Amazon Detective makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

Amazon Detective can analyze trillions of events from multiple data sources such as Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, AWS CloudTrail logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and Amazon GuardDuty findings, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.

Automatic data collection across all your AWS accounts

Amazon Detective automatically ingests and processes relevant data from all enabled accounts. You don't have to configure or enable any data sources. Amazon Detective collects and analyzes events from data sources, such as AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon EKS audit logs, and Amazon GuardDuty findings, and maintains up to a year of aggregated data for analysis.

Consolidates disparate events into a graph model

Amazon Detective can analyze trillions of events from many separate data sources about IP traffic, AWS management operations, and malicious or unauthorized activity, and uses machine learning, statistical analysis, and graph theory to distill that log data into a graph model: a linked set of data built for security investigations. The graph model is prebuilt with security-related relationships and summarizes contextual and behavioral insights, so you can quickly validate, compare, and correlate the data to reach conclusions. Amazon Detective's visualizations are powered by the graph model, so you can answer investigative questions without the complexity of querying raw logs. For example, the graph provides context and relationships around when an IP address connected to an EC2 instance, and which API calls a role issued in a specific time period.
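To make the idea of a linked graph concrete, here is a small added example (not Amazon Detective's code, whose implementation is not public) that stitches VPC Flow Log records and CloudTrail events into one set of time-stamped edges and then answers the two questions named above: which IP addresses connected to an instance in a window, and which API calls a role issued in that window. The flow log lines, CloudTrail events, account ID, ENI, instance ID and role names are all constructed for the illustration; the ENI-to-instance mapping is assumed to come from a separate EC2 lookup.

```python
"""Linked entity graph from VPC Flow Logs and CloudTrail (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: the ENI-to-instance mapping comes from EC2 DescribeNetworkInterfaces.
# The identifiers are constructed for this example.
ENI_TO_INSTANCE = {"eni-0a1b2c3d": "i-0123456789abcdef0"}

# Constructed VPC Flow Log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.23 51234 22 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.23 44000 443 6 30 9000 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.23 51235 3389 6 4 800 1700003600 1700003660 REJECT OK
"""

ROLE = "arn:aws:iam::123456789012:role/WebAppRole"  # constructed

# Constructed CloudTrail-shaped management events (only the fields used here).
CLOUDTRAIL = [
    {"eventTime": "2023-11-14T22:15:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/session1",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE}}}},
    {"eventTime": "2023-11-14T22:16:30Z", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/WebAppRole/session1",
                      "sessionContext": {"sessionIssuer": {"arn": ROLE}}}},
    {"eventTime": "2023-11-14T22:20:00Z", "eventName": "ListUsers", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    kind: str    # "flow": IP -> instance, "api": principal -> API name, "from_ip": IP -> principal
    ts: int      # epoch seconds of the observation
    attrs: tuple # extra labelled facts, e.g. (("dport", 22), ("action", "ACCEPT"))


def _epoch(iso):
    return int(datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def principal_of(identity):
    """Collapse an assumed-role session to the role that issued it, so all sessions link to one node."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return issuer or identity["arn"]


def build_graph(flow_text, trail_events, eni_to_instance):
    edges = []
    for line in flow_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":      # skip headers or unexpected formats
            continue
        instance = eni_to_instance.get(f[2])
        if instance is None:                 # traffic to an ENI we cannot attribute
            continue
        edges.append(Edge(f[3], instance, "flow", int(f[10]),
                          (("dport", int(f[6])), ("action", f[12]))))
    for ev in trail_events:
        who, ts = principal_of(ev["userIdentity"]), _epoch(ev["eventTime"])
        edges.append(Edge(who, ev["eventName"], "api", ts, (("ip", ev["sourceIPAddress"]),)))
        edges.append(Edge(ev["sourceIPAddress"], who, "from_ip", ts, ()))
    return edges


def ips_connected_to(edges, instance, t0, t1, accepted_only=True):
    """Source IPs with flow records to `instance` whose start time falls in [t0, t1]."""
    return sorted({e.src for e in edges
                   if e.kind == "flow" and e.dst == instance and t0 <= e.ts <= t1
                   and (not accepted_only or dict(e.attrs)["action"] == "ACCEPT")})


def api_calls_by(edges, principal, t0, t1):
    """(timestamp, API name) pairs issued by `principal` in [t0, t1], oldest first."""
    return sorted((e.ts, e.dst) for e in edges
                  if e.kind == "api" and e.src == principal and t0 <= e.ts <= t1)


def principals_seen_from(edges, ip, t0, t1):
    """Pivot: which principals made API calls from `ip` in [t0, t1]."""
    return sorted({e.dst for e in edges if e.kind == "from_ip" and e.src == ip and t0 <= e.ts <= t1})


if __name__ == "__main__":
    g = build_graph(FLOW_LOGS, CLOUDTRAIL, ENI_TO_INSTANCE)
    window = (1700000000, 1700004000)
    for ip in ips_connected_to(g, "i-0123456789abcdef0", *window):
        print(ip, "connected to the instance and was used by", principals_seen_from(g, ip, *window))
    print(api_calls_by(g, ROLE, *window))
```

The pivot in the last function is the kind of question a graph makes cheap: starting from an IP that connected to the instance, it follows the `from_ip` edges to see which principals made API calls from that same address in the same window, without re-scanning either raw log.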

Interactive visualizations for efficient investigation

Amazon Detective provides interactive visualizations that make it easier to investigate issues faster and more thoroughly with less effort. With a unified view that shows all the context and details in one place, it is easier to identify patterns that validate or refute a security issue, and to understand all of the resources affected by a security finding. Using these visualizations, you can filter large sets of event data down to specific timelines, with the details, context, and guidance needed to investigate quickly. Amazon Detective lets you view login attempts on a geolocation map, drill down into relevant historical activity, determine a root cause, and, if necessary, take action to resolve the issue.

Newly observed geolocations

The graph visualization shows you related Amazon GuardDuty findings and affected resources from a single security event, such as EC2 instances, IAM roles and users, S3 buckets, and IP addresses. This helps you in investigating unusual or suspicious activity.

Overall API call volume

The overall API call volume view shows successful and failed calls in a specific time period and compares them to the established baseline. Successful and failed calls are shown separately because they point at different activity: a burst of failed calls (for example, repeated AccessDenied errors in CloudTrail) looks like probing or misused credentials, while a burst of successful calls looks like active use. This helps you identify patterns of abnormal activity and validate a security finding.
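The baseline comparison described above, as an added example rather than Amazon Detective's own method (which is not published): it counts successful and failed CloudTrail calls per UTC day for one principal, where CloudTrail marks a failed call with an `errorCode` field, and flags the day under investigation when either count exceeds the mean plus three standard deviations of the earlier days. All events are constructed synthetically; the role ARN and account ID are placeholders, and the `k` and `min_sigma` parameters are this example's choices.

```python
"""API call volume versus a per-principal baseline (added example, constructed data)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

ROLE = "arn:aws:iam::123456789012:role/WebAppRole"  # constructed identifier


def synth_day(day, ok, failed, principal=ROLE):
    """Constructed CloudTrail-shaped records for one UTC day.

    CloudTrail records a failed call by adding errorCode (and errorMessage) to the event;
    a successful call has no errorCode at all.
    """
    events = []
    for i in range(ok + failed):
        ev = {"eventTime": f"{day.isoformat()}T{i % 24:02d}:{(i // 24) % 60:02d}:00Z",
              "eventName": "GetObject" if i % 3 else "ListBuckets",
              "userIdentity": {"arn": principal}}
        if i >= ok:
            ev["errorCode"] = "AccessDenied"
        events.append(ev)
    return events


def daily_volume(events, principal):
    """Per-UTC-day counts of successful and failed calls for one principal."""
    counts = defaultdict(lambda: {"successful": 0, "failed": 0})
    for ev in events:
        if ev["userIdentity"].get("arn") != principal:
            continue
        day = ev["eventTime"][:10]            # eventTime is ISO 8601 in UTC
        counts[day]["failed" if "errorCode" in ev else "successful"] += 1
    return dict(counts)


def compare_to_baseline(counts, target_day, k=3.0, min_sigma=1.0):
    """Flag target_day when a count exceeds mean + k*stdev of all earlier days.

    min_sigma is a floor on the spread so a nearly flat baseline does not flag
    trivial noise (a jump from 2 to 3 failed calls is not an incident).
    """
    prior = sorted(d for d in counts if d < target_day)
    if not prior:
        raise ValueError("no baseline days before target")
    report = {}
    for kind in ("successful", "failed"):
        hist = [counts[d][kind] for d in prior]
        mu, sigma = mean(hist), max(pstdev(hist), min_sigma)
        observed = counts.get(target_day, {}).get(kind, 0)
        threshold = mu + k * sigma
        report[kind] = {"observed": observed, "baseline_mean": round(mu, 1),
                        "threshold": round(threshold, 1), "anomalous": observed > threshold}
    return report


def example_events():
    """Seven quiet baseline days followed by one day with a large spike in both counts."""
    start = date(2023, 11, 7)
    events = []
    baseline = zip([120, 130, 118, 125, 122, 128, 124], [2, 3, 1, 2, 2, 3, 2])
    for offset, (ok, bad) in enumerate(baseline):
        events += synth_day(start + timedelta(days=offset), ok, bad)
    events += synth_day(date(2023, 11, 14), 400, 85)   # the day under investigation
    return events


if __name__ == "__main__":
    counts = daily_volume(example_events(), ROLE)
    for kind, result in compare_to_baseline(counts, "2023-11-14").items():
        print(kind, result)
```

A daily bucket and a seven-day history are deliberately coarse; a real investigation would use finer buckets and a longer baseline, and would compare per-API-name as well as in aggregate, since a spike in one rarely used call can hide inside a flat total.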

Seamless integration for investigating a security finding

Amazon Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub, as well as with AWS partner security products, so you can quickly investigate findings identified in those services. With a single click from an integrated service you can open Amazon Detective and immediately see the events related to the finding, drill down into relevant historical activity, and investigate the issue. For example, from an Amazon GuardDuty finding you can choose "Investigate" to launch Amazon Detective, which gives instant insight into the relevant activity of the involved resource and the details and context to decide quickly whether the finding reflects actual suspicious activity.

Simple deployment with no upfront data source integration or complex configurations to maintain

With a few clicks in the AWS Management Console, you can enable Amazon Detective. There is no software to deploy, no agents to install, and no complex configuration to maintain. There are also no data sources to enable, which means you do not incur the costs of data source enablement, data transfer, and data storage. One prerequisite to plan for: Amazon GuardDuty must already have been enabled in the account for at least 48 hours before Amazon Detective can be enabled there.
