SOA-C02 | Chapter 93 of 104 | Objective 4.2

Amazon Detective for Investigation

This chapter covers Amazon Detective, a managed security investigation service that simplifies analyzing security events across AWS resources. On the SOA-C02 exam, Detective appears in Domain 4 (Security) under Objective 4.2: 'Troubleshoot and investigate security events using AWS services.' Expect 2-4 questions that test your understanding of Detective's data sources, integration with GuardDuty, and how to use its findings for root cause analysis. Mastering Detective is critical for the exam because it directly addresses how SysOps administrators investigate and respond to security incidents efficiently.

25 min read
Intermediate
Updated May 31, 2026

Detective as a Forensic Lab for AWS

Amazon Detective is like a fully equipped forensic lab that processes evidence from multiple sources to reconstruct a crime scene. Imagine a security incident in a large office building. The lab receives raw logs from access card readers (AWS CloudTrail), video feeds from cameras (VPC Flow Logs), and network traffic captures from routers (Amazon GuardDuty findings). Instead of a security analyst manually sifting through thousands of pages of access logs and hours of video footage, the lab uses automated tools to correlate events: it identifies that a specific ID badge was used at the front door at 2:03 AM, then the same badge appeared on a camera near the server room at 2:05 AM, and a network scan originated from that server at 2:10 AM. The lab creates a timeline, highlights the anomalous access pattern, and presents a report showing the sequence of events, the resources involved, and the likely root cause. The analyst can then drill into specific evidence—like the exact API call made from the compromised server—without needing to manually cross-reference different data sources. This is exactly what Amazon Detective does for AWS: it ingests and pre-processes logs from CloudTrail, VPC Flow Logs, and GuardDuty, builds a graph of resource interactions, and provides a visual investigation interface to trace security findings back to their origin.

How It Actually Works

What is Amazon Detective?

Amazon Detective is a fully managed security investigation service that automatically collects, processes, and analyzes log data from AWS resources to identify the root cause of security findings or suspicious activities. It ingests data from AWS CloudTrail (management and data events), VPC Flow Logs, and Amazon GuardDuty findings. Detective builds a linked set of data—called a behavior graph—that represents historical interactions and relationships among AWS resources. This graph enables security analysts to visualize and trace the sequence of events leading up to a security incident without needing to manually aggregate logs from multiple sources.

How Detective Works Internally

Detective operates by continuously ingesting and storing log data for a configurable retention period (default 365 days, up to 1095 days). The service processes this data to create a behavior graph that maps resource relationships—for example, which EC2 instance made API calls to which S3 bucket, or which IAM user assumed a role to launch an instance. Detective uses machine learning models to establish baselines of normal behavior for each resource. When a GuardDuty finding is generated (e.g., a finding of type 'UnauthorizedAccess:IAMUser/AnomalousBehavior'), Detective automatically correlates it with the relevant log data to produce a comprehensive finding summary. The summary includes a timeline of events, the involved entities (users, roles, IP addresses, resources), and the specific API calls or network connections associated with the finding.

Key Components and Defaults

Behavior Graph: The core data structure that stores resource interactions. Each AWS account can have one behavior graph per region. The graph is identified by a unique ARN.

Data Sources: Detective ingests from:

- AWS CloudTrail (management events, and data events for S3 and Lambda)
- VPC Flow Logs (from any VPC in the account)
- Amazon GuardDuty findings

Retention Period: Configurable from 1 to 1095 days. Default is 365 days. Costs increase with longer retention.

Pricing: Based on data volume ingested (per GB) and retention duration. There is no upfront cost.

Integration: Detective integrates with AWS Organizations to enable multi-account investigations. The management account can enable Detective for all member accounts.

Findings: Detective findings are different from GuardDuty findings. Detective findings are generated only when Detective correlates a GuardDuty finding with its behavior graph. They provide a deeper investigation view.

Configuration Steps

To enable Detective:

1. Open the Amazon Detective console.
2. Choose 'Enable Detective' for the desired region.
3. Specify the data sources: CloudTrail (management and data events), VPC Flow Logs, and GuardDuty.
4. Optionally, configure the retention period (default 365 days).
5. For multi-account, use AWS Organizations to delegate an administrator account.

Verification: After enabling, the behavior graph will start building. You can view the graph status in the Detective console under 'Behavior graphs'. It may take several hours to populate initial data.

Interaction with Related Technologies

GuardDuty: Detective is designed to enhance GuardDuty findings. When GuardDuty generates a finding, Detective automatically provides a detailed investigation view. For example, a GuardDuty finding of type 'Backdoor:EC2/C&CActivity.B' will be enriched with the exact API calls made from the compromised EC2 instance, the IP addresses it communicated with, and the IAM role used.

CloudTrail: Detective uses CloudTrail logs to track API activity. It can show the sequence of API calls leading to a resource modification, which is crucial for understanding the attack path.

VPC Flow Logs: Detective uses flow logs to map network traffic. This helps identify data exfiltration attempts or lateral movement within the VPC.

AWS Config: While not directly ingested, Detective can be used alongside Config to understand resource configuration changes that may have contributed to an incident.

Using Detective for Investigation

When a security incident occurs (e.g., a GuardDuty finding), a SysOps administrator can:

1. Open the Detective console and navigate to 'Findings'.
2. Select the specific GuardDuty finding. Detective will display a summary panel with:
   - Timeline: A chronological list of events before and after the finding.
   - Resources: The AWS resources involved (e.g., EC2 instance, IAM user, S3 bucket).
   - Indicators of Compromise (IoCs): IP addresses, user agents, and other artifacts.
3. Use the 'Entity graph' tab to visualize the relationships between resources. For example, you can see which IAM role was used to launch an instance, and what API calls that instance made.
4. Drill down into specific API calls by clicking on an event in the timeline. This shows the full CloudTrail event details.
5. Export the investigation data for reporting or further analysis.

Practical Example

Suppose GuardDuty generates a finding 'UnauthorizedAccess:IAMUser/MaliciousIPCaller'. Detective will show:

The IAM user that made the API call.

The source IP address (likely a known malicious IP).

The API calls made (e.g., 'DescribeInstances', 'CreateSnapshot').

The time of each call.

Any associated VPC Flow Logs showing network traffic from that IP to the instance.
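The correlation described above, as an added Python example that is not part of Detective or of this chapter's original material: it takes a constructed GuardDuty finding, a few constructed CloudTrail events and VPC Flow Log records, and assembles the same summary (principal, flagged source IP, API calls with their times, and related flows) that Detective's finding view presents. The 72-hour window mirrors the timeline range described in the walk-through; all record values are sample data.

```python
"""Correlate a GuardDuty finding with CloudTrail and VPC Flow Log records.

Added illustration of what Detective's behavior graph does for the
MaliciousIPCaller finding; not Detective's own code or API.
Every record below is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed GuardDuty finding, reduced to the fields this example needs.
FINDING = {
    "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "principal": "arn:aws:iam::111122223333:user/report-reader",
    "remote_ip": "198.51.100.23",          # the IP GuardDuty flagged
    "time": "2024-03-04T02:05:00Z",
}

# Constructed CloudTrail events: (eventTime, principal ARN, eventName, sourceIPAddress).
CLOUDTRAIL = [
    ("2024-03-04T01:58:10Z", FINDING["principal"], "GetObject", "203.0.113.7"),
    ("2024-03-04T02:03:41Z", FINDING["principal"], "DescribeInstances", "198.51.100.23"),
    ("2024-03-04T02:06:12Z", FINDING["principal"], "CreateSnapshot", "198.51.100.23"),
    ("2024-03-04T02:07:30Z", "arn:aws:iam::111122223333:user/deploy-bot", "RunInstances", "203.0.113.9"),
    ("2024-02-28T20:00:00Z", FINDING["principal"], "ListBuckets", "198.51.100.23"),  # outside the 72h window
]

# Constructed VPC Flow Log records in the default 14-field format.
FLOW_LOGS = [
    "2 111122223333 eni-0a1b2c3d 198.51.100.23 10.0.1.15 51122 22 6 12 960 1709517900 1709517960 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d 10.0.1.15 198.51.100.23 22 51122 6 30 4200 1709517900 1709517960 ACCEPT OK",
    "2 111122223333 eni-0f9e8d7c 203.0.113.9 10.0.2.40 44001 443 6 5 300 1709517900 1709517960 ACCEPT OK",
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(finding, events, window=timedelta(hours=72)):
    """CloudTrail calls by the finding's principal within +/- window, oldest first."""
    t0 = parse_ts(finding["time"])
    rows = [(parse_ts(t), name, ip) for t, who, name, ip in events
            if who == finding["principal"] and abs(parse_ts(t) - t0) <= window]
    return sorted(rows)


def related_flows(finding, lines):
    """Flow records where the flagged remote IP is the source or the destination."""
    hits = []
    for line in lines:
        f = line.split()
        src, dst, dport, start, action = f[3], f[4], int(f[6]), int(f[10]), f[12]
        if finding["remote_ip"] in (src, dst):
            hits.append({"src": src, "dst": dst, "dport": dport, "action": action,
                         "start": datetime.fromtimestamp(start, tz=timezone.utc)})
    return hits


def investigate(finding, events, lines):
    """Assemble the summary Detective's finding view shows: entities, IoCs, timeline, flows."""
    timeline = build_timeline(finding, events)
    flows = related_flows(finding, lines)
    internal = sorted({ip for fl in flows for ip in (fl["src"], fl["dst"]) if ip != finding["remote_ip"]})
    return {
        "type": finding["type"],
        "principal": finding["principal"],
        "iocs": {"remote_ip": finding["remote_ip"],
                 "calls_from_remote_ip": [n for _, n, ip in timeline if ip == finding["remote_ip"]]},
        "timeline": [(t.isoformat(), n, ip) for t, n, ip in timeline],
        "internal_hosts_contacted": internal,
        "flows": flows,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(FINDING, CLOUDTRAIL, FLOW_LOGS), indent=2, default=str))
```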

CLI and API Operations

Detective can be managed via the AWS CLI and SDKs. Key commands:

- aws detective create-graph – Creates a new behavior graph.
- aws detective list-graphs – Lists all behavior graphs.
- aws detective start-monitoring-member – Enables monitoring for a member account.
- aws detective get-members – Lists member accounts.

Example CLI to list graphs:

aws detective list-graphs --region us-east-1

Limitations

Detective does not support on-premises resources.

Data ingestion may take up to 15 minutes for CloudTrail and VPC Flow Logs.

Behavior graphs are regional; cross-region investigation requires separate graphs.

Detective is not a real-time alerting tool; it is for post-incident investigation.

Exam Relevance

On the SOA-C02 exam, you should know:

Detective's primary purpose is to simplify security investigation, not to replace GuardDuty.

Detective ingests from CloudTrail, VPC Flow Logs, and GuardDuty findings.

It builds a behavior graph that correlates resource interactions.

It is used for root cause analysis of GuardDuty findings.

Multi-account support via AWS Organizations.

Default retention is 365 days.

Detective is a regional service.

Walk-Through

1. Enable Amazon Detective

In the AWS Management Console, navigate to Amazon Detective and choose 'Enable Detective'. You must have the necessary IAM permissions (detective:CreateGraph, detective:EnableOrganizationAdminAccount for multi-account). The service will create a behavior graph in the region. This step initiates data ingestion from CloudTrail, VPC Flow Logs, and GuardDuty. If you have an existing GuardDuty detector, Detective will automatically start associating findings. The initial data population may take several hours.

2. Configure Data Sources

Detective requires that CloudTrail is enabled (management events and optionally data events), VPC Flow Logs are enabled for VPCs you want to monitor, and GuardDuty is enabled. If any of these are missing, Detective will prompt you to enable them. For CloudTrail, ensure the trail is logging to a bucket in the same region. For VPC Flow Logs, they must be published to CloudWatch Logs. Detective will then start ingesting the log data. You can verify data ingestion status in the Detective console under 'Data sources'.

3. Review GuardDuty Findings

When GuardDuty generates a finding, Detective automatically correlates it with its behavior graph. In the Detective console, navigate to 'Findings' and select the GuardDuty finding. Detective will display a detailed view including a timeline of events, involved resources, and indicators of compromise. This step is where you start the investigation. The timeline shows events up to 72 hours before and after the finding time.

4. Analyze the Entity Graph

In the finding details, click on the 'Entity graph' tab. This visualizes the relationships between the resources involved. For example, you can see the IAM user, the EC2 instance, and the S3 bucket as nodes, with edges representing API calls, network connections, or role assumptions. You can click on any node to see its detailed history. This helps identify the attack path—for instance, how an attacker moved from an IAM user to an EC2 instance to exfiltrate data.

5. Drill Down into Specific Events

From the timeline or entity graph, you can click on individual events to see the full CloudTrail event details. This includes the API call name, source IP, user agent, request parameters, and response elements. For VPC Flow Logs, you can see the source and destination IPs, ports, and protocols. This granular view allows you to confirm whether the activity was malicious or a false positive. You can also export the event data for further analysis.

What This Looks Like on the Job

Enterprise Scenario 1: Compromised IAM Credentials

A large e-commerce company uses GuardDuty to detect anomalous API calls. One day, GuardDuty generates a finding 'UnauthorizedAccess:IAMUser/AnomalousBehavior' for an IAM user that normally only reads from an S3 bucket. The SysOps team uses Detective to investigate. Detective shows that the user made a series of 'DescribeInstances' and 'CreateSnapshot' API calls from an IP address in a foreign country. The entity graph reveals that the user assumed a role that had permissions to create snapshots, and the snapshots were shared with an external AWS account. The team immediately revokes the user's credentials, rotates the keys, and deletes the shared snapshots. Detective's timeline helped them identify the exact sequence of events within minutes, whereas manually searching CloudTrail logs would have taken hours.

Scenario 2: EC2 Instance Compromise

A financial services firm uses GuardDuty to detect C&C activity. GuardDuty finds a 'Backdoor:EC2/C&CActivity.B' on an EC2 instance. The SysOps team uses Detective to investigate. Detective shows that the instance was launched using a specific AMI, and shortly after launch, it began communicating with a known malicious IP. The timeline reveals that the instance was launched by an IAM user who had just been granted admin privileges. Detective also shows VPC Flow Logs indicating data exfiltration to an external IP on port 443. The team isolates the instance, terminates it, and reviews the IAM permissions. Detective's entity graph helped them trace the attack back to the IAM user that launched the instance, leading to a broader review of IAM policies.

Common Misconfigurations

One common mistake is not enabling VPC Flow Logs for all VPCs. Without flow logs, Detective cannot provide network-level insights. Another mistake is setting the retention period too short (e.g., 30 days) for compliance requirements. In production, a retention of at least 365 days is recommended for security investigations. Also, forgetting to enable Detective in all regions where you have resources can leave blind spots. Finally, not integrating with AWS Organizations for multi-account environments leads to fragmented investigations.
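An added check, not an AWS or Detective tool, that walks a constructed inventory and reports the four gaps just listed (VPCs without flow logs, short retention, regions with resources but no graph, and no Organizations delegated administrator). The inventory shape, the severity labels and the audit function are assumptions for this example; no AWS calls are made.

```python
"""Audit a Detective deployment for the blind spots described above.

Added example; not Detective's own tooling. INVENTORY is a constructed
snapshot of what you would collect from the Detective, EC2 and Organizations
APIs for each region that holds resources.
"""

MIN_RETENTION_DAYS = 365   # the chapter's production recommendation

# Constructed inventory: per region, whether a graph exists, its retention,
# and whether each VPC publishes flow logs.
INVENTORY = {
    "org_delegated_admin": None,      # None = no delegated administrator configured
    "regions": {
        "us-east-1": {"graph": True, "retention_days": 365,
                      "vpcs": {"vpc-0aaa": True, "vpc-0bbb": False}},
        "eu-west-1": {"graph": True, "retention_days": 30,
                      "vpcs": {"vpc-0ccc": True}},
        "ap-southeast-1": {"graph": False, "retention_days": None,
                           "vpcs": {"vpc-0ddd": True}},
    },
}


def audit(inv, min_retention=MIN_RETENTION_DAYS):
    """Return (severity, scope, message) tuples, one per gap found."""
    gaps = []
    if inv.get("org_delegated_admin") is None:
        gaps.append(("MEDIUM", "global",
                     "no Organizations delegated administrator: investigations stay per account"))
    for region, r in sorted(inv["regions"].items()):
        if not r["graph"]:
            # Nothing else can be checked here: the region is a blind spot.
            gaps.append(("HIGH", region, "resources present but Detective not enabled"))
            continue
        if r["retention_days"] is not None and r["retention_days"] < min_retention:
            gaps.append(("MEDIUM", region,
                         f"retention {r['retention_days']}d is below {min_retention}d"))
        for vpc, has_flow_logs in sorted(r["vpcs"].items()):
            if not has_flow_logs:
                gaps.append(("HIGH", region, f"{vpc} has no VPC Flow Logs: no network evidence"))
    return gaps


if __name__ == "__main__":
    for sev, scope, msg in audit(INVENTORY):
        print(f"{sev:6} {scope:15} {msg}")
```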

How SOA-C02 Actually Tests This

Exam Objective Coverage

Amazon Detective falls under SOA-C02 Domain 4: Security, Objective 4.2: 'Troubleshoot and investigate security events using AWS services.' Specifically, the exam tests:

Understanding of Detective's data sources (CloudTrail, VPC Flow Logs, GuardDuty).

How Detective helps in root cause analysis of GuardDuty findings.

The concept of the behavior graph and its purpose.

Multi-account setup using AWS Organizations.

Retention period defaults and configuration.

Common Wrong Answers

1. 'Detective is a real-time alerting tool': Many candidates confuse Detective with GuardDuty. Detective is for post-incident investigation, not real-time alerts. GuardDuty generates real-time findings; Detective enriches them.

2. 'Detective replaces CloudTrail': Detective uses CloudTrail logs but does not replace it. CloudTrail is still needed for compliance and raw log access.

3. 'Detective works across regions automatically': Detective is regional. Each region has its own behavior graph. Cross-region investigation requires switching regions or using multiple graphs.

4. 'Detective can ingest on-premises logs': Detective only works with AWS-native sources. It cannot ingest on-premises logs.

Specific Numbers and Terms

Default retention: 365 days.

Maximum retention: 1095 days.

Data sources: CloudTrail (management and data events), VPC Flow Logs, GuardDuty findings.

Multi-account: Uses AWS Organizations delegated administrator.

The behavior graph is the core data structure.

Edge Cases

If CloudTrail is disabled, Detective cannot ingest management events. The service will still work but with limited data.

If VPC Flow Logs are not enabled, Detective cannot show network traffic. This is a common exam scenario where the candidate must identify missing data sources.

Detective pricing is based on data volume and retention; longer retention costs more.

How to Eliminate Wrong Answers

Focus on Detective's role as an investigation tool, not an alerting tool. If a question asks about 'real-time detection', the answer is GuardDuty, not Detective. If a question asks about 'root cause analysis of a GuardDuty finding', the answer is Detective. Also, remember that Detective is regional—if the answer suggests cross-region automatic correlation, it is wrong.

Key Takeaways

Amazon Detective is a managed investigation service that simplifies root cause analysis of security events.

Detective ingests data from AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty findings.

The behavior graph is the core data structure that maps resource interactions.

Default retention period for behavior graph data is 365 days, configurable up to 1095 days.

Detective is a regional service; you must enable it in each region separately.

Multi-account support requires AWS Organizations with a delegated administrator account.

Detective is not a real-time alerting tool; it is used for post-incident investigation of GuardDuty findings.

Detective does not replace CloudTrail, VPC Flow Logs, or GuardDuty; it enhances them.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Amazon Detective

Purpose: Post-incident investigation and root cause analysis.

Data sources: CloudTrail, VPC Flow Logs, GuardDuty findings.

Output: Behavior graph, timeline, entity relationships.

Alerting: No real-time alerts; it enriches existing findings.

Use case: Investigate a GuardDuty finding in depth.

Amazon GuardDuty

Purpose: Real-time threat detection.

Data sources: AWS CloudTrail, VPC Flow Logs, DNS logs, etc.

Output: Findings with severity, type, and resource involved.

Alerting: Real-time alerts via CloudWatch Events or SNS.

Use case: Detect malicious activity as it happens.

Watch Out for These

Mistake

Amazon Detective is a real-time security monitoring tool.

Correct

Detective is not real-time; it is for post-incident investigation. It ingests logs and builds a behavior graph with some delay (up to 15 minutes). Real-time monitoring is handled by GuardDuty and other services.

Mistake

Detective can replace AWS CloudTrail.

Correct

Detective uses CloudTrail logs but does not replace it. CloudTrail is still required for compliance, raw log access, and as a data source for Detective. Detective provides a higher-level analysis, not raw log storage.

Mistake

Detective automatically works across all AWS regions.

Correct

Detective is a regional service. Each region has its own behavior graph. You must enable Detective in each region separately. Cross-region investigation requires manual switching between regions.

Mistake

Detective can analyze on-premises logs.

Correct

Detective only ingests AWS-native log sources: CloudTrail, VPC Flow Logs, and GuardDuty findings. It cannot ingest on-premises logs or logs from non-AWS sources.

Mistake

Detective provides a timeline of events for any API call.

Correct

Detective provides timelines primarily for events related to GuardDuty findings or when you manually investigate a resource. It does not provide a timeline for every API call; it focuses on security-relevant events.


Frequently Asked Questions

What is the difference between Amazon Detective and Amazon GuardDuty?

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and generates real-time findings. Amazon Detective is an investigation service that helps you analyze those findings by providing a detailed view of the events leading up to and after the finding. In short, GuardDuty detects, Detective investigates. On the SOA-C02 exam, remember that Detective is for root cause analysis, not for detection.

What data sources does Amazon Detective ingest?

Amazon Detective ingests three data sources: AWS CloudTrail (management events and data events for S3 and Lambda), VPC Flow Logs, and Amazon GuardDuty findings. It does not ingest AWS Config, CloudWatch Logs, or on-premises logs. For the exam, know that all three must be enabled for Detective to provide full investigation capabilities.

How does Amazon Detective handle multi-account environments?

Detective supports multi-account environments via AWS Organizations. You designate a delegated administrator account that can enable Detective for the entire organization. Member accounts do not need to individually enable Detective. The delegated admin can view findings and behavior graphs for all accounts. This is a common exam scenario.

What is the default retention period for Detective behavior graph data?

The default retention period is 365 days. You can configure it between 1 and 1095 days. Retention affects cost. The exam may ask about the default value, so remember 365 days.

Can Amazon Detective be used without Amazon GuardDuty?

Yes, Detective can be enabled without GuardDuty, but its primary value is in investigating GuardDuty findings. Without GuardDuty, you can still use Detective to manually explore the behavior graph and analyze resource interactions, but you lose the automatic correlation of findings. For the exam, Detective is often paired with GuardDuty.

Is Amazon Detective a regional or global service?

Amazon Detective is a regional service. Each AWS region has its own behavior graph. You must enable Detective in each region where you want to investigate. It does not automatically aggregate data across regions. This is an important distinction for the exam.

How does Detective help in investigating a compromised EC2 instance?

When GuardDuty detects a finding on an EC2 instance (e.g., 'Backdoor:EC2/C&CActivity.B'), Detective provides a timeline showing API calls made by or to the instance, network connections from VPC Flow Logs, and the IAM role used. You can see the exact commands executed and the IP addresses involved, helping you identify the attack vector and scope of compromise.
