SAA-C03 · Chapter 67 of 189 · Objective 1.4

Amazon Detective

This chapter covers Amazon Detective, a security investigation service that helps you analyze and identify the root cause of security incidents. For the SAA-C03 exam, Detective is a relatively minor but distinct topic, appearing in roughly 2-5% of questions, often as part of a larger security scenario. Understanding Detective’s purpose, how it differs from GuardDuty and Security Hub, and when to use it is critical for answering security-related questions correctly.

25 min read
Intermediate
Updated May 31, 2026

Detective as a Security Camera System

Imagine a company with a large office building that has security cameras everywhere. Normally, the cameras just record video, but nobody watches them unless an incident occurs. When something suspicious happens (e.g., a theft), the security team reviews the footage from the relevant cameras and time period to understand what happened. Amazon Detective works similarly: it continuously collects and stores logs from AWS services (like VPC Flow Logs, CloudTrail, and GuardDuty findings) but doesn’t actively alert. Instead, when a security incident is detected (e.g., by GuardDuty), you can use Detective to investigate by looking at the stored data for that specific time and resources. Detective automatically generates visualizations and graphs showing resource interactions, IP traffic, and API calls, much like a security system that can zoom in on specific camera feeds and show a timeline of events. Without Detective, you would have to manually query logs across multiple services, which is like watching hours of raw video footage to find a few seconds of relevant action. Detective pre-processes and correlates the data, making investigation fast and efficient.

How It Actually Works

What is Amazon Detective?

Amazon Detective is a managed security investigation service that automatically collects, processes, and analyzes log data from AWS resources to help you identify the root cause of security findings or suspicious activities. It ingests data from three primary sources: AWS CloudTrail logs, VPC Flow Logs, and Amazon GuardDuty findings. Detective then uses machine learning, statistical analysis, and graph theory to create a unified view of resource interactions, allowing you to visualize and trace the sequence of events leading up to a security incident.

Unlike GuardDuty (which generates alerts on potential threats) or Security Hub (which aggregates findings from multiple services), Detective focuses on post-detection investigation. It does not generate alerts itself; rather, it provides a detailed forensic analysis environment. When you have a GuardDuty finding or a suspicious API call, you can use Detective to drill down into the relevant data: which resources were involved, what network connections were made, which IAM users or roles were used, and what API calls were executed.

How Detective Works

Detective runs in your AWS account and is enabled per region. Once enabled, it begins ingesting data from the configured sources. The service stores data for up to one year (default retention) and creates a graph of relationships between resources (e.g., EC2 instances, IAM users, S3 buckets). The graph is built using the following process:

1. Data Ingestion: Detective pulls CloudTrail management events, VPC Flow Logs (only from VPCs that are enabled for flow logs at the account level, not individual flow logs), and GuardDuty findings. You must have these services enabled; Detective does not enable them for you.

2. Data Processing: Detective normalizes and enriches the data. For example, it extracts source and destination IPs, timestamps, user agents, and resource ARNs. It also calculates baseline behavior using machine learning to identify anomalies.

3. Graph Construction: Detective builds a graph where nodes represent AWS resources (e.g., EC2 instances, IAM roles) and edges represent interactions (e.g., network connections, API calls). The graph is temporal, showing how interactions change over time.

4. Investigation Interface: When you open a finding or a specific time range, Detective presents a visual graph of the involved resources, a timeline of events, and a list of related findings. You can click on any node to see detailed information, such as all API calls made by an IAM user or all network connections from an EC2 instance.

Key Components and Defaults

Data Sources: Detective requires at least one data source to be enabled. You can choose from CloudTrail (management events), VPC Flow Logs, and GuardDuty findings. You must have the corresponding service enabled in your account. Detective does not ingest CloudTrail data events (S3 object-level or Lambda function calls) by default; you must specifically configure CloudTrail to log those and then enable Detective to use that trail.

Retention: Detective retains all data for one year. You cannot change this retention period. Data older than one year is automatically deleted.

Cost: Detective charges based on the volume of data ingested from CloudTrail, VPC Flow Logs, and GuardDuty findings. There is no upfront cost. Pricing is per GB of data ingested, with a per-account monthly cap. For example, as of 2025, the first 1 GB per account per month is free, then $2.00 per GB for CloudTrail data, $0.50 per GB for VPC Flow Logs, and $1.00 per GB for GuardDuty findings. These prices vary by region and may change.

Behavioral Graphs: Detective creates a separate behavioral graph for each region where it is enabled. You can enable Detective in multiple regions; each region has its own graph. You cannot merge graphs across regions.

Permissions: To use Detective, you need IAM permissions to enable and manage the service. The AmazonDetectiveFullAccess managed policy provides full access. For reading data, AmazonDetectiveReadOnlyAccess is sufficient.

Configuration and Verification

To enable Detective:

1. Open the Detective console.
2. Click "Enable Detective" and confirm the region.
3. Optionally, configure data sources (e.g., specify which CloudTrail trail to use).
4. Click "Enable Detective".

To verify Detective is working:

- Check the Detective dashboard for data volume graphs.
- Use the Detective API ListGraphs to see active graphs:

aws detective list-graphs --region us-east-1

Run a test by generating a GuardDuty finding (e.g., a suspicious API call) and then opening the finding in Detective to see the investigation page.

Integration with Related Services

GuardDuty: Detective is often used in conjunction with GuardDuty. When GuardDuty generates a finding, you can click "Investigate with Detective" in the GuardDuty console to open the Detective investigation page for that finding.

Security Hub: Security Hub can ingest findings from GuardDuty and then forward them to Detective for investigation. However, Security Hub does not directly integrate with Detective; the integration is through GuardDuty.

CloudTrail: Detective ingests CloudTrail management events. It can also ingest data events if you configure a separate trail and point Detective to it.

VPC Flow Logs: Detective ingests VPC Flow Logs at the account level. You must have VPC Flow Logs enabled for the VPCs you want to monitor. Detective does not create flow logs; it only ingests existing ones.

Limitations and Considerations

Detective is not a real-time service. There is a delay of several minutes (typically 5-15 minutes) between an event occurring and it appearing in Detective.

Detective does not support cross-region graphs. You must investigate in each region separately.

Detective does not provide alerting. It is purely for investigation after an alert is generated by another service.

Detective cannot be used to block or remediate threats; it only provides visibility.

Data retention is fixed at one year; you cannot extend it.

Exam Tips

Remember that Detective is for investigation, not detection. GuardDuty detects, Detective investigates.

Detective requires other services to be enabled first: CloudTrail, VPC Flow Logs, and/or GuardDuty. It does not enable them.

Detective ingests CloudTrail management events by default. To ingest data events, you must configure a separate trail and point Detective to it.

Detective retains data for one year – this is a common exam fact.

Detective creates a behavioral graph per region.

Detective is often the correct answer when a question asks for root cause analysis of a security finding.

Walk-Through

1. Enable Detective in a Region

First, you must enable Detective in the AWS Management Console or via API. This creates a behavioral graph for that region. The service starts ingesting data from the data sources you have already enabled (CloudTrail, VPC Flow Logs, GuardDuty). If you have not enabled these sources, Detective will ingest nothing. During enablement, you can choose which CloudTrail trail to use (if multiple exist) and whether to include VPC Flow Logs. Detective does not automatically enable any source; you must have them running.

2. Ingest Data from Sources

Once enabled, Detective begins pulling data from CloudTrail (management events), VPC Flow Logs (from all VPCs with flow logs enabled at account level), and GuardDuty findings. The data is ingested continuously. Detective processes this data to normalize timestamps, extract IP addresses, identify resource ARNs, and build a relationship graph. The ingestion delay is typically 5-15 minutes. For example, a CloudTrail event will appear in Detective about 10 minutes after it occurs.

3. Build Behavioral Graph

Detective uses the ingested data to construct a graph of resource interactions. Nodes represent resources like EC2 instances, IAM users, or S3 buckets. Edges represent connections such as network flows or API calls. The graph is temporal, meaning it shows how interactions change over time. Detective also uses machine learning to establish baselines of normal behavior. For instance, if an EC2 instance typically connects to a few IPs, a sudden spike in connections to many different IPs would be flagged as an anomaly.

4. Investigate a Finding or Event

When a security finding (e.g., from GuardDuty) occurs, you open the Detective investigation page. You can also initiate an investigation by specifying a time range and resources. Detective displays a visual graph of the involved resources, a timeline of events, and a list of related findings. You can click on any node to see details: for an IAM user, you see all API calls made; for an EC2 instance, you see all network connections. This allows you to trace the sequence of events leading to the incident.

5. Analyze and Remediate

Using the information from Detective, you identify the root cause. For example, you might discover that an IAM user's credentials were used from an unusual IP address to launch unauthorized EC2 instances. With this insight, you can take remediation actions: rotate the compromised credentials, apply restrictive IAM policies, or terminate the unauthorized instances. Detective does not perform remediation itself; it only provides the data for you to act.
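To make steps 2 through 5 concrete, here is an added Python illustration (not Detective's own code; Detective's real graph model, ML baselines and storage are not public). It normalizes constructed CloudTrail events and VPC Flow Log lines into a time-ordered graph of nodes and edges, supports the two drill-downs described in step 4 (API calls by an IAM principal, network destinations of an EC2 instance), and applies a deliberately simple fan-out baseline check in the spirit of step 3. The sample records, the account id and the ENI-to-instance lookup are all constructed assumptions.

```python
"""Behavioral-graph walk-through: an added illustration, not Detective's own code.
All CloudTrail events, flow-log lines and the ENI-to-instance map are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Edge:
    ts: datetime   # when the interaction happened
    src: str       # node that initiated it
    dst: str       # node that received it
    kind: str      # "used_from", "api_call" or "net_flow"
    detail: str    # API name or "bytes=N"


@dataclass
class Graph:
    nodes: Set[str] = field(default_factory=set)
    edges: List[Edge] = field(default_factory=list)


def _parse_iso(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _target_resource(ev: dict) -> str:
    """Resource node an API call touched: bucket, launched instance, or the service itself."""
    params = ev.get("requestParameters") or {}
    if "bucketName" in params:
        return "s3://" + params["bucketName"]
    items = ((ev.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
    return items[0]["instanceId"] if items else ev["eventSource"]


def build_graph(events: List[dict], flow_lines: List[str], eni_to_instance: Dict[str, str]) -> Graph:
    """Steps 2-3: normalize both sources into time-ordered nodes and edges."""
    g = Graph()
    for ev in events:
        ts, principal, src_ip = _parse_iso(ev["eventTime"]), ev["userIdentity"]["arn"], ev["sourceIPAddress"]
        target = _target_resource(ev)
        g.nodes.update({principal, src_ip, target})
        g.edges.append(Edge(ts, src_ip, principal, "used_from", ev["eventName"]))  # where the credential was used from
        g.edges.append(Edge(ts, principal, target, "api_call", ev["eventName"]))   # what it did
    for line in flow_lines:
        f = line.split()  # default flow-log format: 14 space-separated fields
        if f[13] != "OK" or f[12] != "ACCEPT":  # skip NODATA/SKIPDATA records and rejected flows
            continue
        instance = eni_to_instance.get(f[2], f[2])  # assumed lookup; fall back to the ENI id
        ts = datetime.fromtimestamp(int(f[10]), tz=timezone.utc)
        g.nodes.update({instance, f[4]})
        g.edges.append(Edge(ts, instance, f[4], "net_flow", "bytes=" + f[9]))
    g.edges.sort(key=lambda e: e.ts)
    return g


def api_calls_by_principal(g: Graph, arn: str) -> List[Tuple[str, str]]:
    """Step 4 drill-down on an IAM node: every API call it made, oldest first."""
    return [(e.ts.isoformat(), e.detail) for e in g.edges if e.kind == "api_call" and e.src == arn]


def destinations_from_instance(g: Graph, instance: str, start: Optional[datetime] = None,
                               end: Optional[datetime] = None) -> Set[str]:
    """Step 4 drill-down on an EC2 node: IPs it talked to inside [start, end)."""
    return {e.dst for e in g.edges if e.kind == "net_flow" and e.src == instance
            and (start is None or e.ts >= start) and (end is None or e.ts < end)}


def timeline(g: Graph, node: str) -> List[Tuple[str, str, str, str, str]]:
    """Every interaction touching a node, oldest first."""
    return [(e.ts.isoformat(), e.src, e.kind, e.detail, e.dst) for e in g.edges if node in (e.src, e.dst)]


def fanout_anomaly(g: Graph, instance: str, baseline_end: datetime, factor: int = 3, floor: int = 5) -> bool:
    """Simplified step-3 baseline: flag a sudden spread to many more destinations than before."""
    base = len(destinations_from_instance(g, instance, end=baseline_end))
    observed = len(destinations_from_instance(g, instance, start=baseline_end))
    return observed >= max(floor, factor * base)


ACCOUNT = "111122223333"  # constructed
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
APP_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/AppRole/i-0abc123"
CLOUDTRAIL_EVENTS = [  # constructed, trimmed to the fields used above
    {"eventTime": "2025-06-01T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2025-06-01T09:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "203.0.113.7",
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc123"}]}}},
    # A data event like this one only reaches Detective if a data-event trail is pointed at it.
    {"eventTime": "2025-06-01T09:40:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": APP_ROLE}, "sourceIPAddress": "10.0.1.5",
     "requestParameters": {"bucketName": "finance-reports"}},
]
FLOW_LOG_LINES = [  # constructed; epoch 1748768400 is 2025-06-01T09:00:00Z
    f"2 {ACCOUNT} eni-0aa1 10.0.1.5 198.51.100.20 44321 443 6 10 1200 1748768400 1748768460 ACCEPT OK",
    f"2 {ACCOUNT} eni-0aa1 10.0.1.5 198.51.100.21 44322 443 6 8 900 1748768460 1748768520 ACCEPT OK",
    f"2 {ACCOUNT} eni-0aa1 10.0.1.5 198.51.100.99 44323 22 6 1 40 1748768520 1748768580 REJECT OK",
    f"2 {ACCOUNT} eni-0aa1 - - - - - - - 1748768580 1748768640 - NODATA",
] + [f"2 {ACCOUNT} eni-0aa1 10.0.1.5 192.0.2.{10 + i} {50000 + i} 443 6 2000 5000000 "
     f"{1748770500 + 10 * i} {1748770560 + 10 * i} ACCEPT OK" for i in range(6)]  # burst after 09:35
ENI_TO_INSTANCE = {"eni-0aa1": "i-0abc123"}
BASELINE_END = _parse_iso("2025-06-01T09:30:00Z")


def build_demo_graph() -> Graph:
    return build_graph(CLOUDTRAIL_EVENTS, FLOW_LOG_LINES, ENI_TO_INSTANCE)


if __name__ == "__main__":
    g = build_demo_graph()
    for row in timeline(g, "i-0abc123"):
        print(row)
    print("alice calls:", api_calls_by_principal(g, ALICE))
    print("fan-out anomaly after baseline:", fanout_anomaly(g, "i-0abc123", BASELINE_END))
```

The "used_from" edge is what lets an investigator answer the question in scenario 1 below (which IP a credential was used from), and the flow-log filter shows why NODATA records and rejected flows should not become edges: they carry no destination, or no traffic actually crossed.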

What This Looks Like on the Job

Enterprise Scenario 1: Compromised IAM Credentials

A large e-commerce company uses GuardDuty to detect suspicious API calls. One day, GuardDuty alerts on an API call from an unfamiliar IP address using an IAM user that normally only operates from the corporate office. The security team opens the finding in Detective. Detective shows a graph: the IAM user node connected to the unfamiliar IP node, with edges representing the API calls (e.g., DescribeInstances, RunInstances). The timeline reveals that the calls started 30 minutes ago. Clicking on the IAM user node shows all recent API calls, including some to launch EC2 instances in a different region. The team then uses Detective to see the network connections from those new instances, finding they are communicating with known malicious IPs. The team revokes the IAM user's access keys, terminates the EC2 instances, and implements a policy to require MFA for API calls. Without Detective, they would have to manually correlate CloudTrail logs, VPC Flow Logs, and GuardDuty findings across multiple consoles, taking hours instead of minutes.

Enterprise Scenario 2: Data Exfiltration via S3

A financial services firm suspects data exfiltration from an S3 bucket. They have GuardDuty enabled, which generates a finding for an unusual S3 API call from an EC2 instance. Using Detective, they investigate the EC2 instance node. The graph shows the instance made a series of GetObject calls to a specific S3 bucket, then established network connections to an external IP address. Detective shows the volume of data transferred (based on VPC Flow Logs) and the exact timestamps. The team identifies that the EC2 instance had an IAM role with excessive S3 permissions. They then restrict the role, block the external IP via security groups, and enable S3 access logging for future monitoring. Detective's ability to correlate network flows with API calls was crucial in identifying the exfiltration path.

Performance and Misconfiguration Issues

Data Source Not Enabled: A common mistake is enabling Detective but forgetting to enable CloudTrail or VPC Flow Logs. Detective will appear active but will have no data. Always verify that the required services are enabled and logging.

Cross-Region Investigations: Detective graphs are region-specific. If an incident spans multiple regions (e.g., an EC2 instance in us-east-1 makes API calls to resources in eu-west-1), you must investigate in each region separately. There is no unified view.

Cost Overruns: Detective can become expensive if you have high-volume VPC Flow Logs or CloudTrail logs. Monitor costs using AWS Cost Explorer. Consider enabling Detective only in critical regions or for specific accounts.
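The "Data Source Not Enabled" and "Cross-Region" points above, and the verification steps in the Configuration and Verification section, can be turned into an offline check. The Python below is an added illustration, not an AWS or Detective feature: it consumes the JSON shapes returned by `aws detective list-graphs`, `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status`, `aws ec2 describe-flow-logs` and `aws guardduty list-detectors` (field names assumed from the CLI documentation; in practice you would run those commands per region and feed the results in) and reports, per region, whether a graph exists and which sources are actually logging. The `SNAPSHOTS` dictionary is constructed sample output.

```python
"""Per-region Detective prerequisite check: added illustration, not an AWS feature.
Input dicts mirror the assumed output shapes of the AWS CLI calls named in comments."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RegionStatus:
    region: str
    has_graph: bool
    cloudtrail_logging: bool
    flow_logs_active: bool
    guardduty_enabled: bool

    @property
    def data_sources(self) -> List[str]:
        names = [("CloudTrail", self.cloudtrail_logging),
                 ("VPC Flow Logs", self.flow_logs_active),
                 ("GuardDuty", self.guardduty_enabled)]
        return [n for n, on in names if on]

    @property
    def problem(self) -> Optional[str]:
        if not self.has_graph:
            return "Detective not enabled"  # graphs are per region; nothing to investigate here
        if not self.data_sources:
            return "Detective enabled but no data source is logging"
        return None


def assess_region(region: str, snap: dict) -> RegionStatus:
    """snap holds one region's CLI outputs: list_graphs, describe_trails,
    get_trail_status ({trail name: output}), describe_flow_logs, list_detectors."""
    status = snap["get_trail_status"]
    # A trail feeds this region only if it is multi-region or homed here, and is logging.
    cloudtrail = any(
        (t.get("IsMultiRegionTrail") or t.get("HomeRegion") == region)
        and status.get(t["Name"], {}).get("IsLogging", False)
        for t in snap["describe_trails"].get("trailList", []))
    flows = any(fl.get("FlowLogStatus") == "ACTIVE"
                for fl in snap["describe_flow_logs"].get("FlowLogs", []))
    return RegionStatus(
        region=region,
        has_graph=bool(snap["list_graphs"].get("GraphList")),   # aws detective list-graphs
        cloudtrail_logging=cloudtrail,
        flow_logs_active=flows,
        guardduty_enabled=bool(snap["list_detectors"].get("DetectorIds")),  # aws guardduty list-detectors
    )


def assess_all(snapshots: Dict[str, dict]) -> List[RegionStatus]:
    return [assess_region(region, snap) for region, snap in snapshots.items()]


def report(statuses: List[RegionStatus]) -> List[str]:
    lines = []
    for s in statuses:
        srcs = ", ".join(s.data_sources) or "none"
        lines.append(f"{s.region}: graph={'yes' if s.has_graph else 'no'} sources={srcs}"
                     + (f"  PROBLEM: {s.problem}" if s.problem else ""))
    return lines


# Constructed sample outputs (placeholder ARNs and ids, not real resources).
SNAPSHOTS = {
    "us-east-1": {  # healthy: graph plus all three sources
        "list_graphs": {"GraphList": [{"Arn": "arn:aws:detective:us-east-1:111122223333:graph:EXAMPLE1"}]},
        "describe_trails": {"trailList": [{"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False}]},
        "get_trail_status": {"org-trail": {"IsLogging": True}},
        "describe_flow_logs": {"FlowLogs": [{"ResourceId": "vpc-0a1", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"}]},
        "list_detectors": {"DetectorIds": ["12abc34d567e8fa901bc2d34e56789f0"]},
    },
    "us-west-2": {  # the common mistake: Detective on, but the only trail is stopped and nothing else logs
        "list_graphs": {"GraphList": [{"Arn": "arn:aws:detective:us-west-2:111122223333:graph:EXAMPLE2"}]},
        "describe_trails": {"trailList": [{"Name": "legacy-trail", "HomeRegion": "us-west-2", "IsMultiRegionTrail": False}]},
        "get_trail_status": {"legacy-trail": {"IsLogging": False}},
        "describe_flow_logs": {"FlowLogs": []},
        "list_detectors": {"DetectorIds": []},
    },
    "ap-southeast-1": {  # sources exist, but Detective was never enabled in this region
        "list_graphs": {"GraphList": []},
        "describe_trails": {"trailList": [{"Name": "apac-trail", "HomeRegion": "ap-southeast-1", "IsMultiRegionTrail": False}]},
        "get_trail_status": {"apac-trail": {"IsLogging": True}},
        "describe_flow_logs": {"FlowLogs": []},
        "list_detectors": {"DetectorIds": ["98fe76dc54ba3210fe98dc76ba543210"]},
    },
}

if __name__ == "__main__":
    for line in report(assess_all(SNAPSHOTS)):
        print(line)
```

Running it over the constructed snapshots prints one line per region; us-west-2 is the case the text warns about (an active-looking graph with nothing feeding it), and ap-southeast-1 shows why an incident that touches a region without a graph cannot be investigated there.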

How SAA-C03 Actually Tests This

What the SAA-C03 Tests

Amazon Detective falls under Domain 1: Secure Architectures (Objective 1.4 – Identify appropriate security services). On the exam, you will see questions that ask you to select the best service for a given security scenario. Detective is typically the correct answer when the scenario involves investigating the root cause of a security finding. Key objective codes: 1.4 (Secure Architectures) and 1.5 (Secure Application Design).

Common Wrong Answers and Why

1. Amazon GuardDuty: Candidates often choose GuardDuty because it detects threats. But the question asks for *investigation* or *root cause analysis*. GuardDuty detects; Detective investigates. If the question says "determine the root cause" or "investigate", Detective is correct.

2. AWS Security Hub: Security Hub aggregates findings from multiple services and provides a compliance dashboard. It does not provide the deep forensic analysis that Detective does. If the question mentions "visualize resource interactions" or "graph of events", Detective is the answer.

3. AWS CloudTrail: CloudTrail provides raw API logs but does not correlate them with network flows or provide visualizations. Detective automates the correlation. If the question says "automatically correlate" or "reduce manual effort", Detective is correct.

Specific Numbers and Terms

Detective retains data for one year (365 days).

Detective ingests CloudTrail management events by default.

Detective creates a behavioral graph per region.

Detective requires at least one of GuardDuty, CloudTrail, or VPC Flow Logs to be enabled.

Detective is not real-time; there is a delay of 5-15 minutes.

Edge Cases and Exceptions

Detective can ingest CloudTrail data events if you configure a separate trail and point Detective to it. This is a less common configuration but may appear on the exam.

Detective does not ingest AWS Config data, CloudWatch Logs, or Application Load Balancer logs. If the question mentions these, Detective is likely not the answer.

Detective is region-specific. If an incident involves multiple regions, you need to investigate in each region.

How to Eliminate Wrong Answers

If the question asks for real-time alerting, eliminate Detective (it is not real-time).

If the question asks for automated remediation, eliminate Detective (it only provides information).

If the question asks for compliance reporting, eliminate Detective (use Security Hub or Config).

If the question asks for threat detection, eliminate Detective (use GuardDuty).

Key Takeaways

Amazon Detective is a post-incident investigation service for root cause analysis, not a threat detection service.

Detective ingests data from CloudTrail (management events by default), VPC Flow Logs, and GuardDuty findings.

Detective retains all ingested data for exactly one year (365 days) – this is a fixed retention period.

Detective creates a separate behavioral graph per region; cross-region investigation requires switching regions.

Detective has a 5-15 minute ingestion delay; it is not real-time.

Detective does not enable any data sources; you must have CloudTrail, VPC Flow Logs, and/or GuardDuty enabled first.

Detective is often the correct answer when the question asks to 'investigate' or 'determine the root cause' of a security finding.

Common wrong answers on the exam: GuardDuty (detects, not investigates) and Security Hub (aggregates, not investigates).

Detective can ingest CloudTrail data events if configured, but management events are the default.

Detective integrates with GuardDuty via the 'Investigate with Detective' button in the GuardDuty console.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Amazon Detective

Purpose: Investigate root cause of security incidents

Data sources: CloudTrail, VPC Flow Logs, GuardDuty findings

Output: Visual graphs and timelines of resource interactions

No alerting; used after a finding is generated

Retains data for one year

Amazon GuardDuty

Purpose: Detect security threats in real time

Data sources: VPC Flow Logs, CloudTrail, DNS logs, etc.

Output: Findings/alerts with severity and threat details

Generates alerts that can trigger Detective investigation

Retains findings for up to 90 days (default)

Amazon Detective

Focus: Forensic investigation and root cause analysis

Data sources: CloudTrail, VPC Flow Logs, GuardDuty

Provides a graph of resource relationships

No compliance checks or standards

Not a central aggregator of findings

AWS Security Hub

Focus: Centralized security findings and compliance

Data sources: Aggregates from GuardDuty, Inspector, Macie, etc.

Provides a dashboard of findings and compliance scores

Runs compliance checks against standards (e.g., CIS, PCI DSS)

Central hub for all security findings across accounts

Watch Out for These

Mistake: Amazon Detective can detect security threats in real time.

Correct: Detective does not detect threats; it is an investigation tool for post-incident analysis. It has a 5-15 minute ingestion delay. Threat detection is done by GuardDuty.

Mistake: Detective automatically enables CloudTrail and VPC Flow Logs.

Correct: Detective does not enable any data sources. You must have CloudTrail, VPC Flow Logs, and/or GuardDuty already enabled in your account before Detective can ingest data.

Mistake: Detective retains data indefinitely.

Correct: Detective retains data for a maximum of one year (365 days). After that, data is automatically deleted. This retention period is fixed and cannot be changed.

Mistake: Detective provides a single global graph for all AWS regions.

Correct: Detective creates a separate behavioral graph for each region where it is enabled. You cannot view a cross-region graph; you must investigate each region independently.

Mistake: Detective can be used to block malicious traffic or remediate issues automatically.

Correct: Detective is a read-only investigation tool. It does not have any capabilities to block, terminate, or modify resources. Remediation must be done manually or through other services like AWS Lambda or Systems Manager.


Frequently Asked Questions

What is the difference between Amazon Detective and Amazon GuardDuty?

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and generates findings/alerts. Amazon Detective is an investigation service that helps you analyze the root cause of those findings by providing visualizations and correlating data from CloudTrail, VPC Flow Logs, and GuardDuty itself. In short: GuardDuty detects, Detective investigates. On the exam, if the scenario involves 'determine the root cause' or 'investigate', choose Detective. If it involves 'detect threats in real time', choose GuardDuty.

Does Amazon Detective require any other AWS services to be enabled?

Yes, Detective requires at least one of the following data sources to be enabled in your account: AWS CloudTrail (management events), VPC Flow Logs, or Amazon GuardDuty. Detective does not enable these services for you; you must enable them separately. Without these sources, Detective will have no data to analyze. For the exam, remember that Detective is a consumer of data, not a producer.

How long does Amazon Detective retain data?

Amazon Detective retains all ingested data for one year (365 days). After that, the data is automatically deleted. This retention period is fixed and cannot be changed. This is a common exam fact: Detective retains data for one year. Compare this to GuardDuty, which retains findings for 90 days by default (configurable up to 1 year in some regions).

Can Amazon Detective be used across multiple AWS regions?

Amazon Detective creates a separate behavioral graph for each region where it is enabled. You cannot view a single graph that spans multiple regions. To investigate an incident that involves resources in multiple regions, you must switch to each region's Detective console and investigate separately. This is an important limitation to remember for the exam.

Is Amazon Detective a real-time service?

No, Amazon Detective is not real-time. There is a delay of approximately 5-15 minutes between an event occurring and it appearing in Detective. This is due to the time required to ingest, process, and correlate data from multiple sources. Therefore, Detective is suitable for post-incident analysis, not for real-time alerting or response.

Can Amazon Detective ingest CloudTrail data events?

By default, Detective ingests CloudTrail management events only. However, you can configure Detective to also ingest data events (e.g., S3 object-level operations, Lambda function invocations) by specifying a CloudTrail trail that logs those data events. This is an optional configuration. On the exam, remember that management events are the default; data events require additional setup.

Does Amazon Detective provide automated remediation?

No, Amazon Detective is a read-only investigation tool. It does not have any capabilities to automatically remediate or block threats. Its purpose is to provide you with the information needed to understand what happened. Remediation actions must be taken manually or through other AWS services such as AWS Lambda, AWS Systems Manager, or IAM policies.

