Amazon Detective

  • Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
  • automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that lets you conduct faster and more efficient security investigations.
  • enables customers to view summaries and analytical data associated with CloudTrail logs, VPC Flow Logs, EKS audit logs, Amazon GuardDuty findings, and AWS Security Hub findings.
  • provides detailed summaries, analysis, and visualizations of the behaviors and interactions amongst your AWS accounts, EC2 instances, AWS users, roles, and IP addresses.
  • maintains up to a year of aggregated data and makes it easily available through a set of visualizations that show changes in the type and volume of activity over a selected time window, and links those changes to security findings.
  • is a Regional service and needs to be enabled on a region-by-region basis. This ensures all data analyzed is regionally based and doesn’t cross AWS regional boundaries.
  • does not require Amazon GuardDuty to be enabled. As of Feb 2024, the requirement to have GuardDuty enabled for 48 hours before enabling Detective has been removed.
  • is a multi-account service that aggregates data from monitored member accounts under a single administrative account within the same region.
  • Multi-account monitoring deployments can be configured in the same way as administrator and member accounts are configured in Amazon GuardDuty and AWS Security Hub.
  • is integrated with AWS Organizations. The organization management account designates a Detective administrator account for the organization.
  • has no impact on the performance or availability of the AWS infrastructure since it retrieves the log data and findings directly from the AWS services.
  • supports VPC endpoints via AWS PrivateLink, enabling secure API calls to Detective from within a VPC without requiring internet traversal.
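The multi-account setup described above, written out as an added boto3 example (this is not code from the page or from AWS): the Organizations management account delegates a Detective administrator for one Region, and the administrator account then reuses or creates that Region's behavior graph, auto-enables accounts that join the organization later, and adds the existing ones. The account IDs, e-mail addresses and Region are constructed placeholders, and the Detective clients are passed in as parameters so the workflow can be exercised offline with a fake client.

```python
"""Delegate a Detective administrator and enrol organization member accounts.

Added example using boto3 (not code from the page or from AWS). Account IDs,
e-mail addresses and the Region are constructed placeholders. The Detective
clients are passed in as parameters so the workflow can be exercised offline
with a fake client; real clients are created only under __main__.
"""
from __future__ import annotations

REGION = "us-east-1"          # Detective is Regional: repeat this per Region you use
ADMIN_ACCOUNT_ID = "111111111111"              # constructed placeholder
MEMBER_ACCOUNTS = {                            # constructed placeholders
    "222222222222": "sec-member-a@example.com",
    "333333333333": "sec-member-b@example.com",
}


def delegate_admin(mgmt_detective, admin_account_id: str) -> str:
    """Run with Organizations management-account credentials: designate the
    Detective administrator account for this Region."""
    mgmt_detective.enable_organization_admin_account(AccountId=admin_account_id)
    return admin_account_id


def ensure_graph(admin_detective) -> str:
    """Run as the administrator account: reuse the existing behavior graph in
    this Region (each administrator has one per Region), else create it."""
    graphs = admin_detective.list_graphs().get("GraphList", [])
    if graphs:
        return graphs[0]["Arn"]
    return admin_detective.create_graph()["GraphArn"]


def _current_member_ids(admin_detective, graph_arn: str) -> set[str]:
    """ListMembers is paginated; walk every page so no member is missed."""
    ids: set[str] = set()
    kwargs = {"GraphArn": graph_arn}
    while True:
        page = admin_detective.list_members(**kwargs)
        ids.update(m["AccountId"] for m in page.get("MemberDetails", []))
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]


def enrol_members(admin_detective, graph_arn: str, members: dict[str, str]) -> dict:
    """Auto-enable accounts that join the organization later, then add the
    existing ones that are not members yet. Returns what was added, what was
    already present and what Detective could not process, so the caller can
    alert on coverage gaps instead of assuming every account is monitored."""
    admin_detective.update_organization_configuration(GraphArn=graph_arn, AutoEnable=True)
    already = _current_member_ids(admin_detective, graph_arn)
    todo = [{"AccountId": acct, "EmailAddress": email}
            for acct, email in members.items() if acct not in already]
    result = {"added": [], "skipped": sorted(already), "unprocessed": []}
    if todo:
        resp = admin_detective.create_members(
            GraphArn=graph_arn, Accounts=todo, DisableEmailNotification=True)
        result["added"] = [m["AccountId"] for m in resp.get("Members", [])]
        result["unprocessed"] = [u["AccountId"] for u in resp.get("UnprocessedAccounts", [])]
    return result


if __name__ == "__main__":
    import boto3  # real AWS clients only when run against an account

    mgmt = boto3.client("detective", region_name=REGION)   # management-account creds
    delegate_admin(mgmt, ADMIN_ACCOUNT_ID)
    admin = boto3.client("detective", region_name=REGION)  # administrator-account creds
    graph_arn = ensure_graph(admin)
    print(enrol_members(admin, graph_arn, MEMBER_ACCOUNTS))
```

Because Detective is Regional, the same three steps have to be repeated in every Region where the organization runs workloads; the `unprocessed` list is the thing to alert on, since an account Detective rejects is an account whose activity never reaches the behavior graph.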

Amazon Detective Data Sources

  • AWS CloudTrail logs – management events capturing API activity across your AWS accounts.
  • Amazon VPC Flow Logs – network traffic data for IP traffic going to and from network interfaces.
  • Amazon EKS Audit Logs – Kubernetes audit logs from EKS clusters for container security investigations.
  • Amazon GuardDuty findings – threat detection findings including runtime monitoring, malware protection, and extended threat detection.
  • AWS Security Hub findings – security posture findings from Security Hub and integrated services.
  • Other integrated AWS security services – including Amazon Inspector vulnerability findings.

Amazon Detective Finding Groups

  • Finding Groups automatically consolidate multiple related security findings into a single security event.
  • Detective detects patterns or relationships among multiple findings that suggest they are related to the same potential security incident.
  • Grouping helps in managing and investigating related findings more efficiently by reducing noise and prioritizing findings that present true risk.
  • Includes findings from GuardDuty, Security Hub, and Amazon Inspector vulnerability findings.
  • Provides interactive visualizations including radial layout and timeline layout views.
  • Supports severity-based filtering for findings to help prioritize critical issues.
  • Timeline layout includes play button functionality to understand event progression.

Finding Group Summaries (Generative AI)

  • Detective automatically generates finding group summaries powered by generative AI.
  • Analyzes relationships between findings and affected resources, and summarizes potential threats in natural language.
  • Provides a plain language title based on the analysis of the finding group with relevant summarized insights.
  • Describes the activity that initiated the event and its impact.
  • Accelerates security investigations by providing instant context without manual correlation.

Amazon Detective Investigations

  • Detective Investigations is a one-click investigation feature that automatically investigates IAM users and IAM roles for indicators of compromise (IoC).
  • Uses machine learning models and threat intelligence to analyze resources for potential security incidents.
  • Determines if IAM principals have potentially been compromised or involved in known tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework.
  • Investigates attack tactics, impossible travel, flagged IP addresses, and finding groups.
  • Generates an investigation report highlighting anomalous behavior that indicates potential compromise.
  • Can generate up to 500 investigations per month in each AWS Region.
  • Detective recommends resources to investigate based on activity in findings and finding groups.
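The Investigations workflow described above, as an added boto3 example (not code from the page or from AWS): start an investigation on one IAM principal over a time window, poll until it reaches a terminal status, and then walk the paginated indicator list to count what was found by type. The graph and role ARNs are constructed placeholders, the client is injected so the logic runs offline against a fake, and the request and response field names follow the Detective StartInvestigation, GetInvestigation and ListIndicators API calls as the author understands them.

```python
"""Start a Detective investigation on an IAM principal, wait for it, and
summarise the indicators it found.

Added example using boto3 (not code from the page or from AWS). The graph and
role ARNs are constructed placeholders; the client is injected so the logic
runs offline against a fake. Request/response field names follow the
Detective StartInvestigation, GetInvestigation and ListIndicators API calls
as the author understands them.
"""
from __future__ import annotations

import time
from collections import Counter
from datetime import datetime, timedelta, timezone

GRAPH_ARN = "arn:aws:detective:us-east-1:111111111111:graph:EXAMPLE"   # placeholder
ROLE_ARN = "arn:aws:iam::222222222222:role/ExampleDeployRole"          # placeholder
TERMINAL_STATUSES = {"SUCCESSFUL", "FAILED"}


def scope_window(end: datetime | None = None, days: int = 7) -> tuple[datetime, datetime]:
    """Time range the investigation covers; timestamps must be timezone-aware."""
    end = end or datetime.now(timezone.utc)
    if end.tzinfo is None:
        raise ValueError("scope end must be timezone-aware (UTC)")
    return end - timedelta(days=days), end


def start_investigation(detective, graph_arn: str, entity_arn: str, days: int = 7) -> str:
    """One investigation per call; the page notes a quota of 500 per month per
    Region, so triage which principals you submit rather than every role."""
    start, end = scope_window(days=days)
    resp = detective.start_investigation(
        GraphArn=graph_arn, EntityArn=entity_arn,
        ScopeStartTime=start, ScopeEndTime=end)
    return resp["InvestigationId"]


def wait_for(detective, graph_arn: str, investigation_id: str,
             poll: float = 5.0, timeout: float = 600.0, sleep=time.sleep) -> dict:
    """Poll GetInvestigation until Status is terminal; fail instead of hanging."""
    deadline = time.monotonic() + timeout
    while True:
        inv = detective.get_investigation(GraphArn=graph_arn, InvestigationId=investigation_id)
        if inv["Status"] in TERMINAL_STATUSES:
            return inv
        if time.monotonic() >= deadline:
            raise TimeoutError(f"investigation {investigation_id} still {inv['Status']}")
        sleep(poll)


def indicator_summary(detective, graph_arn: str, investigation_id: str) -> dict[str, int]:
    """Count indicators by type across all ListIndicators pages. Types such as
    TTP_OBSERVED, IMPOSSIBLE_TRAVEL, FLAG_IP and RELATED_FINDING_GROUP correspond
    to the attack tactics, impossible travel, flagged IPs and finding groups the
    page lists; NEW_GEOLOCATION / NEW_ASO / NEW_USER_AGENT are behaviour changes."""
    counts: Counter[str] = Counter()
    kwargs = {"GraphArn": graph_arn, "InvestigationId": investigation_id}
    while True:
        page = detective.list_indicators(**kwargs)
        for ind in page.get("Indicators", []):
            counts[ind["IndicatorType"]] += 1
        if not page.get("NextToken"):
            return dict(counts)
        kwargs["NextToken"] = page["NextToken"]


def triage(detective, graph_arn: str, entity_arn: str, days: int = 7, sleep=time.sleep) -> dict:
    """End-to-end: start, wait, summarise. A FAILED run yields no indicators."""
    inv_id = start_investigation(detective, graph_arn, entity_arn, days)
    inv = wait_for(detective, graph_arn, inv_id, sleep=sleep)
    report = {"investigation_id": inv_id, "status": inv["Status"],
              "severity": inv.get("Severity"), "indicators": {}}
    if inv["Status"] == "SUCCESSFUL":
        report["indicators"] = indicator_summary(detective, graph_arn, inv_id)
    return report


if __name__ == "__main__":
    import boto3

    client = boto3.client("detective", region_name="us-east-1")
    print(triage(client, GRAPH_ARN, ROLE_ARN))
```

The returned report is deliberately small (status, severity, indicator counts) so it can be attached to a ticket or fed to a SIEM; the full per-indicator detail stays in the Detective console, where the analyst reviews it.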

Amazon Detective and Security Lake Integration

  • Detective integrates with Amazon Security Lake to query and retrieve raw log data stored in Security Lake.
  • Enables deeper analysis with access to more detailed parameters as original evidence.
  • Supports log collection from CloudTrail management events, Amazon VPC Flow Logs, and Amazon EKS Audit Logs.
  • Supports both OCSF source version 1 (1.0.0-rc.2) and source version 2 (OCSF 1.1.0).
  • Allows querying log sources without having to craft queries or leave the Detective console.

Amazon Detective vs GuardDuty

  • Amazon GuardDuty is a threat detection service that continuously monitors malicious activity and unauthorized behavior to protect AWS accounts and workloads.
  • Amazon Detective simplifies the process of investigating security findings and identifying the root cause. It automatically creates a graph model and provides a unified, interactive view of your resources, users, and the interactions between them over time.
  • GuardDuty detects threats; Detective investigates those threats to determine root cause and scope.
  • Detective supports GuardDuty findings including Runtime Monitoring (ECS, EKS, EC2), Malware Protection for S3, Lambda Protection, RDS Protection, and Extended Threat Detection (attack sequences).

Amazon Detective Key Features

  • Graph Model – constructs a behavior graph using ML, statistical analysis, and graph theory to link security-related data for investigations.
  • Interactive Visualizations – provides geolocation-based login attempt views, API call volume analysis, and VPC flow volume tracking.
  • Seamless Integration – integrated with GuardDuty, Security Hub, Amazon Inspector, Amazon Security Lake, and AWS Partner security products.
  • AWS PrivateLink – supports VPC endpoints for private API access without internet traversal (added Sept 2025).
  • Simple Deployment – no software to deploy, agents to install, or data sources to enable manually.
  • Entity Profiles – provides profiles for AWS accounts, IAM users, IAM roles, EC2 instances, S3 buckets, EKS clusters, IP addresses, container images, and Kubernetes pods.
  • CSV Export – supports exporting data from Summary page and search results in CSV format.

Figure: Amazon Detective (Source: Amazon)

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day, and both the questions and answers might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. A security team needs to investigate a potential security incident across multiple AWS accounts. They want a service that automatically correlates security findings and provides visualizations of related entities. Which AWS service should they use?
    1. Amazon GuardDuty
    2. AWS Security Hub
    3. Amazon Detective
    4. AWS CloudTrail

    Answer: 3. Amazon Detective automatically creates a graph model that correlates findings across accounts and provides interactive visualizations for security investigations.

  2. Which data sources does Amazon Detective automatically ingest? (Select THREE)
    1. AWS CloudTrail logs
    2. Amazon VPC Flow Logs
    3. Amazon S3 access logs
    4. Amazon EKS audit logs
    5. AWS Config rules evaluations

    Answer: 1, 2, 4. Amazon Detective automatically ingests CloudTrail logs, VPC Flow Logs, and EKS audit logs, along with GuardDuty and Security Hub findings.

  3. A company uses Amazon Detective and wants to investigate whether an IAM role has been compromised. Which Detective feature provides automated investigation of IAM entities for indicators of compromise?
    1. Finding Groups
    2. Detective Investigations
    3. Behavior Graph
    4. Security Lake Integration

    Answer: 2. Detective Investigations is a one-click feature that automatically investigates IAM users and roles for indicators of compromise (IoC) using the MITRE ATT&CK framework.

  4. What is the purpose of Amazon Detective Finding Groups?
    1. To group AWS accounts for multi-account monitoring
    2. To consolidate related security findings that may belong to the same security incident
    3. To organize VPC Flow Logs by security groups
    4. To categorize CloudTrail events by service

    Answer: 2. Finding Groups automatically consolidate multiple related security findings into a single security event, reducing noise and helping prioritize findings that present true risk.

  5. Which statements about Amazon Detective are correct? (Select TWO)
    1. It requires Amazon GuardDuty to be enabled for at least 48 hours before activation
    2. It is a Regional service that does not cross AWS regional boundaries
    3. It can maintain up to 5 years of aggregated data
    4. It provides finding group summaries powered by generative AI
    5. It requires manual configuration of data sources

    Answer: 2, 4. Detective is regional and provides GenAI-powered finding group summaries. As of Feb 2024, GuardDuty is no longer required. Detective maintains up to 1 year (not 5) of data. No manual data source configuration is needed.

  6. A security analyst wants to access raw log data during an investigation without leaving the Amazon Detective console. Which integration enables this capability?
    1. AWS CloudTrail Lake
    2. Amazon Security Lake
    3. Amazon S3 Select
    4. Amazon Athena

    Answer: 2. Detective integrates with Amazon Security Lake, enabling analysts to query and retrieve raw log data stored in Security Lake directly from the Detective console.
