
Amazon Detective reaches general availability

AWS announced Amazon Detective as generally available, offering managed graph-based investigation across VPC Flow Logs, CloudTrail, and GuardDuty findings. Security teams can enable the service to accelerate incident investigations without building their own graph analytics pipeline.

Verified for technical accuracy — Kodi C.


Overview

Amazon Detective became generally available on , providing AWS customers with a managed graph-based security investigation service. Detective automatically ingests CloudTrail logs, VPC Flow Logs, and GuardDuty findings to build a behavioral graph enabling faster root cause analysis for security events. The service applies machine learning to establish baselines and surface anomalous patterns requiring investigation.

Technical Architecture

Detective creates a unified graph database correlating entities across AWS environments. The service processes CloudTrail management and data events, VPC Flow Logs, and GuardDuty findings to map relationships between IAM users, roles, IP addresses, resources, and API calls. Graph analytics enable investigators to traverse these relationships, following activity patterns across time and resource boundaries.

Machine learning models establish behavioral baselines for entities and highlight deviations warranting investigation. Rather than requiring explicit detection rules, Detective learns normal patterns from historical data and surfaces anomalies automatically. This approach complements rule-based detection in GuardDuty while accelerating triage and root cause analysis.

The visualization interface presents investigation data through interactive graphs, timelines, and summary panels. Investigators pivot from findings to related entities, examine activity over customizable time windows, and export data for documentation. The interface reduces time correlating logs across multiple consoles—a common pain point in cloud security investigations.

Integration with AWS Security Ecosystem

Detective integrates deeply with AWS security services. GuardDuty findings link directly to Detective investigations, enabling one-click pivots from detection alerts to rich investigative context. Security Hub aggregates Detective findings alongside other security services for centralized visibility.

AWS Organizations integration enables centralized management across multiple accounts. Administrators enable Detective organization-wide, configure member account access, and manage retention policies centrally. This multi-account approach aligns with enterprise landing zone patterns and consolidated security operations.

Investigation Workflow Enhancement

Detective transforms security investigation workflows by automating relationship mapping and baseline comparison that historically required manual log correlation:

  • Finding triage: Rapidly assess GuardDuty findings by examining associated entity activity and determining whether behavior represents true positive or expected activity.
  • Lateral movement tracking: Follow credential usage, role assumptions, and resource access across accounts and services to map attack scope.
  • Baseline comparison: Compare current entity behavior against historical baselines to identify deviations indicating compromise or policy violation.
  • Timeline reconstruction: Build chronological event sequences from distributed log sources to understand attack progression.
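To make the graph, pivot, baseline and timeline ideas above concrete, here is an added, deliberately simplified Python illustration (not AWS code and not how Detective is implemented): it builds an entity graph from constructed CloudTrail-style records, pivots from an IP address to related entities, flags a source IP that falls outside a principal's baseline window, and reconstructs a timeline. The record layout, sample values and the baseline cut-off are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample records modelled loosely on CloudTrail fields (not real log data):
# (timestamp, principal, source IP, API call, target resource)
EVENTS = [
    ("2024-05-01T09:00Z", "user/alice", "198.51.100.7", "GetObject", "bucket/app-config"),
    ("2024-05-02T09:05Z", "user/alice", "198.51.100.7", "PutObject", "bucket/app-config"),
    ("2024-05-03T09:10Z", "user/alice", "198.51.100.7", "GetObject", "bucket/app-config"),
    ("2024-05-04T02:30Z", "user/alice", "203.0.113.44", "AssumeRole", "role/Admin"),
    ("2024-05-04T02:31Z", "role/Admin", "203.0.113.44", "ListBuckets", "account/111122223333"),
    ("2024-05-04T02:33Z", "role/Admin", "203.0.113.44", "GetObject", "bucket/finance-exports"),
]
BASELINE_END = "2024-05-03T23:59Z"  # assumed cut-off: activity up to here is "normal"

def build_graph(events):
    """Undirected entity graph: a principal, IP and resource seen in one event are linked."""
    graph = defaultdict(set)
    for _, principal, ip, _, resource in events:
        for a, b in ((principal, ip), (principal, resource), (ip, resource)):
            graph[a].add(b)
            graph[b].add(a)
    return graph

def pivot(graph, start, max_hops):
    """Entities reachable from `start` within max_hops: the 'follow the activity' pivot."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return {n for n in hops if n != start}

def new_source_ips(events, principal, baseline_end):
    """Source IPs the principal used after baseline_end that never appeared in its baseline."""
    before = {ip for t, p, ip, *_ in events if p == principal and t <= baseline_end}
    after = {ip for t, p, ip, *_ in events if p == principal and t > baseline_end}
    return after - before

def timeline(events, entities):
    """Chronological events that touch any of the given entities (principal, IP or resource)."""
    wanted = set(entities)
    return sorted(e for e in events if {e[1], e[2], e[4]} & wanted)

if __name__ == "__main__":
    g = build_graph(EVENTS)
    print("new IPs for user/alice:", new_source_ips(EVENTS, "user/alice", BASELINE_END))
    print("one hop from 203.0.113.44:", sorted(pivot(g, "203.0.113.44", 1)))
    for ev in timeline(EVENTS, ["203.0.113.44"]):
        print(*ev)
```

Widening the hop count from two to three on `bucket/finance-exports` is what pulls the principal's older, routine activity into scope, which is the same trade-off an analyst makes when expanding an investigation window.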

Deployment Considerations

When planning a Detective deployment, consider the following:

Regional coverage: Detective is a regional service. Enable it in each region that contains workloads you need to investigate; a multi-region architecture requires enabling Detective in every such region.

Cost management: Detective pricing scales with data volume ingested. High-volume environments should evaluate cost implications and consider log filtering strategies where appropriate.

Retention planning: Detective retains investigation data for up to one year. Align that retention with your compliance requirements and expected investigation timelines.

Implementation Recommendations

Your security team should integrate Detective into existing workflows through updated playbooks, analyst training on graph navigation, and established procedures for exporting investigation documentation. The combination of GuardDuty detection and Detective investigation creates a full AWS-native security monitoring capability that reduces reliance on manual log analysis.

Machine Learning Meets Security Investigation

Security investigations are tedious. Analysts spend hours piecing together log entries, correlating IP addresses, and building timelines of suspicious activity. AWS Detective automates much of that grunt work, letting your team focus on the actual decision-making.

This is not AI replacing security analysts—it is AI making security analysts more effective. The machine handles data correlation; the human handles interpretation and response.

Getting Value from Security Analytics

Detective works best when you feed it thorough data. Enable CloudTrail, VPC Flow Logs, and GuardDuty before deploying Detective. The more context the tool has, the better its analysis.

But do not expect magic. Detective accelerates investigations; it does not replace the need for skilled analysts who can interpret findings and make response decisions. Invest in both the technology and the people who use it.

Integration with Your Security Stack

Detective does not replace your SIEM—it complements it. Think of it as a specialized tool for AWS-specific investigations that goes deeper than generic log analysis. Use your SIEM for cross-platform visibility; use Detective for AWS deep dives.

The best security operations integrate multiple specialized tools, each adding unique value. Detective fills a specific niche in AWS-centric environments.

Cost and Value Considerations

Detective pricing scales with your AWS usage. Before enabling it everywhere, run a pilot in your most security-sensitive accounts to understand the cost-benefit tradeoff for your environment.

For organizations with significant AWS footprints and active security operations teams, the time savings often justify the investment. For smaller deployments, manual investigation might still be cost-effective.

Building Investigation Workflows

Detective is a tool, not a process. You still need workflows for how investigators use it: when to escalate, how to document findings, what actions to take based on what Detective reveals.

Integrate Detective into your existing runbooks. Train your team on when and how to use it. A powerful tool only creates value when people know how to use it effectively.

Ongoing Improvement

Track your investigation metrics before and after Detective deployment. How long do investigations take? How many incidents go unresolved? These metrics justify the investment and guide ongoing optimization.

Team Training

Detective has a learning curve. Budget time for your team to experiment with the tool before relying on it in active investigations. Familiarity with the interface and data relationships makes real investigations much more efficient.

AWS provides excellent documentation and training resources. Use them. The investment in learning pays off quickly when incidents occur.

Scaling Security Operations

As your AWS footprint grows, manual investigation becomes impossible. Tools like Detective let small security teams keep pace with large, complex environments. Think of automation as a force multiplier for human expertise.

The goal is not to eliminate security analysts—it is to make each analyst dramatically more effective at protecting your organization.

Measuring Effectiveness

Track mean time to investigate before and after Detective deployment. Measure how often investigations successfully identify root causes. These metrics demonstrate value and guide optimization efforts.

Organizational Readiness

Detective only creates value if your organization is ready to act on its findings. Ensure your incident response processes can handle the increased detection rate that better tools provide.

Better visibility means seeing more suspicious activity. Make sure your team has capacity to investigate what Detective reveals.

Long-Term Strategy

Think about how Detective fits into your security roadmap. As AWS releases new features and integrations, maintain expertise and update your workflows accordingly. Security tooling requires ongoing attention, not just initial deployment.

Competitive Analysis

Detective is not the only option for AWS security investigation. Evaluate it against third-party SIEM and SOAR platforms that also support AWS. Each tool has strengths; the right choice depends on your specific environment and team capabilities.

Consider whether native AWS integration or cross-cloud coverage matters more for your organization. The best tool is the one your team will actually use effectively.

