Amazon Detective¶

What Is This Service?¶

Amazon Detective is AWS’s security investigation and root-cause analysis service that automatically collects, correlates, and visualizes security data to accelerate incident response.

It helps answer:

What happened?
Why did it happen?
What else was affected?

Mental model:
Detective = graph-based security investigation + attack relationship analysis.

Detective does not detect threats.

It helps investigate and explain findings.

Why It Matters for Security¶

Detection without investigation creates alert fatigue.

Detective enables teams to:

Investigate incidents faster
Correlate findings automatically
Reduce manual log analysis
Identify blast radius
Perform threat hunting
Understand attacker paths

Security outcomes:

Faster MTTR
Better root-cause analysis
Reduced investigation effort
Improved security operations
Faster incident containment

Typical use cases:

GuardDuty triage
Security Hub investigation
Credential compromise analysis
Data exfiltration investigation
Lateral movement analysis
Cross-account security analysis

Core Concepts¶

Behavior Graph (MOST TESTED)¶

Detective automatically builds a:

Behavior Graph

Graph contains relationships between:

Accounts
Users
Roles
Resources
Findings
API activity
Network activity
IP addresses

Purpose:

Understand security context.

Example:

IAM User
 ↓
AssumeRole
 ↓
EC2
 ↓
S3 Access
 ↓
Data Movement

Behavior graph is regional.

Investigation¶

Interactive incident analysis.

Supports:

Timeline analysis
Relationship exploration
Root-cause investigation

Starting points:

Finding
Resource
User
Account
IP

Entities¶

Security objects represented in the graph.

Examples:

IAM users
Roles
EC2
S3
VPC
EKS
Accounts
IPs

Findings Groups¶

Related observations grouped automatically.

Useful for:

Incident context
Correlation
Threat enrichment

Historical Analysis¶

Detective supports:

Historical comparison
Behavior analysis
Attack reconstruction

Not intended for continuous monitoring.

Important Integrations¶

Amazon GuardDuty (VERY HIGH VALUE)¶

Primary integration.

Flow:

GuardDuty
 ↓
Detective
 ↓
Investigation

GuardDuty:

Detect

Detective:

Investigate

Classic exam pairing.

GuardDuty Prerequisite (HIGH VALUE)¶

Detective requires:

GuardDuty enabled

Behavior graph requires historical data.

Exam nuance:

New region:

Enable GuardDuty first

Detective requires time to establish investigation context.

Typical exam symptom:

Detective unavailable immediately after region enablement

AWS Security Hub¶

Supports:

Central findings
Investigation pivots

Pattern:

Security Hub
 ↓
Detective
 ↓
Root Cause

Amazon Macie (Advanced Integration)¶

Detective correlates:

GuardDuty findings
Macie findings

Example:

Compromised Role
 ↓
Sensitive S3 Access
 ↓
Potential Exfiltration

Benefit:

Single investigation view.

AWS Organizations¶

Supports:

Delegated administrator
Multi-account investigation

Centralized security operations.

AWS CloudTrail¶

Primary investigation source.

Provides:

API history
User activity
Access patterns

Amazon VPC¶

Network evidence source.

Provides:

Connection behavior
Traffic relationships

Amazon EKS¶

Supports:

Kubernetes investigation

Modern exam scenario.

IAM¶

Investigates:

Access behavior
Role assumptions
Credential usage

Security Features¶

Automatic Data Aggregation¶

Collects:

Findings
Context
Relationships

No ETL required.

Relationship Analysis¶

Builds:

Identity
 ↓
Activity
 ↓
Resource
 ↓
Impact

Purpose:

Reduce investigation time.

Independent Data Collection (HIGH VALUE)¶

Detective collects some telemetry directly.

Examples:

VPC activity
EKS activity

Exam trap:

You do NOT need:

VPC Flow Logs → CloudWatch

or

EKS Audit Logs → CloudWatch

for Detective investigation capability.

Detective collects required metadata independently.

Visual Investigation¶

Provides:

Graph views
Entity links
Timeline analysis

Historical Investigation¶

Supports investigation over retained graph data.

Multi-Account Visibility¶

Supports centralized investigation.

Advanced Security and Operational Concepts¶

Detective Does NOT Generate Findings (MOST TESTED)¶

Wrong assumption:

Detective detects attacks

Correct:

GuardDuty → Detection
Detective → Investigation

Exam elimination rule:

Need alerts?

→ GuardDuty

Need investigation?

→ Detective

Detective Is Not a SIEM¶

Not designed for:

Arbitrary search
Long-term archival
Dashboard analytics

Use:

Security Lake
S3
SIEM platforms

1-Year Retention Rule (HIGH VALUE)¶

Detective stores:

Behavior Graph
+
Investigation Data

Retention:

365 days

Exam trap:

Need:

3 years
7 years
compliance retention

Use:

S3
Security Lake
CloudTrail archival

Not Detective.

Investigation Workflow¶

Typical architecture:

GuardDuty
 ↓
Security Hub
 ↓
Detective
 ↓
Remediation

Blast Radius Analysis¶

Example:

Compromised User
 ↓
Assume Role
 ↓
EC2
 ↓
S3
 ↓
Data Access

Detective visualizes spread.

IAM Compromise Analysis¶

Example:

Finding
 ↓
User Timeline
 ↓
API Calls
 ↓
Affected Resources

Delegated Administration¶

Organizations supports:

Management Account
 ↓
Security Account
 ↓
Detective Admin

Central investigation.

Detective Does NOT Replace CloudTrail¶

CloudTrail:

Raw records

Detective:

Context and relationships

Architecture Example¶

flowchart LR

GuardDuty[GuardDuty]

SecurityHub[Security Hub]

Macie[Macie]

CloudTrail[CloudTrail]

VPC[VPC Metadata]

EKS[EKS Activity]

Detective[Amazon Detective]

Analyst[Security Analyst]

GuardDuty --> Detective

SecurityHub --> Detective

Macie --> Detective

CloudTrail --> Detective

VPC --> Detective

EKS --> Detective

Detective --> Analyst

Workflow(s)¶

Threat Investigation Flow¶

sequenceDiagram

participant GuardDuty
participant SecurityHub
participant Detective
participant Analyst

GuardDuty->>SecurityHub: Finding

SecurityHub->>Detective: Investigate

Detective->>Detective: Correlate activity

Detective-->>Analyst: Behavior graph

Data Exfiltration Investigation¶

sequenceDiagram

participant GuardDuty
participant Macie
participant Detective
participant Analyst

GuardDuty->>Detective: Credential anomaly

Macie->>Detective: Sensitive S3 access

Detective->>Detective: Correlate entities

Detective-->>Analyst: Exfiltration path

Root Cause Investigation¶

sequenceDiagram

participant Analyst
participant Detective
participant CloudTrail

Analyst->>Detective: Investigate user

Detective->>CloudTrail: Build timeline

Detective-->>Analyst: Relationships + history

Comparisons¶

Service	Role	Detects	Investigates	Long-Term Storage
Amazon Detective	Investigation	No	Yes	365 Days
GuardDuty	Threat detection	Yes	No	No
Security Hub	Findings aggregation	Partial	Partial	No
Security Lake	Security data lake	No	No	Yes
CloudTrail	Event history	No	No	Yes

Common Exam Traps¶

Detective does not generate findings.
GuardDuty detects, Detective investigates.
Detective requires GuardDuty.
Behavior graph retention is 365 days.
Detective is not SIEM.
Long retention belongs in S3/Security Lake.
Detective correlates Macie findings.
VPC Flow Logs configuration not required.
CloudTrail stores events; Detective builds context.
Behavior graph is regional.
Multi-account investigations supported.
Detective accelerates MTTR.

5-Second Recall¶

Detective = investigation
GuardDuty = detection
Behavior Graph = core feature
GuardDuty prerequisite
365-day retention
Macie correlation
Not SIEM

Quick Revision Notes¶

Graph-based investigation platform
Investigates GuardDuty findings
Correlates CloudTrail + Macie
Supports multi-account security
Behavior graph retained 365 days
Independent telemetry ingestion
Root-cause focused
Not log archival
Accelerates incident response
Security Hub integrates directly