All APIs
Amazon Detective logo

Amazon Detective

Amazon Detective

UpOpen Sourcecloudby Amazon Web Services62· JavaScript· MIT

Amazon Detective API automatically analyzes AWS logs (VPC Flow Logs, CloudTrail, GuardDuty) for security investigations — visualizes attack chains.

Visit site ↗Source ↗Health checked 12h ago
Use it when

Auto-ingests multiple AWS log types into a graph

Watch for

Requires GuardDuty enabled first

First check

EnableOrganizationAdminAccount (if using Organizations) → CreateGraph. Detective begins auto-ingesting logs.

Auth
CORS
No
HTTPS
Yes
Signup
?
Latency
43 ms
Protocol
REST
Pricing
Stars
62

Uptime · 30-day window

Probes: 30Uptime: 100%Avg latency: 48ms

GitHub activity

62JavaScriptMIT17 open issuesLast commit 155d ago
01

About this API

Detective is AWS's security investigation tool. After a security alert (GuardDuty says "this IAM role is behaving anomalously"), the next step is SOC investigation — what happened, where did the attacker enter, which resources were affected, what operations did the user perform. Traditional approach: manually search CloudTrail, VPC Flow Logs, sift through raw logs. Detective auto-ingests these logs into a graph database, correlating: "this IAM role was called 200 times by this IP in the past hour, accessing these S3 buckets, downloading these objects". Visualizes everything — investigation time drops from hours to minutes. Relationships: GuardDuty discovers, Security Hub aggregates, Detective investigates.

02

What you can build

  • 1Investigate incidents after GuardDuty alerts
  • 2Audit anomalous user behavior
  • 3Lateral movement analysis after intrusion
  • 4Forensic investigations for compliance
03

Strengths & limitations

Strengths

  • Auto-ingests multiple AWS log types into a graph
  • ML-based anomaly baseline detection
  • Visualizes attack chains, saving investigation time

Limitations

  • Requires GuardDuty enabled first
  • Charged by ingested data volume — costly for large accounts
04

Getting started

EnableOrganizationAdminAccount (if using Organizations) → CreateGraph. Detective begins auto-ingesting logs.

05

FAQ

Does Detective require GuardDuty to be enabled first?+

Yes. Detective is designed to work with GuardDuty and cannot currently be used standalone.

06

Technical details

CORS: NoHTTPS: YesSignup: ?Open source: Yes
Auth type
unknown
Pricing
unknown
Protocols
REST
SDKs
python, javascript, go, java, csharp
Response time
43 ms
Last health check
6/26/2026, 6:22:15 AM
07

Tags

awsdetectivesecurityforensicsinvestigation
08

More from Amazon Web Services

View all from Amazon Web Services →
Access Analyzer
62

AWS IAM Access Analyzer API analyzes IAM resource policies for over-privileged access or external access — proactively surfaces security risks.

Alexa For Business
62

Alexa for Business helps you use Alexa in your organization.

Amazon API Gateway
62

Amazon API Gateway helps developers deliver robust, secure, and scalable mobile and web application back ends.

Amazon AppConfig
62

Use AppConfig, a capability of Amazon Web Services Systems Manager, to create, manage, and quickly deploy application configurations.

Amazon Appflow
62

Welcome to the Amazon AppFlow API reference.

Amazon AppIntegrations Service
62

The Amazon AppIntegrations service enables you to configure and reuse connections to external applications.

Amazon AppStream
62

Amazon AppStream 2.0 API Reference.

Amazon Athena
62

Amazon Athena is an interactive query service that lets you use standard SQL to analyze data directly in Amazon S3.