Security, Identity & Compliance

Amazon Detective

Analyze and investigate potential security issues using machine learning

Detective is like a security investigator who helps you understand what happened during a security incident. When GuardDuty alerts you about suspicious activity (like a compromised EC2 instance), Detective helps you investigate: what did the instance do? Who accessed it? What data was touched? Detective automatically collects and analyzes logs from CloudTrail, VPC Flow Logs, and GuardDuty, building a graph of relationships and activities. It's like having a detective who pieces together clues from security camera footage, access logs, and witness statements to tell you the full story of what happened.

Detective uses machine learning to analyze and visualize security data from CloudTrail, VPC Flow Logs, and GuardDuty findings. It builds a behavior graph showing relationships between AWS resources, IP addresses, and user activities over time. Detective automatically baselines normal behavior and highlights anomalies.

Key Capabilities

Key features: visualizations (interactive graphs showing resource relationships), finding groups (related findings grouped together), and time-based analysis (see activity before, during, and after an incident). Detective integrates with GuardDuty and Security Hub; click a finding to investigate in Detective.

Gotchas & Constraints

Gotcha #1: Detective requires 48 hours of data before it's useful; it needs that time to establish baselines. Gotcha #2: Detective charges based on the data volume ingested, so costs scale with CloudTrail and VPC Flow Logs volume. Constraints: maximum 1,200 accounts per behavior graph, data is retained for 1 year, and Detective is region-specific (it must be enabled in each region).

A company receives a GuardDuty alert: 'EC2 instance i-1234 is communicating with a known malicious IP.' The security team needs to investigate: is this a real threat, and what data was accessed? They open the finding in Detective, which shows a visualization of the instance's activities. Detective reveals the instance was launched 2 hours ago by an IAM user (not typical; instances are usually launched by Auto Scaling). The user's credentials were used from an unusual IP address (Russia, not their office in California). The instance accessed 50 S3 buckets and downloaded 10GB of data. Detective also shows the user's other activities: they created IAM users and modified security groups. The security team concludes the IAM user's credentials were compromised. They revoke the credentials, terminate the instance, rotate all secrets, and enable MFA for all users. Detective's visualization made the investigation take 30 minutes instead of 4 hours of manual log analysis.
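To make the behavior-graph idea from the overview and the pivots in the scenario above concrete, here is an added example (not text from this page and not Amazon Detective's own code) that builds a miniature graph from constructed CloudTrail-style records, baselines who normally launches instances, and then pivots from the instance in a finding to answer: who launched it, from where, what S3 data did it read, and what else did that identity do. All ARNs, IPs, bucket names and timestamps are constructed sample data; the "office" CIDR, the 4-hour investigation scope, and the convention that an instance's role session ARN ends in its instance id are assumptions made for the example.

```python
"""Toy behaviour graph over constructed CloudTrail-style events (added example,
not Amazon Detective code). Office CIDR, 4h scope and the '<role>/<instance-id>'
session-ARN convention are assumptions; every record below is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

OFFICE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed office range

USER = "arn:aws:iam::111122223333:user/alice"
ASG = "arn:aws:sts::111122223333:assumed-role/AutoScaling/asg"
INSTANCE_ROLE = "arn:aws:sts::111122223333:assumed-role/AppRole/i-1234"


def ev(time, name, actor, ip, resource):
    """One minimal CloudTrail-shaped record (a small subset of the real fields)."""
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": actor},
            "sourceIPAddress": ip, "resource": resource}


EVENTS = [  # constructed sample data
    # Normal baseline: Auto Scaling launches instances; alice works from the office.
    ev("2024-05-01T09:00:00Z", "RunInstances", ASG, "autoscaling.amazonaws.com", "i-0001"),
    ev("2024-05-01T15:00:00Z", "RunInstances", ASG, "autoscaling.amazonaws.com", "i-0002"),
    ev("2024-05-02T10:00:00Z", "DescribeInstances", USER, "198.51.100.20", "ec2"),
    # Incident: alice's credentials used from an unusual IP, then the new instance reads S3.
    ev("2024-05-03T10:00:00Z", "RunInstances", USER, "203.0.113.7", "i-1234"),
    ev("2024-05-03T10:05:00Z", "CreateUser", USER, "203.0.113.7", "user/backdoor"),
    ev("2024-05-03T10:06:00Z", "AuthorizeSecurityGroupIngress", USER, "203.0.113.7", "sg-0abc"),
    ev("2024-05-03T10:30:00Z", "GetObject", INSTANCE_ROLE, "10.0.1.5", "s3://finance-reports"),
    ev("2024-05-03T10:31:00Z", "GetObject", INSTANCE_ROLE, "10.0.1.5", "s3://customer-exports"),
    ev("2024-05-03T11:00:00Z", "ListObjects", INSTANCE_ROLE, "10.0.1.5", "s3://finance-reports"),
]
FINDING_TIME = "2024-05-03T12:00:00Z"  # when the (constructed) GuardDuty finding fired


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_office(ip):
    """True if the source is an IP inside an office range; service principals are not IPs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in OFFICE_NETS)


def build_graph(events):
    """Edges actor-[event]->resource and actor-[usedFrom]->ip, plus a reverse
    resource-[touchedBy]->actor edge so a pivot can start from a finding's resource."""
    graph = defaultdict(list)
    for e in events:
        actor = e["userIdentity"]["arn"]
        graph[actor].append(("usedFrom", e["sourceIPAddress"], e))
        graph[actor].append((e["eventName"], e["resource"], e))
        graph[e["resource"]].append(("touchedBy", actor, e))
    return graph


def launch_baseline(graph, before):
    """Which identity types launched instances before `before`? (the 'normal' picture)"""
    counts = Counter()
    for actor, edges in graph.items():
        for rel, _target, e in edges:
            if rel == "RunInstances" and parse(e["eventTime"]) < before:
                counts[actor.split(":")[-1].split("/")[0]] += 1  # 'user' or 'assumed-role'
    return counts


def investigate(graph, instance_id, finding_time, window=timedelta(hours=4)):
    """Pivot from a finding's instance through the graph within a time scope."""
    end = parse(finding_time)
    start = end - window
    in_scope = lambda e: start <= parse(e["eventTime"]) <= end
    report = {"launched_by": None, "launch_ip": None, "launch_ip_is_office": None,
              "buckets_read": set(), "other_actions": []}
    for rel, actor, e in graph[instance_id]:
        if rel == "touchedBy" and e["eventName"] == "RunInstances" and in_scope(e):
            report.update(launched_by=actor, launch_ip=e["sourceIPAddress"],
                          launch_ip_is_office=is_office(e["sourceIPAddress"]))
    if report["launched_by"]:  # what else did that identity do in scope?
        for rel, target, e in graph[report["launched_by"]]:
            if rel not in ("usedFrom", "RunInstances") and in_scope(e):
                report["other_actions"].append((rel, target))
    for node, edges in graph.items():  # role sessions of the instance: "<role>/<instance-id>"
        if node.endswith("/" + instance_id):
            report["buckets_read"].update(t for _r, t, e in edges
                                          if t.startswith("s3://") and in_scope(e))
    return report


GRAPH = build_graph(EVENTS)

if __name__ == "__main__":
    print("baseline launchers:", dict(launch_baseline(GRAPH, parse("2024-05-03T08:00:00Z"))))
    print(investigate(GRAPH, "i-1234", FINDING_TIME))
```

Run it and the report shows the same chain the scenario describes: the baseline says instances are normally launched by an assumed role, i-1234 was launched by an IAM user from an IP outside the office range, the instance's role session read two buckets, and the same user created a new IAM user and changed a security group within the scope. The real service does this over far more data, adds the VPC Flow Logs side, and learns the baseline instead of counting it, but the pivots an analyst clicks through are the same edges.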

The Result

Rapid incident response, a clear understanding of attack scope, and actionable remediation steps.
