Amazon Detective: What It Is and When to Use It

Definition

Amazon Detective is a security service that simplifies the process of investigating and identifying the root cause of potential security issues or suspicious activities. It automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to create a model that allows for faster and more efficient security investigations.

How It Works

Amazon Detective works by ingesting and analyzing time-based event data from multiple sources, including AWS CloudTrail logs, Amazon Virtual Private Cloud (VPC) Flow Logs, Amazon GuardDuty findings, AWS Security Hub findings, and Amazon Elastic Kubernetes Service (EKS) audit logs. You do not need to enable or configure these data sources manually; Detective ingests them via independent streams, which does not impact your existing configurations or increase costs for those services.

The core of Detective is the behavior graph, a unified, interactive model of your resources, users, and the interactions between them over time. This graph model is built using machine learning and is continuously updated as new data becomes available. It allows security analysts to visualize complex relationships and disparate activities—such as anomalous API calls or suspicious network traffic—to understand the story behind a security finding. By providing pre-built aggregations and summaries, Detective eliminates the need for security teams to manually collect and correlate logs, significantly shortening investigation times.

Key Features and Limits

  • Automatic Data Collection: Detective automatically ingests and processes log data from all enabled accounts without requiring manual configuration.
  • Behavior Graph Visualization: Provides an interactive graph model to explore relationships between resources and activities, helping to quickly identify the root cause of security findings.
  • Finding Groups: Consolidates related GuardDuty findings and anomalous activities into a single security event, allowing analysts to investigate an entire incident rather than individual alerts.
  • Multi-Account Management: Aggregates data from up to 1,200 member accounts into a single administrator account within the same AWS Region, providing a centralized view for investigations.
  • Data Retention: Detective maintains up to one year of aggregated data for analysis, allowing for long-term historical investigation.
  • Integration with Security Services: Seamlessly integrates with Amazon GuardDuty, AWS Security Hub, and other AWS security services, allowing you to pivot directly from a finding to an in-depth investigation in Detective.
  • Service Quotas: Amazon Detective is a regional service and must be enabled in each desired AWS Region. It has a data ingestion limit; if a behavior graph's data volume exceeds 15 TB per day, Detective stops ingesting data.

Common Use Cases

  • Triage Security Findings: Quickly investigate alerts from Amazon GuardDuty or AWS Security Hub to determine their nature and extent, distinguishing real threats from false positives.
  • Incident Response and Investigation: When a security event is detected, use Detective's visualizations to analyze the scope of the incident, identify all affected resources, and understand the sequence of actions performed by an attacker.
  • Threat Hunting: Proactively search for suspicious patterns and anomalous behaviors that may not have triggered a specific alert. For example, an analyst can investigate all activities associated with a suspicious IP address over the past year.
  • Investigating Compromised IAM Principals: Use the 'Detective Investigation' feature to analyze IAM users and roles for indicators of compromise (IoCs) and determine if they are involved in a security incident.
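To make the behavior graph, finding groups and the "pivot from one suspicious entity" hunt described above concrete, here is an added toy illustration in Python. It is not Amazon Detective's own implementation and does not use the Detective API: it builds a small entity graph from constructed CloudTrail events, VPC Flow Log records and GuardDuty-shaped findings (all values made up, field names mirroring the real record formats), then walks out from a suspicious IP within a time window and merges findings that share or link to the same entity. The grouping rule (same entity, or entities within two hops of each other, raised within 24 hours) is an assumption chosen for the example, not Detective's documented logic.

```python
"""Toy behavior graph from constructed CloudTrail, VPC Flow Log and GuardDuty-style
records. Added illustration only, not Amazon Detective's own implementation."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps CloudTrail and GuardDuty emit."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed CloudTrail events (field names mirror CloudTrail; values are made up).
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2026-05-01T10:00:00Z", "userIdentity": "user/alice", "sourceIPAddress": "203.0.113.7", "eventName": "ListBuckets"},
    {"eventTime": "2026-05-01T10:02:00Z", "userIdentity": "user/alice", "sourceIPAddress": "203.0.113.7", "eventName": "GetObject"},
    {"eventTime": "2026-05-01T10:05:00Z", "userIdentity": "role/ci-deploy", "sourceIPAddress": "198.51.100.20", "eventName": "AssumeRole"},
    {"eventTime": "2026-04-01T09:00:00Z", "userIdentity": "user/alice", "sourceIPAddress": "192.0.2.44", "eventName": "GetCallerIdentity"},
]
# Constructed VPC Flow Log records (subset of the default record fields).
FLOW_LOG_RECORDS = [
    {"start": "2026-05-01T10:01:00Z", "srcaddr": "203.0.113.7", "dstaddr": "10.0.1.5", "dstport": 22, "action": "ACCEPT"},
    {"start": "2026-05-01T10:03:00Z", "srcaddr": "10.0.1.5", "dstaddr": "10.0.2.9", "dstport": 5432, "action": "ACCEPT"},
    {"start": "2026-05-01T11:00:00Z", "srcaddr": "198.51.100.20", "dstaddr": "10.0.3.1", "dstport": 443, "action": "ACCEPT"},
]
# Constructed findings shaped like GuardDuty findings; each names the entity it concerns.
FINDINGS = [
    {"id": "finding-1", "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "entity": ("principal", "user/alice"), "time": "2026-05-01T10:00:00Z"},
    {"id": "finding-2", "type": "Recon:EC2/PortProbeUnprotectedPort", "entity": ("ip", "10.0.1.5"), "time": "2026-05-01T10:01:00Z"},
    {"id": "finding-3", "type": "Policy:IAMUser/RootCredentialUsage", "entity": ("principal", "root"), "time": "2026-05-02T08:00:00Z"},
]

def build_behavior_graph(events, flows):
    """Undirected graph: node -> [(neighbour, time, label)]. Nodes are typed tuples
    such as ("principal", "user/alice"), ("ip", "203.0.113.7"), ("api", "GetObject")."""
    graph = defaultdict(list)
    def link(a, b, t, label):
        graph[a].append((b, t, label))
        graph[b].append((a, t, label))
    for e in events:  # CloudTrail: who called which API from where, and when
        t, principal = parse_ts(e["eventTime"]), ("principal", e["userIdentity"])
        link(principal, ("ip", e["sourceIPAddress"]), t, "called-from")
        link(principal, ("api", e["eventName"]), t, e["eventName"])
    for f in flows:  # Flow logs: which addresses talked to which, on what port
        if f["action"] == "ACCEPT":
            link(("ip", f["srcaddr"]), ("ip", f["dstaddr"]), parse_ts(f["start"]), f"tcp/{f['dstport']}")
    return graph

def pivot(graph, node, center, window=timedelta(hours=1), depth=2):
    """Activity within `depth` hops of `node` whose timestamp lies within +/- window of
    `center`, as a time-sorted list of (time, node, label, neighbour)."""
    seen, frontier, timeline, emitted = {node}, [node], [], set()
    for _ in range(depth):
        nxt = []
        for n in frontier:
            for nb, t, label in graph.get(n, []):
                if abs(t - center) > window:
                    continue  # outside the investigation window
                key = (t, frozenset((n, nb)), label)  # each edge is stored twice
                if key not in emitted:
                    emitted.add(key)
                    timeline.append((t, n, label, nb))
                if nb not in seen:
                    seen.add(nb)
                    nxt.append(nb)
        frontier = nxt
    return sorted(timeline)

def linked(graph, a, b, max_hops=2):
    """True if entity b is reachable from entity a within max_hops edges."""
    frontier, seen = {a}, {a}
    for _ in range(max_hops):
        frontier = {nb for n in frontier for nb, _, _ in graph.get(n, [])} - seen
        if b in frontier:
            return True
        seen |= frontier
    return False

def group_findings(graph, findings, window=timedelta(hours=24)):
    """Merge findings into groups (assumed rule: same entity, or entities linked in the
    graph within two hops, and raised within `window` of each other). Union-find."""
    parent = {f["id"]: f["id"] for f in findings}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for i, a in enumerate(findings):
        for b in findings[i + 1:]:
            close = abs(parse_ts(a["time"]) - parse_ts(b["time"])) <= window
            if close and (a["entity"] == b["entity"] or linked(graph, a["entity"], b["entity"])):
                parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(list)
    for f in findings:
        groups[find(f["id"])].append(f["id"])
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    g = build_behavior_graph(CLOUDTRAIL_EVENTS, FLOW_LOG_RECORDS)
    for t, n, label, nb in pivot(g, ("ip", "203.0.113.7"), parse_ts("2026-05-01T10:00:00Z")):
        print(t.isoformat(), n, "--", label, "->", nb)
    print("finding groups:", group_findings(g, FINDINGS))
```

Running the script pivots from the external address 203.0.113.7 and prints a six-edge timeline: the API calls alice made from that address, the SSH connection it opened to 10.0.1.5, and the onward database connection from that host, while the unrelated ci-deploy activity and alice's month-old event fall outside the walk or the window. The two findings that touch that chain (the IAM user and the probed host) land in one group and the root-credential finding stays separate, which is the kind of consolidation a finding group gives an analyst instead of three isolated alerts.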

Pricing Model

Amazon Detective is priced based on the volume of data ingested from its various sources, such as AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty findings. The cost is calculated per Gigabyte (GB) ingested per account, per Region, per month. There are no upfront costs, and you do not pay for the data storage or the analysis itself—only for the data ingestion.

AWS offers a 30-day free trial for new Amazon Detective accounts, which provides access to the full feature set. During the trial, you can view projected costs based on your usage to help forecast future expenses.

Pros and Cons

Pros:

  • Accelerates Investigations: Drastically reduces the time and effort required to investigate security findings by automating log collection and correlation.
  • Simplifies Complexity: Translates terabytes of raw log data into clear, interactive visualizations that are easy for security analysts to understand.
  • Deep Integration: Works seamlessly with other AWS security services like GuardDuty and Security Hub, creating an efficient workflow from detection to investigation.
  • No Agents or Manual Setup: As a fully managed service, there is no software to deploy or log sources to configure manually.

Cons:

  • Regional Service: Must be enabled and managed separately in each AWS Region where you operate workloads.
  • Cost: Pricing is based on data volume, which can become significant in environments with very high levels of activity and log generation.
  • Reactive, Not Proactive: Detective is an investigation tool, not a prevention or detection tool. It helps you understand what happened after a potential threat has been identified by another service like GuardDuty.
  • Depends on Other Services: Its effectiveness is directly tied to the findings generated by services like GuardDuty. Enabling GuardDuty is a prerequisite.

Comparison with Alternatives

  • Amazon GuardDuty: GuardDuty is a threat detection service that identifies malicious or unauthorized behavior. Detective is a threat investigation service that helps you analyze the findings that GuardDuty generates. GuardDuty tells you that something suspicious happened, while Detective helps you understand the why, how, and what behind it.
  • AWS Security Hub: Security Hub is a service for security posture management that aggregates, organizes, and prioritizes security findings from various AWS services and third-party products. It provides a single pane of glass for all your security alerts. Detective is the tool you use to dive deep into the high-priority findings aggregated by Security Hub to perform a root cause analysis.

Exam Relevance

Amazon Detective is a key topic for security-focused AWS certifications, particularly the AWS Certified Security - Specialty (SCS-C02). It also appears on the AWS Certified Solutions Architect - Associate (SAA-C03) and Professional (SAP-C02) exams in the context of the Security and Incident Response domains.

Examinees should know:

  • The core purpose of Detective: to analyze, investigate, and identify the root cause of security findings (post-detection).
  • Its primary data sources: CloudTrail, VPC Flow Logs, EKS audit logs, and findings from GuardDuty and Security Hub.
  • The relationship between Detective, GuardDuty, and Security Hub: GuardDuty detects, Security Hub aggregates, and Detective investigates.
  • Key concepts like the behavior graph and its multi-account, regional nature.

Frequently Asked Questions

Q: What data sources does Amazon Detective use?

A: Amazon Detective automatically collects and processes data from several sources, including AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon GuardDuty findings, AWS Security Hub findings from integrated services, and Amazon EKS audit logs.

Q: How long does Amazon Detective store data?

A: Amazon Detective retains up to a full year of aggregated historical data in its behavior graph, allowing security teams to investigate incidents that may have occurred over a long period.

Q: Is Amazon Detective a regional or global service?

A: Amazon Detective is a regional service. It must be enabled in each AWS Region where you want to investigate security findings. All data collected and analyzed by Detective remains within the region where it was generated.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/23/2026 / Updated: 5/23/2026