AWS Security & Identity Services

Amazon Detective

Updated June 23, 2025

How Amazon Detective Works

Amazon Detective automates the complex work of a security investigation by following a three-step process:

  1. Automated Data Ingestion:

    Detective automatically collects and processes events from multiple data sources without requiring you to enable or configure anything on the sources themselves. Key data sources include:

    • AWS CloudTrail: Captures user activity and API usage.

    • Amazon VPC Flow Logs: Provides information about the IP traffic going to and from network interfaces.

    • Amazon GuardDuty Findings: Ingests findings about potential threats in your environment.

    • Detective also integrates with AWS Security Hub and Amazon Macie to provide a holistic view.

  2. Build a Behavior Graph:

    Detective uses the ingested data to build and maintain a behavior graph. This is a unified, interactive data model representing all your AWS resources, users, roles, IP addresses, and the interactions between them over time. This graph provides the context needed to understand security events.

  3. Analyze and Visualize for Investigation:

    Detective provides pre-built data aggregations, summaries, and visualizations that allow you to explore the behavior graph. You can select a specific entity (like a user or EC2 instance) and see all its activity, connections to other resources, and how its behavior has changed over time. This helps you to quickly identify the underlying reasons for security findings and determine the root cause.
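The three steps above can be made concrete with a small model of a behavior graph. The following is an added illustration, not Amazon Detective's own code or its internal data model: it ingests a few constructed CloudTrail events, one VPC Flow Log record and one GuardDuty finding (sample values, not real account data), links the entities they mention as time-stamped edges, and then answers the two questions an investigator asks of the graph: "what did this entity do, and with whom?" and "which interactions are new compared with its earlier baseline?".

```python
"""Toy behavior graph: entities (IAM principals, IP addresses, ENIs) as nodes,
time-stamped interactions from CloudTrail, VPC Flow Logs and GuardDuty as edges.
Added, simplified illustration of the idea; not Detective's real data model."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (placeholder account id, documentation IP ranges).
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2025-06-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-06-20T03:12:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.77"},
]
# (interface-id, srcaddr, dstaddr, dstport, start as epoch seconds)
VPC_FLOW_RECORDS = [
    ("eni-0abc", "10.0.0.5", "198.51.100.77", 4444, 1750389300),  # 2025-06-20T03:15:00Z
]
GUARDDUTY_FINDINGS = [
    {"time": "2025-06-20T03:15:00Z",
     "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
     "resource": "arn:aws:iam::111122223333:user/alice", "ip": "198.51.100.77"},
]


def parse_time(s):
    """CloudTrail and GuardDuty timestamps are ISO-8601 UTC strings."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class BehaviorGraph:
    def __init__(self):
        self.edges = defaultdict(list)  # node -> [(time, relation, peer, detail)]

    def add_edge(self, when, a, relation, b, detail=""):
        # Store the edge on both endpoints so an investigator can pivot from either side.
        self.edges[a].append((when, relation, b, detail))
        self.edges[b].append((when, relation, a, detail))

    def ingest_cloudtrail(self, events):
        for e in events:
            self.add_edge(parse_time(e["eventTime"]), e["userIdentity"]["arn"],
                          "api_call", e["sourceIPAddress"], e["eventName"])

    def ingest_flow_logs(self, records):
        for eni, src, dst, port, start in records:
            when = datetime.fromtimestamp(start, tz=timezone.utc)
            self.add_edge(when, src, "network", dst, f"{eni} dstport={port}")

    def ingest_guardduty(self, findings):
        for f in findings:
            self.add_edge(parse_time(f["time"]), f["resource"], "finding", f["ip"], f["type"])

    def activity(self, entity, start=None, end=None):
        """Every interaction of one entity, optionally within a time window, oldest first."""
        rows = [r for r in self.edges.get(entity, [])
                if (start is None or r[0] >= start) and (end is None or r[0] <= end)]
        return sorted(rows, key=lambda r: r[0])

    def peers(self, entity):
        """All entities this one has ever interacted with."""
        return {r[2] for r in self.edges.get(entity, [])}

    def new_peers(self, entity, baseline_end):
        """Peers first seen after the baseline window: 'how has this entity's behavior changed?'"""
        first_seen = {}
        for when, _, peer, _ in sorted(self.edges.get(entity, []), key=lambda r: r[0]):
            first_seen.setdefault(peer, when)
        return {p for p, t in first_seen.items() if t > baseline_end}


def build_sample_graph():
    g = BehaviorGraph()
    g.ingest_cloudtrail(CLOUDTRAIL_EVENTS)
    g.ingest_flow_logs(VPC_FLOW_RECORDS)
    g.ingest_guardduty(GUARDDUTY_FINDINGS)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    alice = "arn:aws:iam::111122223333:user/alice"
    for when, rel, peer, detail in g.activity(alice):
        print(when.isoformat(), rel, peer, detail)
    # The IP that first appears during the CreateAccessKey call is new relative to June 1-15.
    print("new peers since baseline:", g.new_peers(alice, parse_time("2025-06-15T00:00:00Z")))
```

Pivoting from the IP address shows the same edges from the other side: the GuardDuty finding, the API call that the IP made as alice, and the outbound flow from an instance in the VPC, which is the "full story" view the console gives you instead of three isolated records.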


Core Features & Benefits

  • Simplifies Investigation Workflow: Reduces the time, effort, and expertise needed to investigate security issues.

  • No Agents or Manual Configuration: Detective is a managed service. There are no agents to deploy and no complex configurations to manage. Once enabled, it automatically starts collecting data.

  • Unified, Interactive View: The behavior graph provides rich context and visualizations, helping you see the full story behind a security event instead of just isolated data points.

  • Long-Term Data Retention: Detective maintains up to a year of aggregated data for analysis, allowing you to investigate issues that occurred up to a year earlier.

  • Multi-Account Investigation: Detective integrates with AWS Organizations, allowing you to designate a single master security account to view and investigate findings across all member accounts in your organization.


Getting Started with Amazon Detective

  1. Enable Detective: Navigate to the Amazon Detective console and enable the service with a few clicks.

  2. Set Master Account (Optional): If you use AWS Organizations, you can designate a master account. This account will become the "Detective master," and you can invite member accounts to contribute their data to the master account's behavior graph.

  3. Wait for Data Population: Detective will begin ingesting data immediately, but it can take up to 48 hours for the initial data to be processed and for the service to build its initial behavior graph.

  4. Start Investigating: Begin your investigations by searching for a specific entity or by drilling down from a finding in Amazon GuardDuty or AWS Security Hub.
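The same four steps can be scripted instead of clicked through. The block below is an added example written for this page, not AWS's own code: it uses the real boto3 Detective calls create_graph, create_members and list_members, and assumes credentials for the account that will own the behavior graph (the "Detective master" above; current AWS documentation calls it the administrator account). The account IDs and e-mail addresses are constructed placeholders. Note that Detective requires GuardDuty to have been enabled in the account for at least 48 hours before create_graph succeeds. The list_members client call is passed in as a function so the polling logic can be exercised offline with a fake.

```python
"""Enable Amazon Detective and invite member accounts with boto3.
Added example; assumes AWS credentials for the future administrator account."""
import re
import time

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def member_accounts(members):
    """Validate {account_id: email} and shape it into the Accounts list create_members expects."""
    out = []
    for account_id, email in members.items():
        if not ACCOUNT_ID_RE.match(account_id):
            raise ValueError(f"invalid AWS account id: {account_id!r}")
        out.append({"AccountId": account_id, "EmailAddress": email})
    return out


def wait_for_members(list_members_fn, graph_arn, wanted, poll_seconds=30, max_polls=20):
    """Poll until every invited account shows Status ENABLED; return {account_id: status}.
    list_members_fn is injected (normally client.list_members) so it can be faked in tests.
    Members stay INVITED until they accept, so the loop gives up after max_polls."""
    status = {}
    for _ in range(max_polls):
        resp = list_members_fn(GraphArn=graph_arn)
        status = {m["AccountId"]: m["Status"] for m in resp.get("MemberDetails", [])}
        if all(status.get(a) == "ENABLED" for a in wanted):
            return status
        time.sleep(poll_seconds)
    return status


def enable_detective(members, region="us-east-1"):
    """Steps 1-2 of the procedure: create the graph, then invite member accounts."""
    import boto3  # imported lazily so the helpers above work without boto3 installed
    client = boto3.client("detective", region_name=region)
    graph_arn = client.create_graph()["GraphArn"]  # step 1: enable Detective in this region
    accounts = member_accounts(members)
    if accounts:  # step 2 (optional): invite members into this account's behavior graph
        client.create_members(
            GraphArn=graph_arn,
            Message="Please accept the Amazon Detective invitation.",  # constructed text
            Accounts=accounts,
        )
    # Step 3 is a wait of up to 48 hours for initial data; this only waits for acceptances.
    return graph_arn, wait_for_members(client.list_members, graph_arn, list(members))


if __name__ == "__main__":
    # Placeholder member accounts; replace with real organization members before running.
    arn, statuses = enable_detective({"222233334444": "security-member@example.com"})
    print(arn, statuses)
```

Once list_members reports ENABLED for a member, its CloudTrail, VPC Flow Log and GuardDuty data starts flowing into the administrator's graph; step 4 (investigating) still has to wait for the initial population described above.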


Pricing

  • Pricing Model: Detective is priced based on the volume of data ingested from its sources (AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty findings).

  • Free Trial: All new Detective accounts receive a 30-day free trial to evaluate the service at no cost.