Amazon Detective

A service that automatically collects and analyzes VPC Flow Logs, CloudTrail, and GuardDuty findings to streamline root cause investigation of security incidents

Overview

Amazon Detective is a service that automatically collects log data from your AWS environment, builds a graph model, and assists with security incident investigation and root cause analysis. It integrates VPC Flow Logs, CloudTrail management events, GuardDuty findings, and EKS audit logs for unified analysis, visualizing relationships between IP addresses, IAM principals, and AWS accounts. Machine learning-based baseline analysis detects deviations from normal behavior patterns and helps prioritize investigations.

Revolutionizing Security Investigation with Graph Models

Traditional security investigations required querying CloudTrail logs with Athena, separately analyzing VPC Flow Logs, and manually correlating them with GuardDuty findings. Detective automatically ingests these data sources and builds a graph database of relationships between entities (IP addresses, IAM users, roles, EC2 instances, etc.). For example, investigations like "Which EC2 instance performed AssumeRole for the IAM role that made suspicious API calls?" and "What IP addresses was that instance communicating with?" can be executed intuitively as graph traversals. Data ingestion and analysis are fully automated, requiring no user-written queries or index design. Detective retains up to 12 months of data, enabling correlation analysis with historical events. Azure Sentinel provides a similar security analytics platform, but Detective offers deeper integration with AWS-native data sources and the simplicity of setup in just a few clicks.

Investigation Workflow from GuardDuty Findings

The most common usage pattern for Detective is deep-dive investigation of security threats detected by GuardDuty. Selecting a finding in the GuardDuty console and clicking "Investigate in Detective" navigates directly to the related entity's profile page. The profile page displays the entity's historical API call patterns, network traffic volume, and geographic access source distribution in timelines and graphs. Machine learning baseline comparison enables immediate identification of anomalies such as "a role that normally only accesses from the Tokyo Region suddenly executed massive S3 GetObject calls from the Virginia Region." Related books on cloud security investigation (Amazon) cover systematic approaches to incident response. Investigation results can be displayed as Finding Groups that aggregate related findings, visualizing that multiple GuardDuty alerts actually belong to the same attack campaign.

Multi-Account Operations and Cost Optimization in Practice

In Organizations environments, a recommended configuration has the Detective administrator account aggregate and analyze data from member accounts. Similar to GuardDuty, you can set up a delegated administrator, enabling centralized security investigation across the entire organization from a dedicated security team account. When new member accounts are added, data ingestion starts automatically, minimizing operational overhead. On the cost side, Detective pricing is usage-based on ingested data volume. In environments with large VPC Flow Logs and CloudTrail data volumes, costs can increase, so consider excluding unnecessary data sources or adjusting VPC Flow Logs sampling settings. A 30-day free trial is provided, allowing you to verify actual data volumes and costs during the trial period before committing to production deployment. Detective also integrates with Security Hub, enabling workflows that navigate directly from Security Hub findings to Detective's investigation screen. Combining GuardDuty, Security Hub, and Detective completes the detection, prioritization, and investigation security operations flow.

ShareXB!