This chapter covers Amazon Detective, a security investigation service that automatically analyzes billions of events to help you identify the root cause of security findings. For the CLF-C02 exam, this objective falls under Domain 2: Security and Compliance (approximately 30% of the exam), specifically objective 2.3: 'Explain the security services and features of AWS.' While Detective is not as heavily tested as GuardDuty or Config, it appears as a 'related service' in questions about incident response and investigation. Understanding Detective's role, how it ingests data, and its integration with other services is essential for answering scenario-based questions correctly.
Imagine you run a large office building with hundreds of rooms, each with its own security camera, badge reader, and door sensor. Every day, thousands of people move through the building. One morning, you discover that a confidential file is missing from a locked room. You need to find out who took it, when, and how they got in. You have mountains of logs: who swiped into which door, when cameras captured motion, and which computers were accessed. But the logs are scattered across different systems, each with its own format and time zone. Manually correlating them would take weeks. Amazon Detective is like hiring a team of expert detectives who instantly ingest all your security camera feeds, badge logs, and sensor data, then automatically stitch together a timeline of events. They don't just show you raw footage; they highlight the suspicious patterns—like someone tailgating through a door or accessing a room they never visit. They build a 'case file' for each incident, showing the exact sequence of actions, the identities involved, and the resources touched. In the cloud, Detective does the same with AWS CloudTrail, VPC Flow Logs, and GuardDuty findings—ingesting them, analyzing relationships, and producing visual graphs that let you click from a finding to the full attack path. It saves your security team days of manual work by automating the correlation behind an investigation; the alarm itself still comes from GuardDuty.
What is Amazon Detective and What Problem Does It Solve?
Amazon Detective is a fully managed security investigation service that makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. It automatically collects log data from AWS resources—specifically AWS CloudTrail, Amazon VPC Flow Logs, and Amazon GuardDuty findings—and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables faster and more efficient security investigations.
The core problem Detective solves is the 'needle in a haystack' issue in security operations. When a security alert fires (e.g., from GuardDuty), security analysts traditionally have to manually query multiple log sources, correlate timestamps, IP addresses, and user identities across different tools, and piece together the sequence of events. This manual process is time-consuming, error-prone, and often takes hours or days. Detective automates this correlation by pre-processing and linking the data into a 'behavior graph' that shows relationships between AWS resources, users, and network traffic over time. This allows analysts to visually trace the path of an incident from the initial finding to the root cause.
How Amazon Detective Works – The Mechanism
Detective operates by continuously ingesting and storing three primary data sources:
AWS CloudTrail – Records API calls made by users, roles, or AWS services. Detective ingests CloudTrail management events (control-plane calls such as RunInstances, AssumeRole, or AuthorizeSecurityGroupEgress). It does not ingest CloudTrail data events such as S3 object-level operations or Lambda invocations.
Amazon VPC Flow Logs – Captures information about IP traffic going to and from network interfaces in a VPC. This includes source/destination IP, ports, protocol, and packet counts.
Amazon GuardDuty Findings – Security findings generated by GuardDuty, such as suspicious API calls, unusual network patterns, or compromised instances.
Once Detective is enabled in a region, it starts receiving CloudTrail management events and VPC flow logs directly from those services; you do not need to create a CloudTrail trail or turn on VPC Flow Logs for Detective to get this data (configuring them for your own retention and manual querying is still good practice, but Detective does not depend on it). The one hard prerequisite is GuardDuty: it must have been enabled in the account for at least 48 hours before Detective can be enabled, and GuardDuty findings then flow in from it. The service processes the data through its analytical engine:
Ingestion and Normalization: Detective ingests raw log data from CloudTrail, VPC Flow Logs, and GuardDuty. It normalizes the data into a common schema, resolving differences in timestamps, formats, and identifiers.
Behavior Graph Construction: Using graph theory, Detective builds a 'behavior graph' that represents entities (e.g., IAM users, EC2 instances, IP addresses, security groups) and their interactions over time. Each entity is a node, and each interaction (e.g., an API call from a user to an instance) is an edge. The graph is temporal, meaning it tracks how relationships change over time.
Machine Learning and Statistical Baselines: Detective applies ML models to establish baselines of normal behavior for each entity. For example, it learns that a particular EC2 instance typically communicates with only a few known IP addresses on port 443. When deviations occur—like an instance suddenly connecting to an unknown IP on port 22—Detective flags it as anomalous.
Finding Correlation: When GuardDuty generates a finding (e.g., 'UnauthorizedAccess:EC2/SSHBruteForce'), Detective automatically correlates that finding with the relevant CloudTrail and VPC Flow Logs data to build a detailed timeline. It shows the resources involved, the IAM roles used, the source IPs, and the sequence of events leading up to and following the finding.
Visual Investigation Interface: Detective provides a web-based console where analysts can explore the behavior graph interactively. They can click on a finding to see a summary, then drill down into the associated entities and events. The interface includes a 'Scope' view that shows the context (e.g., all API calls made by a compromised IAM user in the last hour) and a 'Timeline' view that shows events chronologically.
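The five steps above, reduced to a runnable toy. This is an added example, not Detective's or AWS's code: it normalizes two constructed CloudTrail-shaped records and three constructed VPC Flow Log lines into one edge schema, builds a temporal behavior graph, derives a per-instance baseline of (destination, port) pairs and flags the flow that breaks it, then scopes a constructed GuardDuty-style finding to the entities and timeline around it, the same pivot you make in the console later in this chapter. The sample data, the ENI-to-instance lookup, the cutoff-based baseline, and the two-hop scope rule are all assumptions for illustration; the real service's graph model and statistical baselines are far richer.

```python
"""Toy, Detective-style behavior graph (added example; not AWS code). All input is
constructed: CloudTrail-shaped records, default-format VPC Flow Log lines, a finding."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CLOUDTRAIL_EVENTS = [  # constructed CloudTrail management events
    {"eventTime": "2025-03-01T09:00:00Z", "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc"}]}}},
    {"eventTime": "2025-03-01T09:05:00Z", "eventName": "AuthorizeSecurityGroupEgress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"groupId": "sg-0def"}},
]
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
VPC_FLOW_LOG_LINES = """\
2 111122223333 eni-0abc 10.0.1.5 10.0.2.7 49152 443 6 10 4000 1740819600 1740819660 ACCEPT OK
2 111122223333 eni-0abc 10.0.1.5 10.0.2.7 49153 443 6 12 4800 1740820200 1740820260 ACCEPT OK
2 111122223333 eni-0abc 10.0.1.5 198.51.100.9 49154 443 6 900 3600000 1740821000 1740821060 ACCEPT OK
"""  # constructed; epoch 1740819600 is 2025-03-01T09:00:00Z
ENI_TO_INSTANCE = {"eni-0abc": "i-0abc"}  # assumed lookup; the real service resolves ENIs itself
DEMO_FINDING = {"type": "Backdoor:EC2/C&CActivity.B", "updatedAt": "2025-03-01T09:25:00Z",
                "resource": {"instanceId": "i-0abc"}}  # constructed GuardDuty-style finding


@dataclass(frozen=True)
class Edge:
    """One timestamped interaction between two entities (the graph's nodes)."""
    ts: datetime
    src: str       # node id such as "user:dev-alice"
    dst: str       # node id such as "instance:i-0abc"
    kind: str      # CloudTrail eventName, "apiCallFrom", or "flow:<dstport>"
    nbytes: int = 0

def _iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_cloudtrail(records):
    """Normalization: CloudTrail JSON -> (source IP -> principal) and (principal -> resource) edges."""
    edges = []
    for r in records:
        ts, user = _iso(r["eventTime"]), "user:" + r["userIdentity"]["userName"]
        edges.append(Edge(ts, "ip:" + r["sourceIPAddress"], user, "apiCallFrom"))
        items = ((r.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        group = (r.get("requestParameters") or {}).get("groupId")
        target = "instance:" + items[0]["instanceId"] if items else ("sg:" + group if group else None)
        if target:
            edges.append(Edge(ts, user, target, r["eventName"]))
    return edges

def normalize_flow_logs(text, eni_to_instance):
    """Normalization: flow log lines -> (instance -> remote IP) edges, attributed through the ENI."""
    edges = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2" or f[2] not in eni_to_instance:
            continue  # skip headers, malformed records and ENIs we cannot attribute
        ts = datetime.fromtimestamp(int(f[10]), tz=timezone.utc)
        edges.append(Edge(ts, "instance:" + eni_to_instance[f[2]], "ip:" + f[4], "flow:" + f[6], int(f[9])))
    return edges

class BehaviorGraph:
    """Temporal graph: entities are nodes, timestamped interactions are edges."""
    def __init__(self):
        self.edges, self.adj = [], defaultdict(set)
    def add(self, edges):
        for e in edges:
            self.edges.append(e)
            self.adj[e.src].add(e.dst)
            self.adj[e.dst].add(e.src)
    def neighbors(self, node, hops=1):
        seen = {node}
        for _ in range(hops):
            seen |= {n for m in seen for n in self.adj.get(m, ())}
        return seen - {node}
    def timeline(self, nodes, start, end):
        hits = (e for e in self.edges if start <= e.ts <= end and (e.src in nodes or e.dst in nodes))
        return sorted(hits, key=lambda e: e.ts)  # stable, so same-second edges keep ingest order

def anomalous_flows(graph, instance, baseline_until_iso):
    """Baseline: (remote IP, port) pairs seen before the cutoff are normal; later flows to a
    never-seen pair are flagged, like the unknown-IP example in the text."""
    cutoff = _iso(baseline_until_iso)
    flows = [e for e in graph.edges if e.src == instance and e.kind.startswith("flow:")]
    baseline = {(e.dst, e.kind) for e in flows if e.ts < cutoff}
    return [e for e in flows if e.ts >= cutoff and (e.dst, e.kind) not in baseline]

def scope_finding(graph, finding, window=timedelta(hours=1), hops=2):
    """Correlation: from the finding's resource, pull in entities within `hops` (the launching
    user, its source IP, the security group it changed) and list their interactions in the window."""
    center = "instance:" + finding["resource"]["instanceId"]
    t = _iso(finding["updatedAt"])
    entities = {center} | graph.neighbors(center, hops)
    return {"finding": finding["type"], "entities": entities,
            "timeline": graph.timeline(entities, t - window, t + window)}

def build_demo_graph():
    g = BehaviorGraph()
    g.add(normalize_cloudtrail(CLOUDTRAIL_EVENTS))
    g.add(normalize_flow_logs(VPC_FLOW_LOG_LINES, ENI_TO_INSTANCE))
    return g

if __name__ == "__main__":  # stand-alone run prints the finding-scoped timeline
    for e in scope_finding(build_demo_graph(), DEMO_FINDING)["timeline"]:
        print(e.ts.strftime("%H:%M:%S"), e.src, "->", e.dst, e.kind)
```

Run stand-alone, the timeline lists the RunInstances and AuthorizeSecurityGroupEgress calls by dev-alice from 203.0.113.10, the instance's routine flows to 10.0.2.7, and the large flow to 198.51.100.9, which is also the only edge anomalous_flows reports against a baseline cut at 09:20. The two-hop expansion is what brings the security group and the caller's IP into scope even though neither touches the instance directly, which is the kind of link you would otherwise build by hand across two log sources.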
Key Features and Configurations
Data Retention: Detective keeps up to one year of aggregated data in the behavior graph. Retention is not a setting you tune or pay for separately, and nothing from before Detective was enabled is backfilled, so the year of history accrues from the day you turn it on. For CLF-C02, the number to remember is 'up to one year'.
Pricing: Detective is billed on the total volume of data ingested into the behavior graph, per GB per region per month, on a tiered scale whose per-GB rate drops as monthly volume passes roughly 1,000, 5,000, and 10,000 GB (the first tier has been around $2.00 per GB; check the pricing page for the current figures in your region). There is no separate price per source, no upfront cost, no minimum fee, and no storage charge for retention, and each new account gets a 30-day free trial.
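A small estimator for that tiered model, added here as an example rather than taken from AWS. The tier boundaries and rates in it are assumptions that mirror the shape of the published tiering, not a quote; verify them against the Detective pricing page for your region before using the numbers. It also shows the common misreading of tiered pricing (charging the whole month at the rate of the last tier reached), which understates the bill.

```python
"""Detective cost estimate from tiered per-GB ingestion pricing (added example, not AWS code).
Tier sizes and rates are assumptions to verify against the Detective pricing page."""

TIERS_USD_PER_GB = [  # (GB covered by this tier, price per GB); None marks the unbounded top tier
    (1_000, 2.00),
    (4_000, 1.00),
    (5_000, 0.50),
    (None, 0.25),
]


def monthly_cost(gb_ingested, tiers=TIERS_USD_PER_GB):
    """Charge each slice of the month's volume at its own tier rate (marginal tiering)."""
    remaining, total = max(float(gb_ingested), 0.0), 0.0
    for size, rate in tiers:
        slice_gb = remaining if size is None else min(remaining, size)
        total += slice_gb * rate
        remaining -= slice_gb
        if remaining <= 0:
            break
    return round(total, 2)


def flat_at_marginal_rate(gb_ingested, tiers=TIERS_USD_PER_GB):
    """The misreading: bill the whole volume at the rate of the tier it ends in."""
    cumulative = 0
    for size, rate in tiers:
        if size is None or gb_ingested <= cumulative + size:
            return round(float(gb_ingested) * rate, 2)
        cumulative += size
    return 0.0


def estimate(cloudtrail_gb, flow_log_gb, guardduty_gb, in_free_trial=False):
    """Detective bills on the combined volume ingested into the graph, so sum the sources
    first; the 30-day free trial for a new account makes that first month zero."""
    total_gb = cloudtrail_gb + flow_log_gb + guardduty_gb
    return 0.0 if in_free_trial else monthly_cost(total_gb)


if __name__ == "__main__":
    for gb in (500, 6_500, 12_000):
        print(f"{gb:>6} GB: tiered ${monthly_cost(gb):,.2f}  vs  flat-at-marginal ${flat_at_marginal_rate(gb):,.2f}")
```

For 6,500 GB the tiered walk gives 1,000 GB at the first rate, 4,000 at the second and 1,500 at the third, while the flat misreading prices all 6,500 GB at the third rate and comes out at less than half the real figure. Since flow-log volume usually dominates, the quickest way to size a budget is to read last month's flow-log bytes from the VPC Flow Logs CloudWatch or S3 destination and feed that into estimate().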
Multi-Account Support: Detective supports multi-account environments through AWS Organizations. The organization's management account designates a delegated administrator account for Detective; that account owns the behavior graph for the region, can auto-enable every current and future member account, and sees all of their data aggregated in one graph. Accounts outside the organization can still be added by invitation.
Integration with GuardDuty and AWS Security Hub: Both the GuardDuty and Security Hub consoles offer an 'Investigate in Detective' action on a finding that opens it in the Detective console with the scope time already set. Detective can also ingest the findings aggregated by Security Hub as an optional data source package.
Optional Data Source Packages: The core package (CloudTrail management events, VPC flow logs, GuardDuty findings) is enabled with the behavior graph. From the Detective settings you can additionally enable Amazon EKS audit logs and AWS security findings from Security Hub; each optional package adds to the ingested volume you pay for, and disabling one stops that ingestion.
Comparison to On-Premises or Competing Approaches
Before Detective, security teams had to build their own correlation engines using tools like Splunk, ELK stack, or custom scripts. This involved:
Setting up log collection pipelines.
Writing complex queries to join logs from different sources.
Building dashboards to visualize relationships.
Manually investigating each alert.
Detective eliminates this heavy lifting by providing a managed service that does the correlation automatically. Compared to on-premises SIEM solutions, Detective is:
Fully managed: No servers to provision, patches to apply, or scaling to manage.
Pay-as-you-go: No upfront licensing costs.
Integrated with AWS: Seamlessly works with CloudTrail, VPC Flow Logs, and GuardDuty.
Graph-based: Provides visual investigation that is intuitive and fast.
However, Detective is not a full SIEM replacement. It focuses on investigation, not real-time alerting (that's GuardDuty's role) or long-term compliance archiving (that's CloudTrail delivering to S3). It also does not ingest custom logs (application logs, OS logs, or anything from outside AWS); there is no API for pushing your own events into the behavior graph, so those still belong in a SIEM.
When to Use Detective vs Alternatives
Use Detective when: You need to investigate the root cause of a GuardDuty finding, you want to visually trace an attack path, or you need to understand the relationships between resources during an incident. It's ideal for incident response teams.
Use GuardDuty when: You need real-time threat detection and alerting. GuardDuty is the 'alarm bell'; Detective is the 'investigator'.
Use CloudTrail when: You need a raw log of all API calls for auditing or compliance. Detective uses CloudTrail data but adds correlation.
Use AWS Config when: You need to track resource configuration changes over time for compliance. Detective does not track configurations—it tracks events and network traffic.
Use Security Hub when: You need a central dashboard for all security alerts and compliance checks across multiple AWS services. Detective integrates with Security Hub but is not a replacement.
For the exam, remember that Detective is specifically for post-detection investigation—it helps answer 'What happened?' after a finding is generated. It is not a detection service itself (though it uses ML to identify anomalies within the data it ingests).
Enable Amazon Detective in a Region
To start using Detective, open the Detective console in the region you want to cover and choose 'Enable Detective'. The caller needs the detective:CreateGraph permission (the console button calls the CreateGraph API) and permission to create the AWSServiceRoleForDetective service-linked role. The account must have had GuardDuty enabled for at least 48 hours; if it has not, enabling Detective fails. Detective then creates a behavior graph for that region on AWS-managed infrastructure, so there is nothing for you to provision. It begins ingesting CloudTrail management events and VPC flow logs directly from those services, without a trail or flow-log configuration on your side, together with GuardDuty findings. Each account gets a 30-day free trial, after which you pay only for the data ingested.
Configure Data Sources
After enabling Detective, the 'Settings' page of the console lists the data source packages for the behavior graph. The Detective core package (CloudTrail management events, VPC flow logs, GuardDuty findings) is enabled with the graph; optional packages such as Amazon EKS audit logs and AWS security findings from Security Hub can be switched on or off there, and each enabled package adds to the ingested volume you are billed for. Retention is not a setting: Detective keeps up to one year of aggregated data and starts collecting only from the moment it is enabled, with no backfill of earlier activity. In a multi-account setup the delegated administrator chooses the source packages once for the whole graph.
Investigate a GuardDuty Finding
When GuardDuty generates a finding (e.g., 'Recon:EC2/Portscan'), Detective ingests it and links it to the CloudTrail and VPC flow-log activity of the entities it names. The fastest way in is the 'Investigate in Detective' action on the finding in the GuardDuty or Security Hub console, which opens the finding overview in Detective with the scope time set to the finding's window; you can also search for the finding ID or the affected instance in the Detective console. The overview shows the finding's description, severity, and affected entities. Click an entity (e.g., the EC2 instance) for its profile: the API calls made with its credentials, inbound and outbound connections, associated roles, and how that activity compares with the entity's usual pattern. Detective also groups related findings into finding groups, so several alerts from one incident are investigated together rather than one at a time. This lets you reconstruct the sequence of actions that led to the finding without joining logs by hand.
Explore the Behavior Graph
Beyond investigating specific findings, you can explore the behavior graph proactively. In the Detective console, use Search to look up an entity by type and identifier (an IAM user or role, an EC2 instance, an IP address, an AWS account, and so on) and open its profile. The profile summarizes that entity's activity over the selected scope time: API call volume and the methods used, resources touched, network traffic, and deviations from the entity's own baseline. Panels on the profile show the other entities it interacted with (for an IP address, the principals and instances that used it; for a role, who assumed it and from where), which is how you spot lateral movement or unusual access patterns across the graph.
Use Detective with AWS Organizations
If you manage multiple AWS accounts via AWS Organizations, the organization management account first designates a delegated administrator account for Detective (from the Detective console or with the EnableOrganizationAdminAccount API). The delegated administrator owns a single behavior graph per region that aggregates data from every member account, can turn on auto-enable so new organization accounts join automatically, and can add existing organization accounts without any acceptance step on their side; Detective creates the AWSServiceRoleForDetective service-linked role in each member account so it can read that account's data. Accounts outside the organization can still be added by invitation, which the invited account must accept. Once enabled, you investigate across accounts from one console: if a role in Account A is assumed by a principal in Account B, the profile shows the cross-account relationship. Detective therefore does not require Organizations, but large enterprises should use the delegated administrator model rather than invitations.
Scenario 1: Investigating Compromised Credentials
A company uses GuardDuty to monitor for threats. One day GuardDuty raises 'UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS': temporary credentials issued to an EC2 instance's role are being used from an IP address outside AWS. The security team opens the finding in Detective. The finding overview shows the role, the instance the credentials were issued to, the external IP making the calls, and the calls themselves. The timeline shows the stolen credentials being used to launch an EC2 instance in a region the company never uses, then to enumerate S3 buckets and bucket policies (all CloudTrail management events); the VPC flow logs for the original instance reveal the outbound connection that most likely carried the credentials out. Because everything is already correlated, the team can see which buckets were enumerated, which resources were created, and which IPs were involved, then invalidate the role's sessions (for example with a deny policy conditioned on aws:TokenIssueTime), terminate the rogue instance, and look for the web or SSRF flaw on the original instance that exposed its metadata credentials. Done by hand, the same work means searching CloudTrail for the role session name and joining it against flow logs, which takes hours instead of minutes.
Scenario 2: Troubleshooting a Network Anomaly
A startup notices unusual outbound traffic from an EC2 instance to an unknown IP address on port 443 and suspects malware. With Detective already enabled, they open the instance's profile. The network panel shows that the instance started talking to that IP only in the last hour, unlike every other destination in its history, and its RunInstances event shows it was launched from an AMI ID that is not on the team's approved list. The timeline reveals that a developer with IAM privileges launched the instance from a personal AMI and then called AuthorizeSecurityGroupEgress to allow outbound traffic to any IP. The team now has the full picture: an unauthorized instance, likely carrying malware, talking to a command-and-control server. They terminate the instance, revoke the developer's permissions, and investigate further. What made this fast is that the graph already linked the flow-log anomaly, the instance launch, the security group change, and the IAM user, so no log joins were needed. Had Detective not already been enabled, it could not have helped here: it does not backfill data from before it was turned on.
What Goes Wrong When Misconfigured
A common mistake is trying to enable Detective before GuardDuty has been running: GuardDuty must have been enabled in the account for at least 48 hours, and until then enabling Detective fails; without GuardDuty findings there is also nothing to pivot from. A second pitfall is expecting history that was never collected. Detective starts ingesting only when it is enabled, does not backfill earlier CloudTrail or flow-log activity, and needs time to accumulate behavior baselines, so enabling it in the middle of an incident gives you a thin graph. In multi-account setups, organization accounts that were never auto-enabled, or invited accounts that never accepted, are simply absent from the graph and create blind spots; check the member list rather than assuming coverage. Finally, some teams mistakenly think Detective provides real-time alerts. It does not; it is for post-detection investigation, while real-time detection is GuardDuty's job, so relying on Detective alone for detection means missed threats.
CLF-C02 Exam Focus on Amazon Detective
The CLF-C02 exam tests Amazon Detective under Domain 2: Security and Compliance, objective 2.3: 'Explain the security services and features of AWS.' While Detective is not a major topic (likely 1-2 questions), it appears in scenario-based questions where you must choose the correct service for a given task. Typically, the exam presents a scenario: 'A security team needs to investigate the root cause of a GuardDuty finding. Which service should they use?' The correct answer is Amazon Detective.
Common Wrong Answers and Why Candidates Choose Them
Amazon GuardDuty – Candidates choose GuardDuty because it is the most well-known security service. However, GuardDuty is for detection, not investigation. The question asks for investigating the root cause of an existing finding, not detecting new threats. GuardDuty generates findings; Detective investigates them.
AWS CloudTrail – Candidates think CloudTrail logs API calls, so it can be used for investigation. While CloudTrail logs are a data source, CloudTrail itself does not correlate events or provide visual investigation. Detective uses CloudTrail data but adds analysis. The exam emphasizes that Detective is the service for automated investigation.
Amazon Macie – Macie is for data classification and protection of sensitive data in S3. Candidates confuse it because both involve security. But Macie does not investigate findings; it discovers sensitive data.
AWS Security Hub – Security Hub aggregates findings from multiple services and provides a dashboard. It offers an 'Investigate in Detective' action on a finding, and Detective can ingest Security Hub's findings as an optional source, but Security Hub itself does not perform the deep correlation and graph-based investigation that Detective does.
Specific Terms and Values That Appear on the Exam
Behavior graph – The core concept; Detective builds a 'behavior graph' of entity interactions.
Data sources: CloudTrail, VPC Flow Logs, GuardDuty findings.
Retention: Up to 365 days.
Multi-account: Supports AWS Organizations.
Integration: Works with GuardDuty and Security Hub.
Tricky Distinctions
Detective vs. GuardDuty: GuardDuty detects threats; Detective investigates them. A question might say: 'A company receives a GuardDuty finding and wants to understand the sequence of events. Which service?' Answer: Detective.
Detective vs. CloudTrail: CloudTrail provides raw logs; Detective provides correlated analysis. If the question says 'automatically correlate events,' pick Detective.
Detective vs. Config: Config tracks resource configurations; Detective tracks events and network traffic. If the question is about investigating API calls and network flows, pick Detective.
Decision Rule for Multiple Choice
When you see a question about investigating a security finding, identifying the root cause, or understanding the sequence of events, ask: 'Is this about detection or investigation?' If it's about investigation, the answer is likely Amazon Detective. If it's about detection, the answer is GuardDuty. If it's about compliance configuration, the answer is AWS Config. If it's about sensitive data discovery, the answer is Macie.
Amazon Detective is a security investigation service that automatically correlates CloudTrail, VPC Flow Logs, and GuardDuty data to build a behavior graph.
Detective is for post-detection investigation, not real-time threat detection (that's GuardDuty's role).
Detective keeps up to one year of aggregated behavior graph data; retention is not a configurable setting and is not priced separately.
Detective supports multi-account environments via AWS Organizations for a unified behavior graph.
Pricing is based on the volume of data ingested per GB from each data source.
The exam tests Detective in scenario-based questions where you need to investigate a finding's root cause.
Common wrong answers for Detective questions include GuardDuty, CloudTrail, Macie, and Security Hub.
These come up on the exam all the time. Here's how to tell them apart.
Amazon Detective vs. Amazon GuardDuty
Role: Detective investigates existing findings and supports root-cause analysis; GuardDuty detects threats continuously using ML, anomaly detection, and threat intelligence.
Data: Detective correlates CloudTrail management events, VPC flow logs, and GuardDuty findings; GuardDuty analyzes CloudTrail, VPC flow logs, and DNS logs (plus optional protection plans) for anomalies.
Output: Detective builds a behavior graph of entity relationships; GuardDuty generates findings with severity levels.
Pricing: Detective is billed per GB ingested; GuardDuty is billed on the volume of log data it analyzes.
Retention: Detective keeps up to one year of graph data; GuardDuty keeps findings for 90 days.
Amazon Detective vs. AWS CloudTrail
Role: Detective automatically correlates events from multiple sources; CloudTrail records raw API calls for auditing and compliance.
Output: Detective provides visual, graph-based investigation; CloudTrail delivers JSON log records (to S3 through a trail, plus 90 days of event history in the console).
Scope: Detective ingests CloudTrail management events, VPC flow logs, and GuardDuty findings, plus optional source packages; CloudTrail can log both management events and data events.
Retention: Detective keeps up to one year; a trail keeps logs in S3 for as long as your bucket lifecycle policy allows.
Cost: Detective is billed on ingestion volume; CloudTrail delivers one copy of management events at no charge and bills data events and additional copies per event.
Mistake
Amazon Detective is a real-time threat detection service like GuardDuty.
Correct
Detective is not a detection service. It is an investigation service that analyzes data after a finding (e.g., from GuardDuty) is generated. It helps you understand what happened, not detect new threats in real time.
Mistake
Detective can ingest any type of log, including application logs.
Correct
Detective ingests only its AWS-native source packages: CloudTrail management events, VPC flow logs, and GuardDuty findings in the core package, plus optional EKS audit logs and Security Hub findings. It cannot ingest application or OS logs, and there is no API for pushing custom events into the behavior graph; those belong in a SIEM or CloudWatch Logs.
Mistake
You must set up a CloudTrail trail and VPC Flow Logs before Detective has anything to ingest.
Correct
Detective receives CloudTrail management events and VPC flow logs directly from those services, whether or not you have configured a trail or flow logs of your own. Its real prerequisite is GuardDuty, which must have been enabled in the account for at least 48 hours; without it Detective cannot be enabled, and without GuardDuty findings there is nothing to pivot from.
Mistake
Detective stores data indefinitely for free, or lets you shorten retention to save money.
Correct
Detective charges per GB of data ingested into the behavior graph on tiered per-GB rates, and keeps up to one year of aggregated data. Retention is not a configurable cost lever; what drives cost is the volume of CloudTrail, flow-log, GuardDuty and optional source-package data your accounts generate. The 30-day free trial is the only free window.
Mistake
Detective replaces the need for a SIEM solution.
Correct
Detective is not a full SIEM. It focuses on security investigation using AWS-native data sources. It does not provide real-time alerting, long-term archival, or support for non-AWS data. Many organizations use Detective alongside a SIEM for deeper analysis.
Amazon Detective's core data source package ingests three AWS sources: AWS CloudTrail management events (not data events), Amazon VPC flow logs, and Amazon GuardDuty findings; optional packages add Amazon EKS audit logs and AWS security findings from Security Hub. It does not ingest other log types such as application or OS logs. CloudTrail and flow-log data are received directly from those services, so you do not have to configure a trail or flow logs; GuardDuty, however, must have been enabled for at least 48 hours before Detective can be enabled.
GuardDuty is a threat detection service that uses machine learning to identify suspicious activity and generate findings in real time. Detective is an investigation service that takes those findings (and other data) and correlates them with CloudTrail and VPC Flow Logs to help you understand the root cause and sequence of events. In short: GuardDuty detects, Detective investigates. On the exam, if a question asks about 'investigating a finding,' the answer is Detective.
Yes. Detective supports multi-account environments. The recommended path is AWS Organizations: the management account designates a delegated administrator for Detective, which owns one behavior graph per region aggregating data from all member accounts and can auto-enable new accounts; organization accounts do not need to accept anything. Accounts outside the organization can be added by invitation, which they must accept. In both cases Detective creates the AWSServiceRoleForDetective service-linked role in the member account so it can read that account's data, and you investigate cross-account activity from the administrator's console.
A behavior graph is a data structure that represents entities (e.g., IAM users, EC2 instances, IP addresses) and their interactions over time. Detective builds this graph by ingesting CloudTrail, VPC Flow Logs, and GuardDuty data. Nodes are entities, and edges are interactions (e.g., API calls, network connections). The graph is temporal, meaning it tracks how relationships change. You can explore the graph visually in the Detective console to see connections and timelines.
Detective pricing is based on the total volume of data ingested into the behavior graph, billed per GB per region per month on a tiered scale whose per-GB rate drops as monthly volume passes roughly 1,000, 5,000, and 10,000 GB; the figures on the AWS pricing page (around $2.00 per GB for the first tier, falling to a fraction of that at the top) vary by region, so check them there. There are no per-source rates, upfront fees, minimum commitments, or separate storage charges, and new accounts get a 30-day free trial. You can estimate costs with the AWS Pricing Calculator once you know your monthly CloudTrail, flow-log, and GuardDuty volumes; flow logs usually dominate.
No, Detective does not provide real-time alerts. It is designed for post-detection investigation. Real-time threat detection is provided by Amazon GuardDuty. Detective ingests GuardDuty findings after they are generated and then correlates them with other data to help you investigate. If you need real-time alerting, you should use GuardDuty in combination with Amazon EventBridge or Security Hub.
Detective keeps up to one year of aggregated data in the behavior graph; retention is not a user-configurable setting. The exam answer is 'up to one year'. Collection starts when Detective is enabled, so that year of history accrues from that point; nothing earlier is backfilled, which is a reason to enable Detective before you need it rather than during an incident.