        // ...
    ],
    'caseStatus' => 'Submitted|Acknowledged|Detection and Analysis|Containment, Eradication and Recovery|Post-incident Activities|Ready to Close|Closed',
    'closedDate' => <DateTime>,
    'closureCode' => 'Investigation Completed|Not Resolved|False Positive|Duplicate',
    'createdDate' => <DateTime>,
    'description' => '<string>',
    'engagementType' => 'Security Incident|Investigation',
    'impactedAccounts' => ['<string>', ...],
    'impactedAwsRegions' => [
        [
            'region' => 'af-south-1|ap-east-1|ap-east-2|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ap-southeast-5|ap-southeast-7|ca-central-1|ca-west-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|il-central-1|me-central-1|me-south-1|mx-central-1|sa-east-1|us-east-1|us-east-2|us-west-1|us-west-2',
        ],
        // ...
    ],
    'impactedServices' => ['<string>', ...],
    'lastUpdatedDate' => <DateTime>,
    'pendingAction' => 'Customer|None',
    'reportedIncidentStartDate' => <DateTime>,
    'resolverType' => 'AWS|Self',
    'threatActorIpAddresses' => [
        [
            'ipAddress' => '<string>',
            'userAgent' => '<string>',
        ],
        // ...
    ],
    'title' => '<string>',
    'watchers' => [
        [
            'email' => '<string>',
            'jobTitle' => '<string>',
            'name' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
actualIncidentStartDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

Response element for GetCase that provides the actual incident start date as identified by data analysis during the investigation.

caseArn
Type: string

Response element for GetCase that provides the case ARN.

caseAttachments
Type: Array of CaseAttachmentAttributes structures

Response element for GetCase that provides a list of current case attachments.

caseStatus
Type: string

Response element for GetCase that provides the case status. Options for statuses include Submitted | Detection and Analysis | Eradication, Containment and Recovery | Post-Incident Activities | Closed

closedDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

Response element for GetCase that provides the date a specified case was closed.

closureCode
Type: string

Response element for GetCase that provides the summary code for why a case was closed.

createdDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

Response element for GetCase that provides the date the case was created.

description
Type: string

Response element for GetCase that provides contents of the case description.

engagementType
Type: string

Response element for GetCase that provides the engagement type. Options for engagement type include Active Security Event | Investigations

impactedAccounts
Type: Array of strings

Response element for GetCase that provides a list of impacted accounts.

impactedAwsRegions
Type: Array of ImpactedAwsRegion structures

Response element for GetCase that provides the impacted regions.

impactedServices
Type: Array of strings

Response element for GetCase that provides a list of impacted services.

lastUpdatedDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

Response element for GetCase that provides the date a case was last modified.

pendingAction
Type: string

Response element for GetCase that identifies whether the case is waiting on customer input.

reportedIncidentStartDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

Response element for GetCase that provides the customer provided incident start date.

resolverType
Type: string

Response element for GetCase that provides the current resolver types.

threatActorIpAddresses
Type: Array of ThreatActorIp structures

Response element for GetCase that provides a list of suspicious IP addresses associated with unauthorized activity.

title
Type: string

Response element for GetCase that provides the case title.

watchers
Type: Array of Watcher structures

Response element for GetCase that provides a list of Watchers added to the case.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke GetCase
$result = $client->getCase([
    'caseId' => '8403556009',
]);

Result syntax:

[
    'actualIncidentStartDate' => <DateTime>,
    'caseArn' => 'arn:aws:security-ir:us-west-1:123456789012:case/1234567890',
    'caseStatus' => 'Submitted',
    'createdDate' => <DateTime>,
    'description' => 'Case description',
    'engagementType' => 'Investigation',
    'impactedAccounts' => [
        '000000000000',
        '111111111111',
    ],
    'impactedAwsRegions' => [
        [
            'region' => 'ap-southeast-1',
        ],
    ],
    'impactedServices' => [
        'Amazon EC2',
        'Amazon EKS',
    ],
    'lastUpdatedDate' => <DateTime>,
    'pendingAction' => 'Customer',
    'reportedIncidentStartDate' => <DateTime>,
    'resolverType' => 'Self',
    'threatActorIpAddresses' => [
        [
            'ipAddress' => '192.168.192.168',
            'userAgent' => 'Browser',
        ],
    ],
    'title' => 'My sample case',
    'watchers' => [
        [
            'name' => 'Alice',
            'email' => 'alice@example.com',
            'jobTitle' => 'CEO',
        ],
        [
            'name' => 'Bob',
            'email' => 'bob@example.com',
            'jobTitle' => 'CFO',
        ],
    ],
]

GetCaseAttachmentDownloadUrl

$result = $client->getCaseAttachmentDownloadUrl([/* ... */]);
$promise = $client->getCaseAttachmentDownloadUrlAsync([/* ... */]);

Returns a Pre-Signed URL for uploading attachments into a case.

Parameter Syntax

$result = $client->getCaseAttachmentDownloadUrl([
    'attachmentId' => '<string>', // REQUIRED
    'caseId' => '<string>', // REQUIRED
]);

Parameter Details

Members
attachmentId
Required: Yes
Type: string

Required element for GetCaseAttachmentDownloadUrl to identify the attachment ID for downloading an attachment.

caseId
Required: Yes
Type: string

Required element for GetCaseAttachmentDownloadUrl to identify the case ID for downloading an attachment from.

Result Syntax

[
    'attachmentPresignedUrl' => '<string>',
]

Result Details

Members
attachmentPresignedUrl
Required: Yes
Type: string

Response element providing the Amazon S3 presigned URL to download an attachment.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke GetCaseAttachmentDownloadUrl
$result = $client->getCaseAttachmentDownloadUrl([
    'attachmentId' => '3C5A6B89-1DEF-4C2D-A5B6-123456789ABC',
    'caseId' => '8403556009',
]);

Result syntax:

[
    'attachmentPresignedUrl' => 'https://presignedurl.com',
]

GetCaseAttachmentUploadUrl

$result = $client->getCaseAttachmentUploadUrl([/* ... */]);
$promise = $client->getCaseAttachmentUploadUrlAsync([/* ... */]);

Uploads an attachment to a case.

Parameter Syntax

$result = $client->getCaseAttachmentUploadUrl([
    'caseId' => '<string>', // REQUIRED
    'clientToken' => '<string>',
    'contentLength' => <integer>, // REQUIRED
    'fileName' => '<string>', // REQUIRED
]);

Parameter Details

Members
caseId
Required: Yes
Type: string

Required element for GetCaseAttachmentUploadUrl to identify the case ID for uploading an attachment.

clientToken
Type: string

The clientToken field is an idempotency key used to ensure that repeated attempts for a single action will be ignored by the server during retries. A caller supplied unique ID (typically a UUID) should be provided.

contentLength
Required: Yes
Type: long (int|float)

Required element for GetCaseAttachmentUploadUrl to identify the size of the file attachment.

fileName
Required: Yes
Type: string

Required element for GetCaseAttachmentUploadUrl to identify the file name of the attachment to upload.

Result Syntax

[
    'attachmentPresignedUrl' => '<string>',
]

Result Details

Members
attachmentPresignedUrl
Required: Yes
Type: string

Response element providing the Amazon S3 presigned URL to upload the attachment.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke GetCaseAttachmentUploadUrl
$result = $client->getCaseAttachmentUploadUrl([
    'caseId' => '8403556009',
    'contentLength' => 1500,
    'fileName' => 'TestFileName',
]);

Result syntax:

[
    'attachmentPresignedUrl' => 'https://presignedurl.com',
]

GetMembership

$result = $client->getMembership([/* ... */]);
$promise = $client->getMembershipAsync([/* ... */]);

Returns the attributes of a membership.

Parameter Syntax

$result = $client->getMembership([
    'membershipId' => '<string>', // REQUIRED
]);

Parameter Details

Members
membershipId
Required: Yes
Type: string

Required element for GetMembership to identify the membership ID to query.

Result Syntax

[
    'accountId' => '<string>',
    'customerType' => 'Standalone|Organization',
    'incidentResponseTeam' => [
        [
            'email' => '<string>',
            'jobTitle' => '<string>',
            'name' => '<string>',
        ],
        // ...
    ],
    'membershipAccountsConfigurations' => [
        'coverEntireOrganization' => true || false,
        'organizationalUnits' => ['<string>', ...],
    ],
    'membershipActivationTimestamp' => <DateTime>,
    'membershipArn' => '<string>',
    'membershipDeactivationTimestamp' => <DateTime>,
    'membershipId' => '<string>',
    'membershipName' => '<string>',
    'membershipStatus' => 'Active|Cancelled|Terminated',
    'numberOfAccountsCovered' => <integer>,
    'optInFeatures' => [
        [
            'featureName' => 'Triage',
            'isEnabled' => true || false,
        ],
        // ...
    ],
    'region' => 'af-south-1|ap-east-1|ap-east-2|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ap-southeast-5|ap-southeast-7|ca-central-1|ca-west-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|il-central-1|me-central-1|me-south-1|mx-central-1|sa-east-1|us-east-1|us-east-2|us-west-1|us-west-2',
]

Result Details

Members
accountId
Type: string

Response element for GetMembership that provides the account configured to manage the membership.

customerType
Type: string

Response element for GetMembership that provides the configured membership type. Options include Standalone | Organizations.

incidentResponseTeam
Type: Array of IncidentResponder structures

Response element for GetMembership that provides the configured membership incident response team members.

membershipAccountsConfigurations

The membershipAccountsConfigurations field contains the configuration details for member accounts within the Amazon Web Services Organizations membership structure.

This field returns a structure containing information about:

  • Account configurations for member accounts

  • Membership settings and preferences

  • Account-level permissions and roles

membershipActivationTimestamp
Type: timestamp (string|DateTime or anything parsable by strtotime)

Response element for GetMembership that provides the configured membership activation timestamp.

membershipArn
Type: string

Response element for GetMembership that provides the membership ARN.

membershipDeactivationTimestamp
Type: timestamp (string|DateTime or anything parsable by strtotime)

Response element for GetMembership that provides the configured membership deactivation timestamp.

membershipId
Required: Yes
Type: string

Response element for GetMembership that provides the queried membership ID.

membershipName
Type: string

Response element for GetMembership that provides the configured membership name.

membershipStatus
Type: string

Response element for GetMembership that provides the current membership status.

numberOfAccountsCovered
Type: long (int|float)

Response element for GetMembership that provides the number of accounts in the membership.

optInFeatures
Type: Array of OptInFeature structures

Response element for GetMembership that indicates whether opt-in features have been enabled.

region
Type: string

Response element for GetMembership that provides the region configured to manage the membership.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke GetMembership
$result = $client->getMembership([
    'membershipId' => 'm-abcd1234efgh',
]);

Result syntax:

[
    'accountId' => '123412341234',
    'customerType' => 'Standalone',
    'incidentResponseTeam' => [
        [
            'name' => 'Bob Jones',
            'email' => 'bob.jones@gmail.com',
            'jobTitle' => 'Security Responder',
        ],
        [
            'name' => 'Alice',
            'email' => 'alice@example.com',
            'jobTitle' => 'CEO',
        ],
    ],
    'membershipActivationTimestamp' => <DateTime>,
    'membershipArn' => 'arn:aws:security-ir:us-west-1:123456789012:membership/m-abcd1234efgh',
    'membershipDeactivationTimestamp' => <DateTime>,
    'membershipId' => 'm-abcd1234efgh',
    'membershipName' => 'Example Membership',
    'membershipStatus' => 'Active',
    'numberOfAccountsCovered' => 50,
    'optInFeatures' => [
        [
            'featureName' => 'Triage',
            'isEnabled' => true,
        ],
    ],
    'region' => 'af-south-1',
]

ListCaseEdits

$result = $client->listCaseEdits([/* ... */]);
$promise = $client->listCaseEditsAsync([/* ... */]);

Views the case history for edits made to a designated case.

Parameter Syntax

$result = $client->listCaseEdits([
    'caseId' => '<string>', // REQUIRED
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
caseId
Required: Yes
Type: string

Required element used with ListCaseEdits to identify the case to query.

maxResults
Type: int

Optional element to identify how many results to obtain. There is a maximum value of 25.

nextToken
Type: string

An optional string that, if supplied, must be copied from the output of a previous call to ListCaseEdits. When provided in this manner, the API fetches the next page of results.

Result Syntax

[
    'items' => [
        [
            'action' => '<string>',
            'eventTimestamp' => <DateTime>,
            'message' => '<string>',
            'principal' => '<string>',
        ],
        // ...
    ],
    'nextToken' => '<string>',
    'total' => <integer>,
]

Result Details

Members
items
Type: Array of CaseEditItem structures

Response element for ListCaseEdits that includes the action, event timestamp, message, and principal for the response.

nextToken
Type: string

An optional string that, if supplied on subsequent calls to ListCaseEdits, allows the API to fetch the next page of results.

total
Type: int

Response element for ListCaseEdits that identifies the total number of edits.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke ListCaseEdits
$result = $client->listCaseEdits([
    'caseId' => '8403556009',
]);

Result syntax:

[
    'items' => [
        [
            'action' => 'Add comment',
            'eventTimestamp' => <DateTime>,
            'message' => 'Added comment to ask question to responder.',
            'principal' => '00000000000',
        ],
    ],
    'total' => 1,
]
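
The nextToken handling described under Parameter Details, written out as an added example (not part of the SDK documentation): it walks every page of ListCaseEdits and lists edits made by principals outside an expected set. The function names, the allow-list of principals and the two-page response are constructed for illustration, and the lower bound of 1 for maxResults is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Follow nextToken until ListCaseEdits is exhausted and return every item.
 *
 * $listCaseEdits is any callable that takes the ListCaseEdits parameter
 * array, e.g. fn (array $p) => $client->listCaseEdits($p).
 */
function collectCaseEdits(callable $listCaseEdits, string $caseId, int $pageSize = 25): array
{
    // The page documents a maximum of 25; the minimum of 1 is an assumption.
    if ($pageSize < 1 || $pageSize > 25) {
        throw new InvalidArgumentException('maxResults must be between 1 and 25');
    }

    $params = ['caseId' => $caseId, 'maxResults' => $pageSize];
    $edits = [];
    $seenTokens = [];

    do {
        $page = $listCaseEdits($params);
        foreach ($page['items'] ?? [] as $item) {
            $edits[] = $item;
        }

        $token = (string) ($page['nextToken'] ?? '');
        if ($token !== '') {
            // A token that comes back twice would loop forever; stop instead.
            if (isset($seenTokens[$token])) {
                throw new RuntimeException('ListCaseEdits returned the same nextToken twice');
            }
            $seenTokens[$token] = true;
            $params['nextToken'] = $token; // copied verbatim from the previous page
        }
    } while ($token !== '');

    return $edits;
}

/**
 * Group edits by principal, keeping only principals that are not in
 * $expectedPrincipals (a hypothetical allow-list kept by the response team).
 */
function editsByUnexpectedPrincipals(array $edits, array $expectedPrincipals): array
{
    $unexpected = [];
    foreach ($edits as $edit) {
        $principal = (string) ($edit['principal'] ?? '(missing)');
        if (!in_array($principal, $expectedPrincipals, true)) {
            $unexpected[$principal][] = $edit;
        }
    }
    return $unexpected;
}

// Constructed two-page response standing in for $client->listCaseEdits().
$fakeListCaseEdits = function (array $params): array {
    $pages = [
        '' => [
            'items' => [
                ['action' => 'Add comment', 'eventTimestamp' => new DateTimeImmutable('2025-01-10T09:00:00Z'),
                 'message' => 'Added comment to ask question to responder.', 'principal' => '111122223333'],
                ['action' => 'Add comment', 'eventTimestamp' => new DateTimeImmutable('2025-01-10T09:05:00Z'),
                 'message' => 'Constructed follow-up comment.', 'principal' => '111122223333'],
            ],
            'nextToken' => 'constructed-token-2',
            'total' => 3,
        ],
        'constructed-token-2' => [
            'items' => [
                ['action' => 'Add comment', 'eventTimestamp' => new DateTimeImmutable('2025-01-10T23:41:00Z'),
                 'message' => 'Constructed comment from another account.', 'principal' => '999900001111'],
            ],
            'total' => 3,
        ],
    ];
    return $pages[$params['nextToken'] ?? ''];
};

$edits = collectCaseEdits($fakeListCaseEdits, '8403556009', 2);
printf("%d edits collected\n", count($edits));

foreach (editsByUnexpectedPrincipals($edits, ['111122223333']) as $principal => $list) {
    foreach ($list as $edit) {
        printf(
            "unexpected principal %s at %s: %s (%s)\n",
            $principal,
            $edit['eventTimestamp']->format(DATE_ATOM),
            $edit['action'],
            $edit['message']
        );
    }
}
```

With a configured client, pass `fn (array $p) => $client->listCaseEdits($p)` as the first argument in place of the constructed closure.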

ListCases

$result = $client->listCases([/* ... */]);
$promise = $client->listCasesAsync([/* ... */]);

Lists all cases the requester has access to.

Parameter Syntax

$result = $client->listCases([
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
maxResults
Type: int

Optional element for ListCases to limit the number of responses.

nextToken
Type: string

An optional string that, if supplied, must be copied from the output of a previous call to ListCases. When provided in this manner, the API fetches the next page of results.

Result Syntax

[
    'items' => [
        [
            'caseArn' => '<string>',
            'caseId' => '<string>',
            'caseStatus' => 'Submitted|Acknowledged|Detection and Analysis|Containment, Eradication and Recovery|Post-incident Activities|Ready to Close|Closed',
            'closedDate' => <DateTime>,
            'createdDate' => <DateTime>,
            'engagementType' => 'Security Incident|Investigation',
            'lastUpdatedDate' => <DateTime>,
            'pendingAction' => 'Customer|None',
            'resolverType' => 'AWS|Self',
            'title' => '<string>',
        ],
        // ...
    ],
    'nextToken' => '<string>',
    'total' => <integer>,
]

Result Details

Members
items
Type: Array of ListCasesItem structures

Response element for ListCases that includes caseARN, caseID, caseStatus, closedDate, createdDate, engagementType, lastUpdatedDate, pendingAction, resolverType, and title for each response.

nextToken
Type: string

An optional string that, if supplied on subsequent calls to ListCases, allows the API to fetch the next page of results.

total
Type: long (int|float)

Response element for ListCases providing the total number of responses.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke ListCases
$result = $client->listCases([
    'maxResults' => 10,
]);

Result syntax:

[
    'items' => [
        [
            'caseArn' => 'arn:aws:security-ir:us-west-1:123456789012:case/1234567890',
            'caseId' => '8403556009',
            'caseStatus' => 'Acknowledged',
            'createdDate' => <DateTime>,
            'engagementType' => 'Security Incident',
            'lastUpdatedDate' => <DateTime>,
            'pendingAction' => 'None',
            'resolverType' => 'Self',
            'title' => 'Example case title',
        ],
    ],
    'total' => 1,
]

ListComments

$result = $client->listComments([/* ... */]);
$promise = $client->listCommentsAsync([/* ... */]);

Returns comments for a designated case.

Parameter Syntax

$result = $client->listComments([
    'caseId' => '<string>', // REQUIRED
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
caseId
Required: Yes
Type: string

Required element for ListComments to designate the case to query.

maxResults
Type: int

Optional element for ListComments to limit the number of responses.

nextToken
Type: string

An optional string that, if supplied, must be copied from the output of a previous call to ListComments. When provided in this manner, the API fetches the next page of results.

Result Syntax

[
    'items' => [
        [
            'body' => '<string>',
            'commentId' => '<string>',
            'createdDate' => <DateTime>,
            'creator' => '<string>',
            'lastUpdatedBy' => '<string>',
            'lastUpdatedDate' => <DateTime>,
        ],
        // ...
    ],
    'nextToken' => '<string>',
    'total' => <integer>,
]

Result Details

Members
items
Type: Array of ListCommentsItem structures

Response element for ListComments providing the body, commentID, createdDate, creator, lastUpdatedBy and lastUpdatedDate for each response.

nextToken
Type: string

An optional string that, if supplied on subsequent calls to ListComments, allows the API to fetch the next page of results.

total
Type: int

Response element for ListComments identifying the number of responses.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke ListComments
$result = $client->listComments([
    'caseId' => '8403556009',
]);

Result syntax:

[
    'items' => [
        [
            'body' => 'Case comment body.',
            'commentId' => '000000',
        ],
    ],
    'total' => 1,
]

ListMemberships

$result = $client->listMemberships([/* ... */]);
$promise = $client->listMembershipsAsync([/* ... */]);

Returns the memberships that the calling principal can access.

Parameter Syntax

$result = $client->listMemberships([
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
maxResults
Type: int

Request element for ListMemberships to limit the number of responses.

nextToken
Type: string

An optional string that, if supplied, must be copied from the output of a previous call to ListMemberships. When provided in this manner, the API fetches the next page of results.

Result Syntax

[
    'items' => [
        [
            'accountId' => '<string>',
            'membershipArn' => '<string>',
            'membershipId' => '<string>',
            'membershipStatus' => 'Active|Cancelled|Terminated',
            'region' => 'af-south-1|ap-east-1|ap-east-2|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ap-southeast-5|ap-southeast-7|ca-central-1|ca-west-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|il-central-1|me-central-1|me-south-1|mx-central-1|sa-east-1|us-east-1|us-east-2|us-west-1|us-west-2',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members
items
Type: Array of ListMembershipItem structures

Request element for ListMemberships including the accountID, membershipARN, membershipID, membershipStatus, and region for each response.

nextToken
Type: string

An optional string that, if supplied on subsequent calls to ListMemberships, allows the API to fetch the next page of results.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke ListMemberships
$result = $client->listMemberships([
    'maxResults' => 10,
]);

Result syntax:

[
    'items' => [
        [
            'accountId' => '123123123123',
            'membershipArn' => 'arn:aws:security-ir:us-west-1:123456789012:membership/m-abcd1234efgh',
            'membershipId' => 'm-abcd1234efgh',
            'membershipStatus' => 'Cancelled',
            'region' => 'af-south-1',
        ],
    ],
]

ListTagsForResource

$result = $client->listTagsForResource([/* ... */]);
$promise = $client->listTagsForResourceAsync([/* ... */]);

Returns currently configured tags on a resource.

Parameter Syntax

$result = $client->listTagsForResource([
    'resourceArn' => '<string>', // REQUIRED
]);

Parameter Details

Members
resourceArn
Required: Yes
Type: string

Required element for ListTagsForResource to provide the ARN to identify a specific resource.

Result Syntax

[
    'tags' => ['<string>', ...],
]

Result Details

Members
tags
Required: Yes
Type: Associative array of custom strings keys (TagKey) to strings

Response element for ListTagsForResource providing content for each configured tag.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ResourceNotFoundException:

ThrottlingException:

ConflictException:

InvalidTokenException:

Examples

Example 1: Invoke ListTagsForResource
$result = $client->listTagsForResource([
    'resourceArn' => 'arn:aws:security-ir:us-west-1:123456789012:membership/m-abcd1234efgh',
]);

Result syntax:

[
    'tags' => [
        'key' => 'example-tag-key',
        'value' => 'example-tag-value',
    ],
]

TagResource

$result = $client->tagResource([/* ... */]);
$promise = $client->tagResourceAsync([/* ... */]);

Adds one or more tags to a designated resource.

Parameter Syntax

$result = $client->tagResource([
    'resourceArn' => '<string>', // REQUIRED
    'tags' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
resourceArn
Required: Yes
Type: string

Required element for TagResource to identify the ARN for the resource to add a tag to.

tags
Required: Yes
Type: Associative array of custom strings keys (TagKey) to strings

Required element for ListTagsForResource to provide the content for a tag.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ResourceNotFoundException:

ThrottlingException:

ConflictException:

InvalidTokenException:

Examples

Example 1: Invoke TagResource
$result = $client->tagResource([
    'resourceArn' => 'arn:aws:security-ir:us-west-1:123456789012:membership/m-abcd1234efgh',
    'tags' => [
        'key' => 'example-tag-key',
        'value' => 'example-tag-value',
    ],
]);

Result syntax:

[
]

UntagResource

$result = $client->untagResource([/* ... */]);
$promise = $client->untagResourceAsync([/* ... */]);

Removes one or more tags from a designated resource.

Parameter Syntax

$result = $client->untagResource([
    'resourceArn' => '<string>', // REQUIRED
    'tagKeys' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
resourceArn
Required: Yes
Type: string

Required element for UnTagResource to identify the ARN for the resource to remove a tag from.

tagKeys
Required: Yes
Type: Array of strings

Required element for UnTagResource to identify the tags to remove.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ResourceNotFoundException:

ThrottlingException:

ConflictException:

InvalidTokenException:

Examples

Example 1: Invoke UntagResource
$result = $client->untagResource([
    'resourceArn' => 'arn:aws:security-ir:us-west-1:123456789012:membership/m-abcd1234efgh',
    'tagKeys' => [
        'example-tag-key',
    ],
]);

UpdateCase

$result = $client->updateCase([/* ... */]);
$promise = $client->updateCaseAsync([/* ... */]);

Updates an existing case.

Parameter Syntax

$result = $client->updateCase([
    'actualIncidentStartDate' => <integer || string || DateTime>,
    'caseId' => '<string>', // REQUIRED
    'description' => '<string>',
    'engagementType' => 'Security Incident|Investigation',
    'impactedAccountsToAdd' => ['<string>', ...],
    'impactedAccountsToDelete' => ['<string>', ...],
    'impactedAwsRegionsToAdd' => [
        [
            'region' => 'af-south-1|ap-east-1|ap-east-2|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ap-southeast-5|ap-southeast-7|ca-central-1|ca-west-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|il-central-1|me-central-1|me-south-1|mx-central-1|sa-east-1|us-east-1|us-east-2|us-west-1|us-west-2', // REQUIRED
        ],
        // ...
    ],
    'impactedAwsRegionsToDelete' => [
        [
            'region' => 'af-south-1|ap-east-1|ap-east-2|ap-northeast-1|ap-northeast-2|ap-northeast-3|ap-south-1|ap-south-2|ap-southeast-1|ap-southeast-2|ap-southeast-3|ap-southeast-4|ap-southeast-5|ap-southeast-7|ca-central-1|ca-west-1|cn-north-1|cn-northwest-1|eu-central-1|eu-central-2|eu-north-1|eu-south-1|eu-south-2|eu-west-1|eu-west-2|eu-west-3|il-central-1|me-central-1|me-south-1|mx-central-1|sa-east-1|us-east-1|us-east-2|us-west-1|us-west-2', // REQUIRED
        ],
        // ...
    ],
    'impactedServicesToAdd' => ['<string>', ...],
    'impactedServicesToDelete' => ['<string>', ...],
    'reportedIncidentStartDate' => <integer || string || DateTime>,
    'threatActorIpAddressesToAdd' => [
        [
            'ipAddress' => '<string>', // REQUIRED
            'userAgent' => '<string>',
        ],
        // ...
    ],
    'threatActorIpAddressesToDelete' => [
        [
            'ipAddress' => '<string>', // REQUIRED
            'userAgent' => '<string>',
        ],
        // ...
    ],
    'title' => '<string>',
    'watchersToAdd' => [
        [
            'email' => '<string>', // REQUIRED
            'jobTitle' => '<string>',
            'name' => '<string>',
        ],
        // ...
    ],
    'watchersToDelete' => [
        [
            'email' => '<string>', // REQUIRED
            'jobTitle' => '<string>',
            'name' => '<string>',
        ],
        // ...
    ],
]);

Parameter Details

Members
actualIncidentStartDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

Optional element for UpdateCase to provide content for the incident start date field.

caseId
Required: Yes
Type: string

Required element for UpdateCase to identify the case ID for updates.

description
Type: string

Optional element for UpdateCase to provide content for the description field.

engagementType
Type: string

Optional element for UpdateCase to provide content for the engagement type field. Available engagement types include Security Incident | Investigation.

impactedAccountsToAdd
Type: Array of strings

Optional element for UpdateCase to provide content to add accounts impacted.

AWS account IDs may appear with fewer than 12 digits and need to be zero-prepended. An example would be 123123123, which is nine digits, and with zero-prepend would be 000123123123. Not zero-prepending to 12 digits could result in errors.

impactedAccountsToDelete
Type: Array of strings

Optional element for UpdateCase to provide content to add accounts impacted.

AWS account IDs may appear with fewer than 12 digits and need to be zero-prepended. An example would be 123123123, which is nine digits, and with zero-prepend would be 000123123123. Not zero-prepending to 12 digits could result in errors.

impactedAwsRegionsToAdd
Type: Array of ImpactedAwsRegion structures

Optional element for UpdateCase to provide content to add regions impacted.

impactedAwsRegionsToDelete
Type: Array of ImpactedAwsRegion structures

Optional element for UpdateCase to provide content to remove regions impacted.

impactedServicesToAdd
Type: Array of strings

Optional element for UpdateCase to provide content to add services impacted.

impactedServicesToDelete
Type: Array of strings

Optional element for UpdateCase to provide content to remove services impacted.

reportedIncidentStartDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

Optional element for UpdateCase to provide content for the customer reported incident start date field.

threatActorIpAddressesToAdd
Type: Array of ThreatActorIp structures

Optional element for UpdateCase to provide content to add additional suspicious IP addresses related to a case.

threatActorIpAddressesToDelete
Type: Array of ThreatActorIp structures

Optional element for UpdateCase to provide content to remove suspicious IP addresses from a case.

title
Type: string

Optional element for UpdateCase to provide content for the title field.

watchersToAdd
Type: Array of Watcher structures

Optional element for UpdateCase to provide content to add additional watchers to a case.

watchersToDelete
Type: Array of Watcher structures

Optional element for UpdateCase to provide content to remove existing watchers from a case.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke UpdateCase
$result = $client->updateCase([
    'actualIncidentStartDate' => <integer || string || DateTime>,
    'caseId' => '8403556009',
    'description' => 'Case description',
    'engagementType' => 'Investigation',
    'impactedAccountsToAdd' => [
        '000000000000',
    ],
    'impactedAccountsToDelete' => [
        '111111111111',
    ],
    'impactedAwsRegionsToAdd' => [
        [
            'region' => 'ap-southeast-1',
        ],
    ],
    'impactedAwsRegionsToDelete' => [
        [
            'region' => 'us-east-1',
        ],
    ],
    'impactedServicesToAdd' => [
        'Amazon EC2',
    ],
    'impactedServicesToDelete' => [
        'Amazon EKS',
    ],
    'reportedIncidentStartDate' => <integer || string || DateTime>,
    'threatActorIpAddressesToAdd' => [
        [
            'ipAddress' => '190.160.190.160',
            'userAgent' => 'Browser',
        ],
    ],
    'threatActorIpAddressesToDelete' => [
        [
            'ipAddress' => '192.168.192.168',
            'userAgent' => 'Browser',
        ],
    ],
    'title' => 'My sample case',
    'watchersToAdd' => [
        [
            'name' => 'Same',
            'email' => 'Sam@example.com',
            'jobTitle' => 'CEO',
        ],
    ],
    'watchersToDelete' => [
        [
            'name' => 'Bob',
            'email' => 'bob@example.com',
            'jobTitle' => 'CFO',
        ],
    ],
]);

Result syntax:

[
]
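
The zero-prepend rule for impacted account IDs, applied before the request is built, as an added example that is not part of the SDK documentation. The helper names and the sample input are constructed; the IP check is a local syntax check only and assumes nothing about the service's own validation.

```php
<?php
declare(strict_types=1);

/**
 * Return a 12-digit account ID string, left-padding with zeros when a
 * spreadsheet, CSV export or integer cast has dropped them.
 */
function normalizeAccountId(int|string $raw): string
{
    $digits = trim((string) $raw);
    if ($digits === '' || !ctype_digit($digits) || strlen($digits) > 12) {
        throw new InvalidArgumentException("Not an AWS account ID: '{$digits}'");
    }
    return str_pad($digits, 12, '0', STR_PAD_LEFT);
}

/**
 * Check ThreatActorIp entries (ipAddress required, userAgent optional)
 * and drop exact duplicates.
 */
function normalizeThreatActorIps(array $entries): array
{
    $unique = [];
    foreach ($entries as $entry) {
        $ip = trim((string) ($entry['ipAddress'] ?? ''));
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException("Not an IP address: '{$ip}'");
        }
        $row = ['ipAddress' => $ip];
        if (($entry['userAgent'] ?? '') !== '') {
            $row['userAgent'] = (string) $entry['userAgent'];
        }
        // Same address with a different user agent is kept as separate evidence.
        $unique[$ip . '|' . ($row['userAgent'] ?? '')] = $row;
    }
    return array_values($unique);
}

/**
 * Build UpdateCase parameters that add impacted accounts and suspicious
 * IP addresses to an existing case. Empty lists are left out of the request.
 */
function buildImpactUpdate(string $caseId, array $accountIds, array $threatActorIps): array
{
    $params = ['caseId' => $caseId];

    $accounts = array_values(array_unique(array_map('normalizeAccountId', $accountIds)));
    if ($accounts !== []) {
        $params['impactedAccountsToAdd'] = $accounts;
    }

    $ips = normalizeThreatActorIps($threatActorIps);
    if ($ips !== []) {
        $params['threatActorIpAddressesToAdd'] = $ips;
    }

    return $params;
}

// Constructed input: account IDs as they might arrive from a ticket or export.
// 123123123 and '000123123123' are the same account once padded.
$params = buildImpactUpdate(
    '8403556009',
    [123123123, '000123123123', ' 444455556666 '],
    [
        ['ipAddress' => '203.0.113.10', 'userAgent' => 'Browser'],
        ['ipAddress' => '203.0.113.10', 'userAgent' => 'Browser'],
        ['ipAddress' => '203.0.113.25'],
    ]
);

echo json_encode($params, JSON_PRETTY_PRINT), "\n";
// With a configured client: $client->updateCase($params);
```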

UpdateCaseComment

$result = $client->updateCaseComment([/* ... */]);
$promise = $client->updateCaseCommentAsync([/* ... */]);

Updates an existing case comment.

Parameter Syntax

$result = $client->updateCaseComment([
    'body' => '<string>', // REQUIRED
    'caseId' => '<string>', // REQUIRED
    'commentId' => '<string>', // REQUIRED
]);

Parameter Details

Members
body
Required: Yes
Type: string

Required element for UpdateCaseComment to identify the content for the comment to be updated.

caseId
Required: Yes
Type: string

Required element for UpdateCaseComment to identify the case ID containing the comment to be updated.

commentId
Required: Yes
Type: string

Required element for UpdateCaseComment to identify the case ID to be updated.

Result Syntax

[
    'body' => '<string>',
    'commentId' => '<string>',
]

Result Details

Members
body
Type: string

Response element for UpdateCaseComment providing the updated comment content.

commentId
Required: Yes
Type: string

Response element for UpdateCaseComment providing the updated comment ID.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke UpdateCaseComment
$result = $client->updateCaseComment([
    'body' => 'Updated case comment.',
    'caseId' => '8403556009',
    'commentId' => '000000',
]);

Result syntax:

[
    'body' => 'Updated case comment.',
    'commentId' => '000000',
]

UpdateCaseStatus

$result = $client->updateCaseStatus([/* ... */]);
$promise = $client->updateCaseStatusAsync([/* ... */]);

Updates the state transitions for a designated case.

Self-managed: the following states are available for self-managed cases.

  • Submitted → Detection and Analysis

  • Detection and Analysis → Containment, Eradication, and Recovery

  • Detection and Analysis → Post-incident Activities

  • Containment, Eradication, and Recovery → Detection and Analysis

  • Containment, Eradication, and Recovery → Post-incident Activities

  • Post-incident Activities → Containment, Eradication, and Recovery

  • Post-incident Activities → Detection and Analysis

  • Any → Closed

AWS supported: You must use the CloseCase API to close.

Parameter Syntax

$result = $client->updateCaseStatus([
    'caseId' => '<string>', // REQUIRED
    'caseStatus' => 'Submitted|Detection and Analysis|Containment, Eradication and Recovery|Post-incident Activities', // REQUIRED
]);

Parameter Details

Members
caseId
Required: Yes
Type: string

Required element for UpdateCaseStatus to identify the case to update.

caseStatus
Required: Yes
Type: string

Required element for UpdateCaseStatus to identify the status for a case. Options include Submitted | Detection and Analysis | Containment, Eradication and Recovery | Post-incident Activities.

Result Syntax

[
    'caseStatus' => 'Submitted|Detection and Analysis|Containment, Eradication and Recovery|Post-incident Activities',
]

Result Details

Members
caseStatus
Type: string

Response element for UpdateCaseStatus showing the newly configured status.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke UpdateCaseStatus
$result = $client->updateCaseStatus([
    'caseId' => '8403556009',
    'caseStatus' => 'Post-incident Activities',
]);

Result syntax:

[
    'caseStatus' => 'Post-incident Activities',
]
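
The self-managed transition list above, as a local check to run before calling UpdateCaseStatus. This is an added example, not part of the SDK documentation; the function names are hypothetical. Status strings use the spelling from Parameter Syntax ('Containment, Eradication and Recovery', without the second comma that the prose list uses).

```php
<?php
declare(strict_types=1);

// caseStatus values accepted by UpdateCaseStatus, spelled as in Parameter Syntax.
const UPDATE_CASE_STATUS_VALUES = [
    'Submitted',
    'Detection and Analysis',
    'Containment, Eradication and Recovery',
    'Post-incident Activities',
];

// Self-managed transitions from the list on this page (current => allowed targets).
const SELF_MANAGED_TRANSITIONS = [
    'Submitted' => ['Detection and Analysis'],
    'Detection and Analysis' => ['Containment, Eradication and Recovery', 'Post-incident Activities'],
    'Containment, Eradication and Recovery' => ['Detection and Analysis', 'Post-incident Activities'],
    'Post-incident Activities' => ['Containment, Eradication and Recovery', 'Detection and Analysis'],
];

// Lower-case and ignore commas and spacing, so near-miss spellings can be matched.
function canonicalStatus(string $status): string
{
    return strtolower(trim((string) preg_replace('/[\s,]+/', ' ', $status)));
}

/**
 * For a self-managed case (resolverType 'Self'), return null when the
 * requested status may be sent, otherwise the reason it should not be.
 */
function selfManagedStatusProblem(string $current, string $target): ?string
{
    if ($target === 'Closed') {
        return "'Closed' is not a caseStatus value in Parameter Syntax; see the CloseCase operation";
    }

    if (!in_array($target, UPDATE_CASE_STATUS_VALUES, true)) {
        foreach (UPDATE_CASE_STATUS_VALUES as $valid) {
            if (canonicalStatus($valid) === canonicalStatus($target)) {
                return "unknown caseStatus '{$target}', the accepted spelling is '{$valid}'";
            }
        }
        return "unknown caseStatus '{$target}'";
    }

    // Statuses such as 'Acknowledged' or 'Closed' have no outgoing entry here.
    $allowed = SELF_MANAGED_TRANSITIONS[$current] ?? [];
    if (!in_array($target, $allowed, true)) {
        return "no self-managed transition from '{$current}' to '{$target}'";
    }

    return null;
}

// Constructed checks: [current status, requested status].
$requests = [
    ['Submitted', 'Detection and Analysis'],
    ['Submitted', 'Post-incident Activities'],
    ['Detection and Analysis', 'Containment, Eradication, and Recovery'],
    ['Post-incident Activities', 'Closed'],
];

foreach ($requests as [$current, $target]) {
    $problem = selfManagedStatusProblem($current, $target);
    printf("%s -> %s: %s\n", $current, $target, $problem ?? 'ok to send');
}
```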

UpdateMembership

$result = $client->updateMembership([/* ... */]);
$promise = $client->updateMembershipAsync([/* ... */]);

Updates membership configuration.

Parameter Syntax

$result = $client->updateMembership([
    'incidentResponseTeam' => [
        [
            'email' => '<string>', // REQUIRED
            'jobTitle' => '<string>', // REQUIRED
            'name' => '<string>', // REQUIRED
        ],
        // ...
    ],
    'membershipAccountsConfigurationsUpdate' => [
        'coverEntireOrganization' => true || false,
        'organizationalUnitsToAdd' => ['<string>', ...],
        'organizationalUnitsToRemove' => ['<string>', ...],
    ],
    'membershipId' => '<string>', // REQUIRED
    'membershipName' => '<string>',
    'optInFeatures' => [
        [
            'featureName' => 'Triage', // REQUIRED
            'isEnabled' => true || false, // REQUIRED
        ],
        // ...
    ],
    'undoMembershipCancellation' => true || false,
]);

Parameter Details

Members
incidentResponseTeam
Type: Array of IncidentResponder structures

Optional element for UpdateMembership to update the membership name.

membershipAccountsConfigurationsUpdate

The membershipAccountsConfigurationsUpdate field in the UpdateMembershipRequest structure allows you to update the configuration settings for accounts within a membership.

This field is optional and contains a structure of type MembershipAccountsConfigurationsUpdate that specifies the updated account configurations for the membership.

membershipId
Required: Yes
Type: string

Required element for UpdateMembership to identify the membership to update.

membershipName
Type: string

Optional element for UpdateMembership to update the membership name.

optInFeatures
Type: Array of OptInFeature structures

Optional element for UpdateMembership to enable or disable opt-in features for the service.

undoMembershipCancellation
Type: boolean

The undoMembershipCancellation parameter is a boolean flag that indicates whether to reverse a previously requested membership cancellation. When set to true, this will revoke the cancellation request and maintain the membership status.

This parameter is optional and can be used in scenarios where you need to restore a membership that was marked for cancellation but hasn't been fully terminated yet.

  • If set to true, the cancellation request will be revoked

  • If set to false, the service will throw a ValidationException.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke UpdateMembership
$result = $client->updateMembership([
    'incidentResponseTeam' => [
        [
            'name' => 'Bob Jones',
            'email' => 'bob.jones@gmail.com',
            'jobTitle' => 'Security Responder',
        ],
        [
            'name' => 'Alice',
            'email' => 'alice@example.com',
            'jobTitle' => 'CEO',
        ],
    ],
    'membershipId' => 'm-abcd1234efgh',
    'membershipName' => 'New membership name',
    'optInFeatures' => [
        [
            'featureName' => 'Triage',
            'isEnabled' => true,
        ],
    ],
]);

Result syntax:

[
]

UpdateResolverType

$result = $client->updateResolverType([/* ... */]);
$promise = $client->updateResolverTypeAsync([/* ... */]);

Updates the resolver type for a case.

This is a one-way action and cannot be reversed.

Parameter Syntax

$result = $client->updateResolverType([
    'caseId' => '<string>', // REQUIRED
    'resolverType' => 'AWS|Self', // REQUIRED
]);

Parameter Details

Members
caseId
Required: Yes
Type: string

Required element for UpdateResolverType to identify the case to update.

resolverType
Required: Yes
Type: string

Required element for UpdateResolverType to identify the new resolver.

Result Syntax

[
    'caseId' => '<string>',
    'caseStatus' => 'Submitted|Acknowledged|Detection and Analysis|Containment, Eradication and Recovery|Post-incident Activities|Ready to Close|Closed',
    'resolverType' => 'AWS|Self',
]

Result Details

Members
caseId
Required: Yes
Type: string

Response element for UpdateResolver identifying the case ID being updated.

caseStatus
Type: string

Response element for UpdateResolver identifying the current status of the case.

resolverType
Type: string

Response element for UpdateResolver identifying the current resolver of the case.

Errors

ServiceQuotaExceededException:

AccessDeniedException:

ValidationException:

SecurityIncidentResponseNotActiveException:

InternalServerException:

ThrottlingException:

ConflictException:

ResourceNotFoundException:

InvalidTokenException:

Examples

Example 1: Invoke UpdateResolverType
$result = $client->updateResolverType([
    'caseId' => '8403556009',
    'resolverType' => 'AWS',
]);

Result syntax:

[
    'caseId' => '8403556009',
    'caseStatus' => 'Detection and Analysis',
    'resolverType' => 'AWS',
]

Shapes

AccessDeniedException

Description

Members
message
Required: Yes
Type: string

The ID of the resource which led to the access denial.

CaseAttachmentAttributes

Description

Members
attachmentId
Required: Yes
Type: string

attachmentStatus
Required: Yes
Type: string

createdDate
Required: Yes
Type: timestamp (string|DateTime or anything parsable by strtotime)

creator
Required: Yes
Type: string

fileName
Required: Yes
Type: string

CaseEditItem

Description

Members
action
Type: string

eventTimestamp
Type: timestamp (string|DateTime or anything parsable by strtotime)

message
Type: string

principal
Type: string

ConflictException

Description

Members
message
Required: Yes
Type: string

The exception message.

resourceId
Required: Yes
Type: string

The ID of the conflicting resource.

resourceType
Required: Yes
Type: string

The type of the conflicting resource.

GetMembershipAccountDetailError

Description

Members
accountId
Required: Yes
Type: string

error
Required: Yes
Type: string

message
Required: Yes
Type: string

GetMembershipAccountDetailItem

Description

Members
accountId
Type: string

relationshipStatus
Type: string

relationshipType
Type: string

ImpactedAwsRegion

Description

Members
region
Required: Yes
Type: string

IncidentResponder

Description

Members
email
Required: Yes
Type: string

jobTitle
Required: Yes
Type: string

name
Required: Yes
Type: string

InternalServerException

Description

Members
message
Required: Yes
Type: string

The exception message.

retryAfterSeconds
Type: int

The number of seconds after which to retry the request.

InvalidTokenException

Description

Members
message
Required: Yes
Type: string

The exception message.

ListCasesItem

Description

Members
caseArn
Type: string

caseId
Required: Yes
Type: string

caseStatus
Type: string

closedDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

createdDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

engagementType
Type: string

lastUpdatedDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

pendingAction
Type: string

resolverType
Type: string

title
Type: string

ListCommentsItem

Description

Members
body
Type: string

commentId
Required: Yes
Type: string

createdDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

creator
Type: string

lastUpdatedBy
Type: string

lastUpdatedDate
Type: timestamp (string|DateTime or anything parsable by strtotime)

ListMembershipItem

Description

Members
accountId
Type: string

membershipArn
Type: string

membershipId
Required: Yes
Type: string

membershipStatus
Type: string

region
Type: string

MembershipAccountsConfigurations

Description

The MembershipAccountsConfigurations structure defines the configuration settings for managing membership accounts within Amazon Web Services.

This structure contains settings that determine how member accounts are configured and managed within your organization, including:

  • Account configuration preferences

  • Membership validation rules

  • Account access settings

You can use this structure to define and maintain standardized configurations across multiple member accounts in your organization.

Members
coverEntireOrganization
Type: boolean

The coverEntireOrganization field is a boolean value that determines whether the membership configuration applies to all accounts within an Amazon Web Services Organization.

When set to true, the configuration will be applied across all accounts in the organization. When set to false, the configuration will only apply to specifically designated accounts under the specified AWS Organizational Units.

organizationalUnits
Type: Array of strings

A list of organizational unit IDs that follow the pattern ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}. These IDs represent the organizational units within an Amazon Web Services Organizations structure that are covered by the membership.

Each organizational unit ID in the list must:

  • Begin with the prefix 'ou-'

  • Contain between 4 and 32 alphanumeric characters in the first segment

  • Contain between 8 and 32 alphanumeric characters in the second segment

MembershipAccountsConfigurationsUpdate

Description

The MembershipAccountsConfigurationsUpdate structure represents the configuration updates for member accounts within an Amazon Web Services organization.

This structure is used to modify existing account configurations and settings for members in the organization. When applying updates, ensure all required fields are properly specified to maintain account consistency.

Key considerations when using this structure:

  • All configuration changes are validated before being applied

  • Updates are processed asynchronously in the background

  • Configuration changes may take several minutes to propagate across all affected accounts

Members
coverEntireOrganization
Type: boolean

The coverEntireOrganization field is a boolean value that determines whether the membership configuration should be applied across the entire Amazon Web Services Organization.

When set to true, the configuration will be applied to all accounts within the organization. When set to false, the configuration will only apply to specifically designated accounts.

organizationalUnitsToAdd
Type: Array of strings

A list of organizational unit IDs to add to the membership configuration. Each organizational unit ID must match the pattern ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}.

The list must contain between 1 and 5 organizational unit IDs.

organizationalUnitsToRemove
Type: Array of strings

A list of organizational unit IDs to remove from the membership configuration. Each organizational unit ID must match the pattern ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}.

The list must contain between 1 and 5 organizational unit IDs per invocation of the API request.
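The constraints above (the ID pattern and the limit of 1 to 5 IDs per list per request) can be checked before any request is sent. The following is an added example, not part of the SDK or of the original page: buildOuUpdateBatches is a hypothetical helper, the sample IDs are constructed, and rejecting an ID that appears in both lists is an assumption rather than a documented rule.

```php
<?php
declare(strict_types=1);

// Pattern from this page, anchored with \A and \z: an unanchored match, or a
// trailing "$", would also accept IDs with extra text or a trailing newline.
const OU_ID_PATTERN = '/\Aou-[0-9a-z]{4,32}-[a-z0-9]{8,32}\z/';
const MAX_OUS_PER_REQUEST = 5; // each list holds between 1 and 5 IDs

/**
 * Hypothetical helper: validate OU IDs and split them into arrays shaped like
 * MembershipAccountsConfigurationsUpdate, one per request.
 */
function buildOuUpdateBatches(array $toAdd, array $toRemove): array
{
    foreach (array_merge($toAdd, $toRemove) as $id) {
        if (!is_string($id) || preg_match(OU_ID_PATTERN, $id) !== 1) {
            throw new InvalidArgumentException('Malformed OU ID: ' . var_export($id, true));
        }
    }
    $toAdd = array_values(array_unique($toAdd));
    $toRemove = array_values(array_unique($toRemove));
    // Assumption: the same OU in both lists is treated as a caller error.
    $overlap = array_intersect($toAdd, $toRemove);
    if ($overlap !== []) {
        throw new InvalidArgumentException('OU in both lists: ' . implode(', ', $overlap));
    }

    $batches = [];
    foreach (array_chunk($toAdd, MAX_OUS_PER_REQUEST) as $chunk) {
        $batches[] = ['organizationalUnitsToAdd' => $chunk];
    }
    foreach (array_chunk($toRemove, MAX_OUS_PER_REQUEST) as $chunk) {
        $batches[] = ['organizationalUnitsToRemove' => $chunk];
    }
    return $batches; // empty input lists produce no batch at all
}

// Constructed sample IDs, not real organizational units.
$add = ['ou-ab12-cdef3456', 'ou-ab12-11112222', 'ou-ab12-33334444',
        'ou-ab12-55556666', 'ou-ab12-77778888', 'ou-ab12-9999aaaa'];
$batches = buildOuUpdateBatches($add, ['ou-ab12-bbbbcccc']);
printf("%d request payloads prepared\n", count($batches));
```

Uppercase IDs such as OU-AB12-CDEF3456 are rejected, because the pattern only admits lowercase letters and digits.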

OptInFeature

Description

Members
featureName
Required: Yes
Type: string

isEnabled
Required: Yes
Type: boolean

ResourceNotFoundException

Description

Members
message
Required: Yes
Type: string

The exception message.

SecurityIncidentResponseNotActiveException

Description

Members
message
Required: Yes
Type: string

The exception message.

ServiceQuotaExceededException

Description

Members
message
Required: Yes
Type: string

The exception message.

quotaCode
Required: Yes
Type: string

The code of the quota.

resourceId
Required: Yes
Type: string

The ID of the requested resource which led to the service quota exception.

resourceType
Required: Yes
Type: string

The type of the requested resource which led to the service quota exception.

serviceCode
Required: Yes
Type: string

The service code of the quota.

ThreatActorIp

Description

Members
ipAddress
Required: Yes
Type: string

userAgent
Type: string

ThrottlingException

Description

Members
message
Required: Yes
Type: string

The exception message.

quotaCode
Type: string

The quota code of the exception.

retryAfterSeconds
Type: int

The number of seconds after which to retry the request.

serviceCode
Type: string

The service code of the exception.

ValidationException

Description

Members
fieldList
Type: Array of ValidationExceptionField structures

The fields which led to the exception.

message
Required: Yes
Type: string

The exception message.

reason
Required: Yes
Type: string

The reason for the exception.

ValidationExceptionField

Description

Members
message
Required: Yes
Type: string

name
Required: Yes
Type: string

Watcher

Description

Members
email
Required: Yes
Type: string

jobTitle
Type: string

name
Type: string