All APIs
Amazon Detective logo

Amazon Detective

Amazon Detective

UpOpen Sourcecloudby Amazon Web Services62· JavaScript· MIT

Amazon Detective API automatically analyzes AWS logs (VPC Flow Logs, CloudTrail, GuardDuty) for security investigations — visualizes attack chains.

Visit site ↗Source ↗Health checked 9h ago
Use it when

Auto-ingests multiple AWS log types into a graph

Watch for

Requires GuardDuty enabled first

First check

EnableOrganizationAdminAccount (if using Organizations) → CreateGraph. Detective begins auto-ingesting logs.

Auth
CORS
No
HTTPS
Yes
Signup
?
Latency
17 ms
Protocol
REST
Pricing
Stars
62

Uptime · 30-day window

Probes: 1Uptime: 100%Avg latency: 17ms

GitHub activity

62JavaScriptMIT17 open issuesLast commit 110d ago
01

About this API

Detective is AWS's security investigation tool. After a security alert (GuardDuty says "this IAM role is behaving anomalously"), the next step is SOC investigation — what happened, where did the attacker enter, which resources were affected, what operations did the user perform. Traditional approach: manually search CloudTrail, VPC Flow Logs, sift through raw logs. Detective auto-ingests these logs into a graph database, correlating: "this IAM role was called 200 times by this IP in the past hour, accessing these S3 buckets, downloading these objects". Visualizes everything — investigation time drops from hours to minutes. Relationships: GuardDuty discovers, Security Hub aggregates, Detective investigates.

02

What you can build

  • 1Investigate incidents after GuardDuty alerts
  • 2Audit anomalous user behavior
  • 3Lateral movement analysis after intrusion
  • 4Forensic investigations for compliance
03

Strengths & limitations

Strengths

  • Auto-ingests multiple AWS log types into a graph
  • ML-based anomaly baseline detection
  • Visualizes attack chains, saving investigation time

Limitations

  • Requires GuardDuty enabled first
  • Charged by ingested data volume — costly for large accounts
04

Example request

Generic template — replace <endpoint> with the real path from the docs.
curl https://github.com/mermade/aws2openapi/<endpoint>
05

Getting started

EnableOrganizationAdminAccount (if using Organizations) → CreateGraph. Detective begins auto-ingesting logs.

06

FAQ

Does Detective require GuardDuty to be enabled first?+

Yes. Detective is designed to work with GuardDuty and cannot currently be used standalone.

07

Technical details

CORS: NoHTTPS: YesSignup: ?Open source: Yes
Auth type
unknown
Pricing
unknown
Protocols
REST
SDKs
python, javascript, go, java, csharp
Response time
17 ms
Last health check
5/12/2026, 7:36:33 AM
08

Tags

awsdetectivesecurityforensicsinvestigation
09

More from Amazon Web Services

View all from Amazon Web Services →
Access Analyzer
62

AWS IAM Access Analyzer API analyzes IAM resource policies for over-privileged access or external access — proactively surfaces security risks.

Amazon Chime
62

Amazon Chime SDK API embeds real-time audio/video calling and chat into apps (meetings, messaging, PSTN calls).

Amazon CloudFront
62

Amazon CloudFront is the AWS CDN and edge service — accelerates static and dynamic content delivery, a standard for web performance.

Amazon CloudSearch
62

Amazon CloudSearch is AWS's managed search service (gradually superseded by OpenSearch Service).

Amazon CloudWatch Application Insights
62

CloudWatch Application Insights API auto-detects application problems — intelligently identifies anomalies (slow SQL queries, memory leaks), reducing manual alarm configuration.

Amazon Cognito Identity
62

AWS Cognito Identity Pools API issues temporary AWS credentials to frontend apps — identity federation, guest users, direct AWS resource access.

Amazon Cognito Identity Provider
62

Amazon Cognito User Pools deliver managed user signup, login, password reset, and MFA for applications.

Amazon Connect Contact Lens
62

Amazon Connect Contact Lens API uses AI to analyze Amazon Connect calls in real time — sentiment, keywords, compliance detection, auto-summary.