AWS Security & Identity
Detective
Investigate security findings using automatically collected log data and graph analysis
Amazon Detective automatically collects log data from CloudTrail, VPC Flow Logs, GuardDuty findings, and EKS audit logs, builds a graph model of the relationships between AWS entities, and provides a visual investigation interface for security analysts. When GuardDuty surfaces a finding, Detective answers the "why" behind it (Is this anomalous? What else has this entity done?) without requiring manual log analysis.
How Detective Builds Its Investigation Graph
Detective continuously ingests data and constructs a behavior graph - a time-series model of relationships between AWS resources, IP addresses, user agents, and identities. This graph is retained for up to one year and powers the interactive investigation UI.
| Data source | What it captures for the graph |
|---|---|
| CloudTrail | API call patterns per IAM entity, timing, source IPs, user agents, error rates |
| VPC Flow Logs | Network connections between resources, external IP communications, port usage |
| GuardDuty findings | Threat signals that become investigation starting points |
| EKS audit logs | Kubernetes API calls, pod lifecycle, RBAC events |
Detective requires GuardDuty to be enabled first. It is designed as an investigation layer on top of GuardDuty's detection layer. The workflow is: GuardDuty detects a finding, the analyst clicks "Investigate with Detective", and Detective shows the behavior context around that finding.
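To make the behavior-graph idea concrete, here is a small added example (my own toy model, not AWS or Detective code) that turns constructed CloudTrail-style and VPC Flow Log-style records into a graph of timestamped, labelled edges and then answers two of the questions the investigation table below describes: which roles were chained by AssumeRole from a starting role, and which of our resources talked to a given external IP and how much. The record field names (`actor`, `event`, `target`, `ip`, `src`, `dst`, `port`, `bytes`) are simplified placeholders, not the real CloudTrail or flow-log schema.

```python
"""Toy behavior graph in the spirit of Detective's model (added example, not AWS code)."""
from collections import defaultdict

# Constructed, simplified CloudTrail-style records (field names are placeholders).
CLOUDTRAIL = [
    {"time": "2024-05-01T09:12Z", "actor": "role/app-server",  "event": "AssumeRole", "target": "role/data-reader", "ip": "10.0.1.5"},
    {"time": "2024-05-01T09:13Z", "actor": "role/data-reader", "event": "AssumeRole", "target": "role/admin-ops",   "ip": "10.0.1.5"},
    {"time": "2024-05-01T09:14Z", "actor": "role/admin-ops",   "event": "CreateUser", "target": "user/temp-admin",  "ip": "10.0.1.5"},
    {"time": "2024-05-01T10:00Z", "actor": "role/ci-runner",   "event": "AssumeRole", "target": "role/deployer",    "ip": "10.0.2.7"},
]
# Constructed, simplified VPC Flow Log-style records.
VPC_FLOW = [
    {"time": "2024-05-01T09:20Z", "src": "i-0aaa", "dst": "203.0.113.9",  "port": 443, "bytes": 5200},
    {"time": "2024-05-01T09:21Z", "src": "i-0aaa", "dst": "203.0.113.9",  "port": 443, "bytes": 48000},
    {"time": "2024-05-01T09:30Z", "src": "i-0bbb", "dst": "203.0.113.9",  "port": 22,  "bytes": 900},
    {"time": "2024-05-01T09:31Z", "src": "i-0bbb", "dst": "198.51.100.4", "port": 443, "bytes": 300},
]


class BehaviorGraph:
    """Entities are nodes; every observed relationship is a labelled, timestamped edge."""

    def __init__(self):
        # (source, label, destination) -> list of attribute dicts, one per observation
        self.edges = defaultdict(list)

    def add(self, src, label, dst, **attrs):
        self.edges[(src, label, dst)].append(attrs)

    def out_edges(self, node, label=None):
        """All (label, dst, observations) leaving node, optionally filtered by label."""
        return [(l, d, obs) for (s, l, d), obs in self.edges.items()
                if s == node and (label is None or l == label)]

    def in_edges(self, node, label=None):
        """All (src, label, observations) arriving at node, optionally filtered by label."""
        return [(s, l, obs) for (s, l, d), obs in self.edges.items()
                if d == node and (label is None or l == label)]


def build_graph(cloudtrail, vpc_flow):
    """Ingest both sources into one graph, the way Detective merges its data sources."""
    g = BehaviorGraph()
    for r in cloudtrail:
        g.add(r["actor"], r["event"], r["target"], time=r["time"], ip=r["ip"])
        g.add(r["actor"], "called_from", r["ip"], time=r["time"])
    for f in vpc_flow:
        g.add(f["src"], "connected_to", f["dst"], time=f["time"], port=f["port"], bytes=f["bytes"])
    return g


def role_chain(graph, start):
    """Follow AssumeRole edges from `start`: the lateral-movement view of an entity profile.
    Returns the ordered list of roles reached (depth-first, each role once)."""
    seen, order, stack = {start}, [], [start]
    while stack:
        node = stack.pop()
        for _, dst, _ in graph.out_edges(node, "AssumeRole"):
            if dst not in seen:
                seen.add(dst)
                order.append(dst)
                stack.append(dst)
    return order


def external_ip_profile(graph, ip):
    """Which of our resources talked to `ip`, how often, over which ports and how many
    bytes: the 'external IP analysis' view."""
    profile = {}
    for src, _, obs in graph.in_edges(ip, "connected_to"):
        profile[src] = {"connections": len(obs),
                        "bytes": sum(o["bytes"] for o in obs),
                        "ports": sorted({o["port"] for o in obs})}
    return profile


if __name__ == "__main__":
    g = build_graph(CLOUDTRAIL, VPC_FLOW)
    print("role chain from role/app-server:", role_chain(g, "role/app-server"))
    print("who talked to 203.0.113.9:", external_ip_profile(g, "203.0.113.9"))
```

The point of keeping every observation on the edge (rather than a single boolean "connected") is that the same graph answers both "is there a relationship?" and "how often, and since when?", which is what lets an analyst distinguish a long-standing integration from a first-time contact. Geolocation and ASN lookups, which Detective also shows, would be external enrichment and are not modelled here.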
Detective Investigation Capabilities
Detective provides purpose-built investigation workflows centered on entities (IAM roles, users, EC2 instances, IP addresses) and findings.
| Investigation scenario | What Detective shows |
|---|---|
| Compromised IAM role | All API calls made by the role over time, new/unusual API call types, source IPs compared to baseline |
| Suspicious EC2 instance | All inbound/outbound connections, which IPs connected, traffic volume vs baseline, associated processes |
| GuardDuty finding context | Was this API call truly anomalous for this entity? How does it compare to the prior 90-day baseline? |
| Lateral movement | Entity profile shows all assume-role calls, mapping which roles were chained |
| External IP analysis | Geolocation, ASN, which of your resources communicated with this IP, and how often |
The most powerful feature is the "new behavior" indicator: Detective shows whether an API call pattern (e.g., calling s3:GetObject at 3am from a new IP) deviates from the 90-day behavioral baseline for that entity. This dramatically reduces false-positive investigation time.
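The following is an added illustration of the baseline idea in code. It is my own simplified model, not Detective's algorithm: for one IAM role it builds a profile from the 90 days before a finding (API call types, source IPs, and active hours of day seen) and then annotates each event in the window after the finding with the ways it is new. The records are constructed CloudTrail-style entries with simplified field names (`time`, `event`, `ip`); the `s3:GetObject` at 03:02 from an unseen IP is the scenario the paragraph above describes.

```python
"""New-behavior check against a per-entity baseline (added example; not Detective's algorithm)."""
from datetime import datetime, timedelta, timezone

BASELINE_DAYS = 90  # the baseline window the page describes


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed CloudTrail-style records for one IAM role (simplified field names).
EVENTS = [
    # Three months of routine daytime activity from the VPC NAT address (constructed).
    *[{"time": f"2024-0{m}-{d:02d}T10:00:00Z", "event": "s3:GetObject", "ip": "10.0.0.12"}
      for m in (2, 3, 4) for d in range(1, 29)],
    {"time": "2024-04-15T11:30:00Z", "event": "s3:ListBucket", "ip": "10.0.0.12"},
    # Investigation window: the finding time and what surrounds it (constructed).
    {"time": "2024-05-01T03:02:00Z", "event": "s3:GetObject", "ip": "198.51.100.7"},       # new IP, odd hour
    {"time": "2024-05-01T03:05:00Z", "event": "iam:ListAccessKeys", "ip": "198.51.100.7"}, # new API as well
    {"time": "2024-05-01T10:15:00Z", "event": "s3:GetObject", "ip": "10.0.0.12"},          # routine
]


def build_baseline(events, finding_time, days=BASELINE_DAYS):
    """Profile of what this entity normally does in the `days` before the finding:
    API names seen, source IPs seen, and the hours of day (UTC) it is usually active."""
    start = finding_time - timedelta(days=days)
    window = [e for e in events if start <= parse(e["time"]) < finding_time]
    return {
        "apis": {e["event"] for e in window},
        "ips": {e["ip"] for e in window},
        "hours": {parse(e["time"]).hour for e in window},
        "samples": len(window),
    }


def new_behavior(event, baseline):
    """Return the reasons an event deviates from the baseline (empty list = seen before).
    A real implementation would use frequency thresholds rather than plain set membership."""
    reasons = []
    if event["event"] not in baseline["apis"]:
        reasons.append("new API call type")
    if event["ip"] not in baseline["ips"]:
        reasons.append("new source IP")
    if parse(event["time"]).hour not in baseline["hours"]:
        reasons.append("unusual hour of day")
    return reasons


def triage(events, finding_time, lookahead=timedelta(hours=12)):
    """Annotate every event in the window after the finding with its new-behavior indicators."""
    baseline = build_baseline(events, finding_time)
    report = []
    for e in events:
        t = parse(e["time"])
        if finding_time <= t < finding_time + lookahead:
            report.append((e["time"], e["event"], e["ip"], new_behavior(e, baseline)))
    return report


if __name__ == "__main__":
    for row in triage(EVENTS, parse("2024-05-01T03:00:00Z")):
        print(row)
```

Read the output the way an analyst would read Detective's indicators: the 10:15 `s3:GetObject` from the usual address carries no flags and can be deprioritised immediately, while the two 03:0x calls are flagged on several dimensions at once, which is the signal that justifies pulling the full CloudTrail record for that principal.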
Detective vs GuardDuty vs CloudTrail for Investigations
| Service | Role in security operations | When to use |
|---|---|---|
| GuardDuty | Detection - finds the needle in the haystack | Continuous, always-on threat detection |
| CloudTrail + Athena | Raw evidence - exact record of what happened | Deep forensic queries, legal evidence, long-term retention |
| Detective | Context and visualization - why is this suspicious? | Fast investigation of GuardDuty findings without writing SQL queries |
| Security Hub | Aggregation - all findings in one place | SOC dashboard, compliance posture, finding workflow management |
Detective is not a replacement for CloudTrail - it does not store the raw API call data independently and retains behavior graph data for only up to 1 year. For long-term retention and compliance, CloudTrail logs in S3 remain essential. Detective is a speed tool for analysts, not an archival system.
Detective Pricing and Multi-Account Setup
Detective pricing is based on the volume of data ingested into the behavior graph per month (GB). Costs vary by data source.
| Data source | Price |
|---|---|
| CloudTrail management events | $2.00 per GB ingested per month |
| VPC Flow Logs | $1.00 per GB ingested per month |
| GuardDuty findings | Free |
| EKS audit logs | $1.00 per GB ingested per month |
```bash
# Enable Detective and create a behavior graph
aws detective create-graph

# Invite member accounts to the graph
aws detective create-members \
  --graph-arn arn:aws:detective:us-east-1:123456789012:graph:xxx \
  --accounts AccountId=123456789012,EmailAddress=admin@example.com

# Accept the invitation from a member account
aws detective accept-invitation \
  --graph-arn arn:aws:detective:us-east-1:999999999999:graph:yyy
```

Interview Focus Points
1. What is the difference between GuardDuty and Amazon Detective? How do they complement each other?
2. How does Detective's "new behavior" feature help reduce false-positive investigation time?
3. Walk me through how you would use Detective to investigate a suspected compromised IAM role.
4. What data sources does Detective use to build its behavior graph?
5. What is the retention period for Detective's behavior graph and what implications does that have for long-term forensics?
6. How does Detective integrate with GuardDuty findings?
7. When would you use Detective vs querying CloudTrail logs in Athena for an investigation?