Amazon Detective
A security investigation service — not a detection engine. Detective doesn't generate new alerts about bad behavior; it takes alerts already raised elsewhere (mainly GuardDuty) and builds the deep, graph-based context an analyst needs to find root cause, fast. If GuardDuty says "something happened," Detective answers "what else happened around it, and why."
- Control category: Detective — investigation/forensics
- Governance: org-wide enablement only
- Historical data retained: 1 year
- Window for informational/evidence findings: 45 days
- GenAI: finding group summaries via Bedrock
How Detective Actually Works
The Core Mechanism — A Behavior Graph, Not a Log Search Tool
- Behavior graph construction — Detective automatically and continuously ingests trillions of events from CloudTrail, VPC Flow Logs, and EKS audit logs, then uses machine learning, statistical analysis, and graph theory to build a graph database of relationships between entities: IAM users/roles, EC2 instances, IP addresses, S3 buckets, and more.
- GuardDuty findings are the default, mandatory data source — they're part of Detective's core package and are ingested automatically. Other AWS security findings (aggregated through Security Hub, including Inspector vulnerability findings) are an optional data source you opt into for richer correlation.
- Finding groups — rather than making you investigate dozens of individual GuardDuty/Inspector findings in isolation, Detective applies graph analysis to infer relationships between findings and entities and clusters them into a single finding group representing one likely security incident. A finding group's severity equals the highest-severity individual finding inside it.
- Finding group visualization — an interactive graph showing entities and findings together, letting an analyst visually trace relationships, rearrange nodes, and drill into specific entities or findings for more detail.
- Finding group summary (generative AI) — by default, Detective uses a Bedrock-hosted model to automatically generate a natural-language summary of the top findings and threat events in a finding group, dramatically speeding up initial triage. This is on by default and free; it can be opted out of at the user or IAM-role level. As of February 2026, this feature can use cross-region inference to pick the optimal regional endpoint for processing.
- Entity profile pages — for IAM roles/users, EC2 instances, and IP addresses, Detective surfaces historical behavior over time, so an analyst can see whether a given action was actually unusual for that entity, not just unusual in the abstract.
⚠️ The Recurring Exam Theme
Detective questions almost always test one of three things: (1) do you know Detective does not generate new threat findings itself — it investigates findings that came from elsewhere, (2) can you correctly position Detective relative to GuardDuty (alerts) and Security Hub (aggregation/scoring) in an incident response workflow, and (3) do you understand that GuardDuty is the mandatory default data source while other findings are opt-in.
Exam Domain Mapping
| Domain | Where Detective Shows Up |
|---|---|
| Threat Detection & Incident Response | Root-cause investigation workflows, finding groups, the "what do you do AFTER GuardDuty alerts" question |
| Security Logging & Monitoring | Behavior graph data sources (CloudTrail, VPC Flow Logs, EKS audit logs), historical retention |
| Management & Security Governance | Organizations-wide enablement, delegated administrator, cross-account behavior graphs |
Decision Tree — Mental Model
Threat
A GuardDuty (or Inspector, via Security Hub) finding has fired, but the analyst needs to understand the broader context: what else did this IAM role do, has this IP been seen before, what is the full scope of the incident
↓
Security Goal
Investigate root cause efficiently using automatically correlated historical context, instead of manually querying raw CloudTrail/Flow Logs
↓
AWS Service
Amazon Detective:
- Behavior graph (CloudTrail + VPC Flow Logs + EKS audit logs)
- GuardDuty findings (default, mandatory)
- Security Hub / Inspector findings (optional)
- Finding groups + visualization
- GenAI summaries
↓
Implementation
Enable via Organizations delegated administrator. Opt into additional data sources for richer correlation. Pivot directly from a GuardDuty finding via "Investigate."
↓
Monitoring
Analyst reviews finding groups (not individual findings) as the starting point, uses entity profile pages for historical baselining, reads GenAI summaries for fast triage.
↓
Remediation
Detective itself takes no remediation action — findings/conclusions from an investigation drive a separate response (EventBridge/Lambda, IAM credential revocation, SCP isolation).
Final Summary
Must Memorize
- Detective investigates findings — it does NOT generate new threat findings itself
- GuardDuty findings are the default/mandatory data source; Security Hub-aggregated findings (incl. Inspector) are optional
- Finding groups cluster related findings; severity = highest finding in the group
- Up to 1 year of historical behavior graph data
Must Understand
- Why graph analysis (entities + relationships) beats manually querying raw logs for root-cause work
- The GenAI finding group summary as a triage accelerator, not a replacement for analyst judgment
- The distinction triangle: Detective (investigate) vs GuardDuty (alert) vs Security Hub (aggregate/score)
Can De-prioritize
- Exact dollar pricing per GB ingested
- Console UI navigation specifics
- Precise visualization layout options
Exam appearance probability: MEDIUM
Investigation Mechanics & Capabilities
Detective's value is structural — it organizes already-existing security signal into something investigable, rather than producing new signal.
2.1 Behavior Graph (High exam relevance)
Data sources: CloudTrail, VPC Flow Logs, EKS audit logs — ingested automatically and continuously
Technique: Machine learning + statistical analysis + graph theory to infer relationships between entities
Retention: Up to 1 year of historical event data
- The graph links IAM users/roles, EC2 instances, IP addresses, and other entities — letting you trace "what did this role do across its entire history," not just at the moment of a single finding.
2.2 Finding Ingestion — Mandatory vs Optional (Frequently misunderstood)
GuardDuty findings: Part of the Detective core package — ingested by default, no opt-in required
Other AWS security findings: Aggregated via Security Hub (this includes Amazon Inspector findings) — an OPTIONAL data source you must opt into
- Exam trap: assuming Detective automatically has Inspector findings without Security Hub aggregation enabled as a data source.
2.3 Finding Groups (High exam relevance)
What: Graph-analysis-derived clusters of related findings and entities representing one likely incident
Severity: Equal to the highest ASFF severity (Critical/High/Medium/Low/Informational) among findings in the group
- Threat actors typically perform a sequence of actions producing multiple isolated findings across time and entities — investigating each in isolation risks missing the bigger picture or misjudging significance. Finding groups are the recommended starting point for investigation, not individual findings.
- Grouping logic considers patterns and behaviors — similar attack types or suspicious activities — to determine which findings belong together.
2.4 Finding Group Visualization
What: Interactive graph display of entities and findings within a group
- Supports multiple layouts to aid visual identification of trends, outliers, and patterns; a dynamic legend shows only icons relevant to entities actually present; similar findings are condensed to reduce noise.
- Analysts can rearrange nodes, select items for more detail, and assess how interconnected the group's resources are.
2.5 Finding Group Summary (Generative AI) (High — exam-fresh)
What: Automatic natural-language summary of a finding group's top findings and threat events
Powered by: Amazon Bedrock-hosted models
Cost: No extra charge if Detective is enabled
- On by default; can be opted out at the individual user level or via IAM role-based deny permissions.
- As of Feb 2026, automatically selects the optimal regional endpoint (within your geography) via cross-region inference to generate summaries.
- Feedback (thumbs up/down) helps tune prompt effectiveness but is explicitly NOT used for model tuning/training.
2.6 Informational / Evidence Findings
What: Additional context related to a finding group, surfaced as an "Informational" severity finding
Scope: Based on behavior graph data from the last 45 days
- Highlights unusual or unknown activity that's potentially suspicious in context — e.g. a newly observed geolocation or API call within the finding's scope time.
- Only viewable within Detective — these are NOT sent to Security Hub.
- Location of requests is determined using MaxMind GeoIP databases.
2.7 Entity Profile Pages
Covers: IAM users, IAM roles, EC2 instances, IP addresses
- Shows historical activity baselines for that specific entity, so an analyst can judge whether observed behavior is actually anomalous FOR THAT ENTITY, not just unusual in a generic sense.
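A toy illustration, added here and not Detective's own algorithm or API, of the two mechanisms described in 2.3 and 2.7: findings that share an entity are clustered into one group whose severity is the highest member's, and an entity's scope-time activity is compared against its own recent history (a 45-day baseline, as in 2.6). All events, findings, principals and IPs are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed CloudTrail-style events: (time, principal, API call, source IP).
EVENTS = [
    (datetime(2026, 1, 1), "role/app", "s3:GetObject", "10.0.0.5"),
    (datetime(2026, 1, 2), "role/app", "s3:GetObject", "10.0.0.5"),
    (datetime(2026, 2, 1), "role/app", "iam:CreateUser", "203.0.113.9"),
    (datetime(2026, 2, 1), "role/batch", "ec2:RunInstances", "10.0.0.7"),
]
# Constructed findings: (finding id, ASFF severity label, entities it touches).
FINDINGS = [
    ("f1", "MEDIUM", {"role/app", "203.0.113.9"}),
    ("f2", "HIGH", {"203.0.113.9", "i-0abc"}),
    ("f3", "LOW", {"role/batch"}),
]

def finding_groups(findings):
    """Cluster findings that share at least one entity (union-find over a
    finding/entity graph). Group severity = highest member severity."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for fid, _, entities in findings:
        for entity in entities:
            parent[find(fid)] = find(entity)  # link finding node to entity node
    groups = defaultdict(list)
    for fid, sev, _ in findings:
        groups[find(fid)].append((fid, sev))
    return sorted((sorted(f for f, _ in g), max((s for _, s in g), key=SEVERITY_RANK.get))
                  for g in groups.values())

def new_for_entity(events, principal, scope_start, scope_end, history_days=45):
    """Evidence-style check: API calls / source IPs seen for `principal` in the scope
    window but absent from its baseline (`history_days` before it; the page says 45)."""
    baseline_start = scope_start - timedelta(days=history_days)
    before = [(a, ip) for t, p, a, ip in events
              if p == principal and baseline_start <= t < scope_start]
    seen_api, seen_ip = {a for a, _ in before}, {ip for _, ip in before}
    in_scope = [(a, ip) for t, p, a, ip in events
                if p == principal and scope_start <= t <= scope_end]
    return {"new_apis": sorted({a for a, _ in in_scope if a not in seen_api}),
            "new_ips": sorted({ip for _, ip in in_scope if ip not in seen_ip})}
```

With the constructed data, f1 and f2 land in one HIGH group because they share the IP 203.0.113.9, f3 stays alone, and role/app shows a newly observed API call and IP in the February scope window.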
AWS Exam Thinking
Requirement → Keywords → Expected Answer → why every distractor fails.
Investigate root cause of a GuardDuty finding efficiently
Keywords: investigate, root cause, related activity
Expected Answer: Amazon Detective
| Distractor | Why it's wrong |
|---|---|
| Manually query CloudTrail in Athena | Works, but requires building the analysis yourself — far slower than Detective's pre-built graph and finding groups |
| Security Hub | Aggregates and scores findings; doesn't perform the deep graph-based entity investigation Detective does |
| GuardDuty alone | Generated the alert in the first place; has no deeper investigation/visualization capability itself |
Examine multiple related findings as one incident instead of in isolation
Keywords: multiple findings, single incident, attack scope
Expected Answer: Detective finding groups
| Distractor | Why it's wrong |
|---|---|
| Review each GuardDuty finding individually | Risks misjudging significance/scope — exactly the problem finding groups solve |
| GuardDuty Extended Threat Detection | A related but distinct concept — ETD correlates within GuardDuty itself into an Attack Sequence finding; Detective's finding groups are a separate, broader graph-based clustering across ingested findings |
Quickly get a plain-language summary of a complex finding cluster
Keywords: natural language, fast triage, summary
Expected Answer: Detective finding group summary (generative AI)
| Distractor | Why it's wrong |
|---|---|
| Manually read every individual finding | Far slower; defeats the purpose of the automated GenAI summary capability that already exists for this |
Determine whether a specific IAM role's recent activity is actually unusual for that role
Keywords: historical baseline, entity behavior
Expected Answer: Detective entity profile page (for the IAM role)
| Distractor | Why it's wrong |
|---|---|
| GuardDuty finding alone | Tells you THIS action triggered a finding, not the role's broader historical pattern needed to judge true anomaly |
Detect a brand-new threat that hasn't been flagged by any other service yet
Keywords: new threat, detect
Expected Answer: Not Detective — Detective does not generate new threat findings on its own
| Distractor | Why it's wrong |
|---|---|
| Amazon Detective | The classic trap — Detective investigates findings that already exist (mainly from GuardDuty); it is not itself a primary detection engine |
Security Controls Mapping & Integrations
4 — Controls Mapping
Detective (investigative, not generative)
Detective's entire purpose is investigation/forensics on top of existing findings — it has no native control category beyond this. It is explicitly NOT preventive, NOT responsive, and NOT itself a remediation tool.
Governance
Org-wide enablement via delegated administrator, giving a centralized security team visibility into a unified, cross-account behavior graph
⚠️ Detective generates ZERO new threat findings on its own
Every actionable security finding it presents originated elsewhere (GuardDuty by default, Security Hub-aggregated findings like Inspector's optionally). Detective's only originally-generated output is informational/evidence findings — supplementary context, not new threat detections, and these never leave Detective.
5 — Integrations
GuardDuty
What: Mandatory, default data source — part of Detective's core package
Pattern: One-click "Investigate" link directly from a GuardDuty finding pivots into the relevant Detective entity profile or finding group
Security Hub
What: Optional data source — other AWS security findings (including Inspector) aggregated through Security Hub can be ingested into the behavior graph
Why: Richer finding-group correlation when more finding types are available to cluster
Amazon Bedrock
What: Powers the generative AI finding group summaries
Note: Cross-region inference (Feb 2026+) automatically selects the optimal regional endpoint for processing
Organizations
What: Delegated administrator model, multi-account behavior graph
Why: Centralized investigation capability across every member account from one security-tooling account
CloudTrail, VPC Flow Logs, EKS Audit Logs
What: The raw data sources feeding the behavior graph itself
Costs, Limits & Quotas
Pricing Model
Base: Pay-as-you-go, priced per GB of data ingested by source type (CloudTrail, VPC Flow Logs, EKS audit logs)
Trial: 30-day free trial
GenAI summaries: No additional charge if Detective is already enabled
Common Cost Mistakes
- Enabling Detective in accounts with extremely high CloudTrail/Flow Log volume without estimating ingestion cost first
- Not realizing that the optional data sources (Security Hub-aggregated findings) add investigative value, while it is the underlying log ingestion (CloudTrail, VPC Flow Logs, EKS audit logs) that actually drives cost
Cost Optimization
- Use the 30-day trial to estimate ingestion costs against your actual log volume before org-wide rollout
- Enable via delegated administrator for centralized cost visibility across accounts
Limits & Quotas
Scope: Regional service
Historical retention: Up to 1 year of behavior graph data
Informational findings window: Based on the last 45 days of behavior graph data specifically
Data source default: GuardDuty mandatory; Security Hub-aggregated findings (incl. Inspector) optional opt-in
⚠️ Exam trap
Don't confuse the 1-year overall historical retention with the 45-day window specifically used for generating NEW informational/evidence findings related to a finding group — these are two different timeframes serving different purposes.