Code360 powered by Coding Ninjas X Code360 powered by Coding Ninjas X
Table of contents
Amazon Detective features
Amazon Detective terms and concepts
Security in Amazon Detective
Frequently asked questions
What does an Amazon detective do?
What guidance does Amazon Detective provide on how to investigate a security issue?
What are detective controls in AWS?
What is a control tower in AWS?
What is a security hub in AWS?
Last Updated: Mar 27, 2024

Amazon detective

Master Python: Predicting weather forecasts
Ashwin Goyal
Product Manager @


Amazon Detective is a multi-account service that collects data from monitored member accounts under a single management account within the same region. Amazon Detective simplifies the analysis, investigation, and rapid identification of authentication issues. It collects log data from your AWS resources. It uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to conduct faster and more efficient security investigations. 


Now, Let's understand the Amazon Detective features.

Amazon Detective features

The features of Amazon detective are as follows:-

Interactive visualizations for efficient investigation

Amazon Detective can operate millions of events from multiple data sources such as AWS CloudTrail, Virtual Private Cloud (VPC) Flow Logs, and Amazon GuardDuty. It automatically creates a unified, interactive view of your resources, users, and their interactions over time.

Interactive visualizations for efficient investigation

Amazon Detective provides interactive visualizations that make it easy to investigate issues faster and more thoroughly with less effort. With a unified view that tells you to visualize all the features and details in one place, it is accessible to understand all of the resources impacted by a security finding and recognize the patterns that may refute or validate a security issue.

Automatic data collection across all your AWS accounts

It ingests and processes relevant data from all enabled accounts automatically. You don't have to configure or allow any type of data source. Amazon Detective only collects and analyzes events from data sources, such as AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty findings, and maintains a year of aggregated data for analysis.

Seamless integration for investigating a security finding

Amazon Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub. AWS partner security products help quickly investigate security findings identified in these services.

Let's deep dive into the Amazon Detective terms and concepts

Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job

Amazon Detective terms and concepts

The following terms and concepts are essential for understanding Here are some of the following amazon detective terms and concepts:

Administrator account

The AWS account owns a behavior graph and uses the behavior graph for investigation. Administrator accounts can view data usage for the behavior graph and delete member accounts from the behavior graph.

Behavior graph

A linked set of data created from incoming source data associated with one or more AWS accounts.

Each behavior graph uses the same findings, entities, and relationship structure.

Delegated administrator account 

In Organizations, the designated administrator account for a service can manage the use of a benefit for the organization. It is the delegated administrator account unless the Detective administrator account is the account of organization management.


Performing triage on exciting or suspicious activity determines the scope, getting to its cause or underlying source, and then deciding how to proceed further.


A single page gives a collection of data visualizations related to the activity of an entity. It provides information to support an investigation into a finding or a general hunt for suspicious activity.


Activity that happens between individual entities. Relationships are also taken from the incoming source data. Like an entity, a relationship has a type, which identifies the types of entities involved and the direction of the connection.

Scope time

The time window is used to scope the data displayed on profiles.

The default scope time for a finding reflects the first and last times when the suspicious activity was observed. The default scope time for an entity profile is the previous 24 hours.

We will now understand the Security in Amazon Detective.

Security in Amazon Detective

Security is a mutual responsibility between the user and AWS. According to the shared responsibility model, the security of the cloud and security in the cloud can be stated as:

  • Security of the cloud – only AWS is responsible for protecting the AWS services infrastructure in the AWS Cloud. It also gives you services that can be used securely. 
  • Security in the cloud – Your responsibility is controlled by the AWS service you use. And hence you are also responsible for other factors, including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

Since you get some idea of the Detective in Amazon, We will now close the article with faqs.

Must read, Amazon Hirepro

Frequently asked questions

What does an Amazon detective do?

Amazon Detective automatically stores log data from your AWS resources and utilizes statistical analysis, graph theory, and machine learning to build a linked set of data that enables you to conduct faster and more efficient security investigations.

What guidance does Amazon Detective provide on how to investigate a security issue?

Amazon Detective offers a variety of visualizations that present context and insights about AWS resources such as AWS accounts, EC2 instances, users, roles, IP addresses, and Amazon GuardDuty findings.

What are detective controls in AWS?

The Detective Controls in AWS ensures that you have appropriately configured the AWS KMS to log the required information you need to gain greater visibility into your environment.

What is a control tower in AWS?

It is a service that enforces and manages governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud.

What is a security hub in AWS?

Security Hub in AWS is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.


This article extensively discusses Amazon detective, its features, and what are the terms and conditions of amazon detective. We also mentioned the security of Amazon detectives.

After reading about the Amazon detective, are you not feeling excited to read/explore more articles on the topic of AWS? Don't worry; Coding Ninjas has you covered. To learn, see Introduction to AWSAWS FeaturesManaging Devices with AWS IoTAWS Amplify, and AWS Cost & Usage Report.

Refer to our Guided Path on Coding Ninjas Studio to upskill yourself in Data Structures and Algorithms, Competitive Programming, JavaScript, System Design, and many more! If you want to test your competency in coding, you may check out the mock test series and participate in the contests hosted on Coding Ninjas Studio! But if you have just started your learning process and are looking for questions asked by tech giants like Amazon, Microsoft, Uber, etc., you must look at the problemsinterview experiences, and interview bundle for placement preparations. 

Nevertheless, you may consider our paid courses to give your career an edge over others! 

Do upvote our blogs if you find them helpful and engaging!

Happy Learning!

Previous article
AWS Cloud Directory
Next article
Amazon GuardDuty
Live masterclass