When you are monitoring your AWS infrastructure for security alerts, not all security signals can be remediated automatically. Large or complex environments can repeatedly generate multiple security flags that need to be manually investigated in detail. A thorough investigation requires access to sometimes complex metadata, which may place a strain on your in-house security skills or may even require you to find the budget for a dedicated security expert.

There are also increased storage requirements and costs when you start collecting security log data, as well as costs associated with processing this data to identify potential security issues.

What is Amazon Detective?

Amazon Detective ingests security data automatically, so there are no requirements to organize data, set up and tune queries or script any algorithms to monitor for security events. There are also no upfront costs for collecting the data, and there are no additional software subscriptions or software to deploy. You simply pay for the security events you analyze using Detective.

How does Amazon Detective work?

Detective builds a baseline so it can determine whether things like API calls are typical for the role making the call, or if traffic spikes from a particular instance are out of character.

GuardDuty, Amazon Inspector and AWS Security Hub are all services providing security alerts and monitoring. Detective enhances these services and also differs in the following ways.

GuardDuty manages threat detection, provides continuous monitoring for unusual or malicious behaviour and protects AWS accounts from things like port scanning, penetration testing and even bitcoin mining. GuardDuty activity and log data can be ingested into other security tools, and GuardDuty provides a platform for centralized monitoring of AWS accounts at scale.

Amazon Inspector automates network and host-based security analysis and enhances the overall security of AWS by providing application level security assessments.

AWS Security Hub aggregates security data from AWS and external sources to help identify trends and establish a more advanced security posture enabling you to react to a wider range of security threats.

Amazon Detective enables you to investigate security events or potential threats from a wide range of information sources. Detective collects and integrates terabytes of log data and transforms it for analysis while providing visualizations to help spot anomalies. This allows you to conduct investigations faster and more effectively.

How to use Amazon Detective.

Incident investigation is another main function of Amazon Detective. Once an incident is identified, Detective can provide some context around the network and resource activity, such as which API calls were made and which IP address they originated from. It can also show which other network resources communicated with the same IP address, which helps formulate a picture of the scope of the incident and the potential impact on your systems and data.

With a potential security incident identified, you can use Amazon Detective to target the threat by hunting out all the activity related to the offending IP address. Which instances has it communicated with over the past year? What other API calls has it made? The historical view and visualization assist with surfacing potential threats.

Amazon Detective key concepts.

Behaviour Graph


Account Structure

Profile Panel Visualizations

Scope Time

What does it cost.

First 1000 GB $2.00/GB

Next 4000 GB $1.00/GB

Next 5000 GB $0.50/GB

Over 10k GB $0.25/GB

There is a fully featured Amazon Detective 30-day free trial available.

What do you need to start using Amazon Detective?

Amazon GuardDuty. You will need a GuardDuty service that has been running for more than 48 hours to enable Detective. This is required for Detective to determine the volume of log data it will need to ingest.

Permissions Policy. If you are not an administrator, you will need to attach a permissions policy to your IAM principal before you can enable Detective. You can also use an existing IAM user or role, or create a specific user/role with the appropriate permissions for initiating Amazon Detective.

You can enable Detective from the Detective Console, the Detective API or the AWS CLI.

What happens next?

To enable Detective, you will already have GuardDuty running. You should sync the management account of GuardDuty with Detective.

The default frequency for CloudWatch notifications within the GuardDuty detectors is 6 hours. This means Detective may not receive alerts for a potential incident for many hours. AWS advises that the CloudWatch notification frequency should be reduced to 15 minutes when using Amazon Detective. This does not increase the pricing of GuardDuty.

Ensure you enable Detective separately in each region where you have workloads. You can use CloudFormation for Detective and the Detective multi-account scripts for this.

Ensure your IAM policy permissions include the permissions required for Detective, like "detective:Get*", "detective:CreateGraph", etc.



Synchronize the management account of Security Hub with Detective.
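
The checklist above can be verified before Detective is enabled. The following is an added example, not code from AWS or Hava: it runs offline over constructed `aws guardduty get-detector` output per region and a constructed IAM policy document, and the function names, sample data and required-action list are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Assumed minimum for enabling Detective, from the two permissions named above.
REQUIRED_ACTIONS = ["detective:CreateGraph", "detective:GetMembers"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_allowed(policy, action):
    """Allow must match and no Deny may match; Resource and Condition are ignored."""
    def matches(stmt):
        patterns = _as_list(stmt.get("Action", []))
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    stmts = _as_list(policy["Statement"])
    if any(s["Effect"] == "Deny" and matches(s) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and matches(s) for s in stmts)

def readiness(detectors, policy, now):
    """detectors maps region -> `aws guardduty get-detector` output, or None."""
    issues = []
    for region, det in sorted(detectors.items()):
        if det is None or det.get("Status") != "ENABLED":
            issues.append(f"{region}: GuardDuty is not enabled")
            continue
        created = datetime.fromisoformat(det["CreatedAt"].replace("Z", "+00:00"))
        if now - created <= timedelta(hours=48):
            issues.append(f"{region}: GuardDuty has run for 48 hours or less")
        freq = det.get("FindingPublishingFrequency")
        if freq != "FIFTEEN_MINUTES":
            issues.append(f"{region}: finding frequency is {freq}")
    for action in REQUIRED_ACTIONS:
        if not action_allowed(policy, action):
            issues.append(f"IAM: policy does not allow {action}")
    return issues

# Constructed sample data, not taken from a real account.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_DETECTORS = {
    "us-east-1": {"Status": "ENABLED", "CreatedAt": "2024-01-05T09:30:00.000Z",
                  "FindingPublishingFrequency": "FIFTEEN_MINUTES"},
    "eu-west-1": {"Status": "ENABLED", "CreatedAt": "2024-03-09T18:00:00.000Z",
                  "FindingPublishingFrequency": "SIX_HOURS"},
    "ap-southeast-2": None,  # no detector in this region
}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["detective:Get*", "detective:List*"], "Resource": "*"}]}

if __name__ == "__main__":
    print("\n".join(readiness(SAMPLE_DETECTORS, SAMPLE_POLICY, NOW)))
```

In the sample, the policy grants "detective:Get*" but not "detective:CreateGraph", so the principal could read from an existing behaviour graph but could not enable Detective.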


Detective is a fairly advanced solution for detecting and assessing suspicious activity and events as they occur or shortly after. One of the diagrams built when you connect your AWS accounts to Hava.io is the Security View diagram.

This interactive diagram documents all the security groups defined in your AWS account and visualizes the open ports, detailing the ingress and egress points in the network.

Selecting a security group on the diagram will change the right hand security pane which will display all the settings, metadata and connected resources related to the security group.

This diagram allows your security team to spot vulnerabilities and resolve them before any real traffic is detected by Amazon Detective and the other services detailed above.

To try out the security view, you can trial Hava for free at https://www.hava.io

Originally published at https://www.hava.io.
