For Agents
Administer Amazon Detective behavior graphs, manage member accounts, and configure organization-wide enrolment for security investigations.
Get started with Amazon Detective in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"create a Detective behavior graph"
# → Jentic returns the CreateGraph tool (POST /graph) with its parameter schema; the agent executes it.
What an agent can do with the Amazon Detective API.
Create and decommission behavior graphs in a region with the CreateGraph and DeleteGraph operations
Invite, accept, decline, and remove member accounts to scope investigation data sources
List behavior graphs an account is invited to or already a member of, including their data source health
Configure organization-wide Detective administration via enableAdminAccount and describeOrganizationConfiguration
GET STARTED
Use for: Enable Amazon Detective in a new AWS region, Invite a member account into an existing behavior graph, List all behavior graphs this account is a member of, Check whether a member account has accepted its Detective invitation
Not supported: Does not handle log ingestion, threat detection rule authoring, or remediation actions — use for Detective behavior graph administration and membership management only.
Jentic publishes the only available OpenAPI specification for Amazon Detective, keeping it validated and agent-ready. Amazon Detective uses machine learning and graph analytics to help security teams investigate potential security issues across AWS workloads. The API manages behavior graphs that aggregate CloudTrail, VPC flow logs, and GuardDuty findings from a set of member accounts, and lets the administrator account invite, accept, and remove members, configure organization-wide enrolment, and apply tags. Use it when an agent or workflow needs to programmatically administer Detective behavior graphs across many AWS accounts.
Inspect data source package status for each member to verify Detective is ingesting CloudTrail, VPC flow, and GuardDuty data
Apply tags to behavior graphs for cost allocation and inventory tracking
Patterns agents use the Amazon Detective API for, each with a concrete task.
★ Stand Up a Multi-Account Behavior Graph
Enable Amazon Detective in the administrator account and add member accounts so investigation data from CloudTrail, VPC flow logs, and GuardDuty is consolidated into one behavior graph per region. CreateGraph creates the graph, CreateMembers sends invitations, and ListMembers tracks which accounts have accepted, giving security teams a single view of activity across the organization. Detective requires the administrator account to have had GuardDuty enabled for at least 48 hours before CreateGraph will succeed.
Call CreateGraph in the target region, then CreateMembers with the member account IDs and email addresses (at most 50 accounts per call; check UnprocessedAccounts in the response for rejected entries), and poll ListMembers until every member's Status is ENABLED. A Status of INVITED means the account has not yet accepted; VERIFICATION_FAILED means the supplied email address could not be verified against the account and the invitation must be re-sent with the correct address.
Automate Organization-Wide Onboarding
When using AWS Organizations, designate a delegated administrator for Detective via enableAdminAccount (called from the organization's management account) and configure auto-enrolment of new organization accounts. New accounts joining the organization are then added as members of the organization behavior graph without manual invitations, keeping coverage in step with the AWS estate as it grows.
Call enableAdminAccount with the delegated admin AccountId from the management account, then, as the delegated administrator, call updateOrganizationConfiguration with AutoEnable set to true for the graph; confirm the setting with describeOrganizationConfiguration.
Lifecycle Membership Cleanup
Remove decommissioned AWS accounts from active behavior graphs to keep investigation scope accurate. DeleteMembers removes members from the administrator side, and an invited account can call removeMembership (DisassociateMembership in the AWS API) to leave a graph it has joined. This keeps Detective coverage aligned with the live account inventory.
Call DeleteMembers on the administrator graph with the AccountIds of decommissioned accounts and verify they no longer appear in ListMembers.
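The two administrator-side procedures above (stand up a graph and wait for members to accept; reconcile membership against the live account inventory) as one added example. This is not code from the original page or from Jentic. The functions take a boto3-style Detective client (the object returned by boto3.client("detective")) so they run unchanged against AWS; FakeDetectiveClient is a constructed offline stand-in that mimics the CreateGraph, CreateMembers, ListMembers and DeleteMembers responses, throttles the first CreateMembers call once so the backoff path is exercised, and advances invitations towards ENABLED on each ListMembers poll. The account IDs and addresses are placeholders.

```python
"""Administer a Detective behavior graph: create it, invite members in batches,
poll until every invitation is terminal, then reconcile membership.
Added example; not from the original page or from Jentic."""
import time

MAX_ACCOUNTS_PER_CALL = 50  # CreateMembers/DeleteMembers accept at most 50 accounts per call
TERMINAL = {"ENABLED", "VERIFICATION_FAILED", "ACCEPTED_BUT_DISABLED"}

def _throttled(exc):
    """True for a botocore ClientError whose error code is ThrottlingException."""
    resp = getattr(exc, "response", None) or {}
    return resp.get("Error", {}).get("Code") == "ThrottlingException"

def call_with_backoff(fn, *, retries=5, base=0.1, **kw):
    """Invoke fn(**kw), retrying with exponential backoff when throttled."""
    for attempt in range(retries):
        try:
            return fn(**kw)
        except Exception as exc:
            if not _throttled(exc) or attempt == retries - 1:
                raise
            time.sleep(base * 2 ** attempt)

def list_member_statuses(client, graph_arn):
    """Return {account_id: Status} for every member, following NextToken pages."""
    statuses, kw = {}, {"GraphArn": graph_arn}
    while True:
        page = call_with_backoff(client.list_members, **kw)
        for m in page.get("MemberDetails", []):
            statuses[m["AccountId"]] = m["Status"]
        if not page.get("NextToken"):
            return statuses
        kw["NextToken"] = page["NextToken"]

def stand_up_graph(client, accounts, max_polls=10, poll_interval=0):
    """CreateGraph, invite accounts in batches of 50, then poll ListMembers until
    every member has a terminal status. Returns (graph_arn, statuses)."""
    graph_arn = call_with_backoff(client.create_graph)["GraphArn"]
    unprocessed = []
    for i in range(0, len(accounts), MAX_ACCOUNTS_PER_CALL):
        resp = call_with_backoff(client.create_members, GraphArn=graph_arn,
                                 Accounts=accounts[i:i + MAX_ACCOUNTS_PER_CALL],
                                 DisableEmailNotification=True)
        unprocessed += [u["AccountId"] for u in resp.get("UnprocessedAccounts", [])]
    if unprocessed:
        raise RuntimeError(f"CreateMembers rejected: {unprocessed}")
    for _ in range(max_polls):
        statuses = list_member_statuses(client, graph_arn)
        if all(s in TERMINAL for s in statuses.values()):
            return graph_arn, statuses
        time.sleep(poll_interval)
    raise TimeoutError(f"members still pending: {statuses}")

def reconcile_members(client, graph_arn, live_accounts):
    """Delete members absent from the live inventory and verify they are gone.
    Returns the sorted list of removed account IDs."""
    stale = sorted(set(list_member_statuses(client, graph_arn)) - set(live_accounts))
    for i in range(0, len(stale), MAX_ACCOUNTS_PER_CALL):
        call_with_backoff(client.delete_members, GraphArn=graph_arn,
                          AccountIds=stale[i:i + MAX_ACCOUNTS_PER_CALL])
    leftover = set(stale) & set(list_member_statuses(client, graph_arn))
    if leftover:
        raise RuntimeError(f"DeleteMembers did not remove: {sorted(leftover)}")
    return stale

class FakeDetectiveClient:
    """Constructed offline stand-in for boto3's Detective client. Each ListMembers
    call moves INVITED members one step towards ENABLED; the first CreateMembers
    call raises a ThrottlingException-shaped error to exercise the backoff."""
    def __init__(self):
        self.members, self._throttle = {}, True

    def create_graph(self):
        return {"GraphArn": "arn:aws:detective:us-east-1:111122223333:graph:fake"}

    def create_members(self, GraphArn, Accounts, DisableEmailNotification=False):
        if self._throttle:
            self._throttle = False
            err = Exception("Rate exceeded")
            err.response = {"Error": {"Code": "ThrottlingException"}}  # botocore shape
            raise err
        self.members.update({a["AccountId"]: "INVITED" for a in Accounts})
        return {"Members": [], "UnprocessedAccounts": []}

    def list_members(self, GraphArn, NextToken=None):
        page = [{"AccountId": a, "Status": s} for a, s in self.members.items()]
        step = {"INVITED": "VERIFICATION_IN_PROGRESS", "VERIFICATION_IN_PROGRESS": "ENABLED"}
        self.members = {a: step.get(s, s) for a, s in self.members.items()}
        return {"MemberDetails": page}

    def delete_members(self, GraphArn, AccountIds):
        for a in AccountIds:
            self.members.pop(a, None)
        return {"AccountIds": AccountIds, "UnprocessedAccounts": []}

if __name__ == "__main__":
    # Constructed placeholder accounts; swap FakeDetectiveClient() for boto3.client("detective").
    fake = FakeDetectiveClient()
    arn, status = stand_up_graph(fake, [
        {"AccountId": "111111111111", "EmailAddress": "sec@example.com"},
        {"AccountId": "222222222222", "EmailAddress": "ops@example.com"}])
    print(status)
    print("removed:", reconcile_members(fake, arn, live_accounts=["111111111111"]))
```

The reconcile step is deliberately a set difference against an inventory the caller supplies (for example the output of Organizations ListAccounts filtered to ACTIVE), so the same function serves both ad hoc cleanup and a scheduled job; the post-delete ListMembers check is what turns a fire-and-forget DeleteMembers into a verified removal.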
Agent-Driven Detective Administration
An AI agent connected via Jentic can programmatically respond to organizational changes — enabling Detective in a new region, adding fresh member accounts, or rotating the delegated administrator — without a human navigating the AWS console. Jentic returns the matching Detective operation and schema so the agent can compose the correct sequence of calls and check status between steps.
Search Jentic for 'invite a Detective member account', load the CreateMembers schema, execute it with the new account list, then call ListMembers to confirm enrolment.
24 endpoints (8 shown below). Jentic publishes the only available OpenAPI specification for Amazon Detective, keeping it validated and agent-ready.
METHOD  PATH                      DESCRIPTION
POST    /graph                    Create a Detective behavior graph
POST    /graph/members            Invite member accounts to a graph
POST    /graph/members/get        Get details for member accounts
POST    /graph/members/removal    Remove member accounts from a graph
POST    /graph/removal            Delete a behavior graph
PUT     /invitation               Accept an invitation (declining is a separate operation)
POST    /orgs/enableAdminAccount  Designate the Detective delegated admin
POST    /graphs/list              List graphs the account belongs to
Three things that make agents converge on Jentic-routed access.
Credential isolation
AWS access keys for Detective are stored encrypted in the Jentic vault. Jentic signs each Detective request with SigV4 at execution time and the agent only sees scoped, short-lived access — raw access keys never enter the agent's context.
Intent-based discovery
Agents search by intent (e.g., 'invite a Detective member account' or 'enable Detective in a region') and Jentic returns the matching Detective operation with its input schema, so the agent can call the right endpoint without browsing AWS documentation.
Time to first call
Direct Detective integration: 1-3 days for SigV4 signing, IAM policy scoping, and multi-account orchestration. Through Jentic: under 1 hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Amazon GuardDuty
Threat detection service whose findings flow into Detective behavior graphs.
Choose GuardDuty when the agent needs to generate or list findings; Detective consumes those findings for investigation.
AWS Security Hub
Aggregates security findings from across AWS for centralized review.
Choose Security Hub when the agent needs a consolidated findings dashboard rather than graph-based investigation.
AWS CloudTrail
Source of API event logs that Detective ingests into behavior graphs.
Choose CloudTrail when the agent needs to query raw API event logs directly rather than the Detective-derived graph view.
Specific to using Amazon Detective API through Jentic.
Why is there no official OpenAPI spec for Amazon Detective?
AWS does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call Amazon Detective via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the Amazon Detective API use?
Detective uses AWS Signature Version 4 (HMAC-SHA256) signing with an AWS access key ID and secret access key; temporary credentials additionally carry a session token in the signed x-amz-security-token header. Through Jentic, those credentials live encrypted in the Jentic vault and are injected into signed requests at execution time, so the agent never sees the raw secret access key.
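What the signing step actually does, as an added example of SigV4 over a Detective request using only the Python standard library. This is not code from the original page or from Jentic; it is the computation a signer (Jentic's vault, the AWS SDK, or your own code) performs at execution time. It signs the CreateGraph call from the endpoint table above (POST /graph, JSON body, host api.detective.<region>.amazonaws.com). The access key, secret, timestamp and tags in the usage are constructed placeholder values; the key pair is the documented AWS example pair, not a real credential.

```python
"""AWS Signature Version 4 for an Amazon Detective request.
Added example; not from the original page or from Jentic."""
import hashlib
import hmac
import json
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "detective"  # SigV4 signing name used in the credential scope

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str) -> bytes:
    """Derive kSigning: HMAC chain over date, region, service, 'aws4_request'.
    The raw secret is only ever used here, never placed in a header."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, SERVICE)
    return _hmac(k, "aws4_request")

def sign_request(method, path, body, region, access_key, secret, amz_date,
                 headers=None, session_token=None):
    """Return the request headers plus a SigV4 Authorization header.
    amz_date is the ISO basic timestamp the request carries, e.g. 20240101T000000Z."""
    host = f"api.{SERVICE}.{region}.amazonaws.com"
    hdrs = {"host": host, "x-amz-date": amz_date, "content-type": "application/json"}
    if session_token:  # temporary (STS) credentials must sign the token too
        hdrs["x-amz-security-token"] = session_token
    hdrs.update({k.lower(): v.strip() for k, v in (headers or {}).items()})
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_request = "\n".join([
        method, quote(path, safe="/"), "",  # Detective operations use no query string
        canonical_headers, signed_headers, _sha256_hex(body),
    ])
    date = amz_date[:8]
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    signature = hmac.new(signing_key(secret, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs

def sign_create_graph(region, access_key, secret, amz_date, tags=None):
    """Sign CreateGraph (POST /graph). Returns (body, headers) ready to send."""
    body = json.dumps({"Tags": tags or {}}).encode()
    return body, sign_request("POST", "/graph", body, region, access_key, secret, amz_date)

if __name__ == "__main__":
    # Constructed inputs: AWS's documented example key pair and a fixed timestamp.
    body, hdrs = sign_create_graph("us-east-1", "AKIAIOSFODNN7EXAMPLE",
                                   "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                   "20240101T000000Z", tags={"Owner": "secops"})
    print(hdrs["authorization"])
```

Two properties matter for the credential-isolation claim above: the secret access key never appears in any header (only the derived signature does), and the signature binds the body, so a signer holding the key cannot be tricked into authorising a different request than the one it hashed. A signed request is also only valid for a short window around x-amz-date, which is why a vault signing at execution time yields the short-lived access the page describes.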
Can I add member accounts to a behavior graph through the API?
Yes. The administrator account calls CreateMembers (POST /graph/members) with the AccountIds and email addresses to invite. Each invited account then accepts via PUT /invitation, after which its CloudTrail, VPC flow, and GuardDuty data feeds the behavior graph.
What are the rate limits for the Amazon Detective API?
Detective shares standard AWS service quotas, which are managed per account and region rather than published as fixed per-second limits in the spec. Treat bulk member invitations as throttle-prone and back off on ThrottlingException responses.
How do I enable Detective in a new region through Jentic?
Search Jentic for 'create a Detective behavior graph', load the CreateGraph operation schema, then execute it. Run pip install jentic, set JENTIC_AGENT_API_KEY, and use the async search and execute pattern.
Is the behavior graph data ingested by this API?
No. Detective ingests CloudTrail, VPC flow logs, and GuardDuty findings automatically once member accounts are enrolled. This API administers the graph itself — membership, organization configuration, and tags — not the underlying log streams.