Scaler
Academy
Data Science
Neovarsity
New
Skill Test
Free Masterclass
Search for Articles, Topics
AWS Tutorial
AWS Detective

AWS Detective

By Swarnabha Sinha
9 mins read
Last updated: 4 May 2023
163 views
Learn via video courses
Topics Covered

Overview

Amazon Detective is a multi-account service that collects data from monitored member accounts under a single management account within the same region. Amazon Detective simplifies the analysis, investigation, and rapid identification of authentication issues. Your AWS resources' log data are collected by it. It creates a linked set of data using machine learning, statistical analysis, and graph theory so you can carry out security `investigations more quickly and effectively.

What is AWS Detective?

Millions of people, small businesses, giant corporations, and even government organizations rely on AWS to provide reliable infrastructure quickly and affordably. Organizations frequently need help comprehending how they can protect and secure their data and clients, given the complexity of today's data. But Amazon Detective is one solution that streamlines all these procedures by enabling your security teams to pinpoint the source of the problem quickly. You may rapidly identify the underlying causes of questionable behavior with a Detective, making it easy to analyze and investigate. The following services provide numerous data logs to AWS Detective:

  • Virtual Private Cloud (VPC) Flow logs: A VPC's built-in provision for capturing data about how network resources are flowing into and out of the VPC is called a flow log.
  • AWS CloudTrail: CloudTrail is AWS's "Management and Governance" tool. Every API call made to other resources in the account is recorded in a log and is auditable by the owners.
  • Amazon GuardDuty: You can identify threats and their behaviour using the AWS-managed monitoring solution for cloud security known as Amazon GuardDuty.

AWS Detective Features

Interactive Visualizations For Efficient Investigation

Millions of events from many data sources, including AWS CloudTrail, Virtual Private Cloud (VPC) Flow Logs, and Amazon GuardDuty, can be processed by Amazon Detective. Over time, a single, interactive representation of your resources, people, and interactions is automatically created.

Automatic Data Collection Across All your AWS Accounts

Amazon Detective automatically receives and analyses pertinent data from all enabled accounts. No data source configuration or authorization is required. Only events from data sources like AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty findings are collected and analyzed by Amazon Detective, which also keeps a year's worth of aggregated data for analysis.

Seamless Integration for Investigating a Security Finding

AWS Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub. AWS partner security products help quickly investigate security findings identified in these services.

Use Cases of AWS Detective

Threat Hunting

By allowing users to concentrate on specific resources like IP addresses, AWS accounts, VPCs, and EC2 instances and by offering in-depth visualizations of actions related to those resources, Amazon Detective aids in the threat-hunting process. It shows time-based analysis and has the capability to dig in, observe all activity during a specific time, and identify deviations from the norm. Threat hunting is a proactive analysis using specific hints or ideas to find undiscovered threats.

Incident Investigation

Amazon Detective provides incident investigation. Additionally, some security findings necessitate a thorough investigation to ascertain the scope, effect, and underlying cause of any hostile behavior. Users can access Amazon Detective when AWS Security services like Amazon GuardDuty report results. There, they can see the immediate context and activity surrounding the finding, drill down into pertinent historical activities to spot unusual patterns, and quickly ascertain the nature and scope of the root cause and the activity that contributed to it.

Triage Security Findings

Users can quickly determine whether a finding is a malicious activity or a false positive by using `Amazon DeteDetective's alizations to see what resources, IP addresses, and AWS accounts are connected to that finding, related findings, and activity that occurred close in time or location to that finding. Triage is frequently used as the initial stage of an inquiry to determine whether a result is a genuine security risk or a false positive.

AWS Detective Terms and Concepts

The following terms and concepts are crucial for understanding. Some of the terminology and concepts used by AWS detectives include the following:

  • Administrator Account: The AWS account owns a behavior graph and uses the behavior graph for investigation. Administrator accounts can view data usage for the behavior graph and delete member accounts from the behavior graph.
  • Behavior Graph: A linked set of data created from incoming source data associated with one or more AWS accounts. Each behavior graph uses the same findings, entities, and relationship structure.
  • Delegated Administrator Account: In AWS Organizations, the delegated administrator account for a service manages the use of a service for the organization. In Detective, the Detective administrator account is also the delegated administrator account, unless the Detective administrator account is the organization management account. The organization management account cannot be a delegated administrator account. In Detective, self-delegation is allowed. An organization management account can delegate their account to the delegated administrator of the Detective but this would be registered or remembered only in the scope of the Detective and not of Organizations.
  • Investigation: It is the process of performing triage on suspicious or interesting activity, determining the scope, getting to its underlying source or cause, and then determining how to proceed.
  • Profile: A single page gives a collection of data visualizations related to the activity of an entity. It provides information to support an investigation into a finding or a general hunt for` suspicious activity.
  • Relationship: Activities that take place between distinct entities. Additionally, relationships are drawn from the incoming source data`. A relationship, like an entity, has a type that describes the kinds of entities involved and the relationship's direction.
  • Scope Time: The time window used to scope the data displayed on profiles. The default scope time for a finding reflects the first and last times when a suspicious activity was observed. The default scope time for an entity profile is the previous 24 hours.

How does AWS Detective Work?

To create a view of typical resource interactions and behaviors across time, Detective gathers time-based events from data sources, such as API requests, log-in attempts, and network traffic.

Detective establishes a baseline so that it may assess whether certain actions, like API calls, are typical for the role making the call or whether traffic spikes from a certain instance are unusual. How does AWS Detective work

AWS Detective must be turned on in the AWS management console.

Security warnings and monitoring are offered through the services: GuardDuty, Amazon Inspector, and Amazon Security Hub. These services are improved by Detective, which also differs in the following aspects.

  • Protecting AWS accounts against things like port scanning, penetration testing, and even bitcoin mining is done by GuardDuty, which also automates threat detection and offers continuous monitoring for unexpected or harmful behavior. GuardDuty activities and log data, which may be ingested into other security products, provide the platform for centralized monitoring of AWS accounts at scale.
  • By offering application-level security assessments, `Amazon Inspector simplifies network and host-based security analysis and improves AWS's overall security.
  • To help you spot trends and create a more sophisticated security posture that will allow you to respond to a wider range of security threats, AWS Security Hub compiles security data from AWS and outside sources.
  • You can look into security incidents or potential risks using Amazon Detective to gather data from a variety of sources. Detective gathers terabytes of log data, integrates, transforms, and displays it to help identify anomalies before conducting an investigation. You can now conduct investigations more successfully and swiftly as a result of this. AWS management console chart

Enable AWS Detective

To enable Detective (via Console):

  • Log in and open the AWS Management Console. Then open the Detective console at https://console.aws.amazon.com/detective/.
  • Select Get started.
  • Align administrator accounts (recommended) on the Enable Amazon Detective page to align the administrator accounts with Amazon GuardDuty, AWS Security Hub, and AWS Detective.
  • Attach IAM policy (required) contains an IAM policy with the permissions that are required to enable Detective and manage a behavior graph. The policy should already be attached to your principal. If it is not yet attached, choose Copy IAM policy to copy the policy so that you can attach it. Confirm that the required IAM policy is in place.
  • You can add tags to the behavior graph in the Add tags section. Do the following to add a tag:
    • Select Add new tag.
    • Enter the tag's name as the Key.
    • Enter the tag's value under Value.
  • Select the Remove option for a tag if you want to remove it.
  • Select Enable Amazon Detective.
  • You can invite member accounts to your behavior graph once Detective is enabled. Select Add members now to get to the Account management page.

FAQs

Q: What does Amazon Detective do?

A: Your AWS resources' log data is automatically stored by Amazon Detective, which also applies statistical analysis, graph theory, and machine learning to create a linked set of data that helps you to carry out security investigations more quickly and effectively.

Q: What Guidance does Amazon Detective provide on How to Investigate a Security Issue?

A: Amazon Detective offers a variety of visualizations that present context and insights about AWS resources such as AWS accounts, EC2 instances, users, roles, `IP addresses, and Amazon GuardDuty findings

Q: What are Detective controls in AWS?

A: The AWS Detective Controls make sure that the AWS KMS is correctly set to log the data you need, to have more visibility into your environment.

Q: What is a Control Tower in AWS?

A: It is an AWS Cloud service that administers and scales governance rules for security, operations, and compliance across your organizations and accounts.

Q: What is a Security Hub in AWS?

A: Security Hub in AWS is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.

Q: What are the Key Benefits of Amazon Detective?

A:

  • Security teams may conduct investigations more quickly and efficiently, thanks to Amazon Detective's investigation-process simplification. With the aid of prebuilt data aggregations, summaries, and context provided by Amazon Detective, you can swiftly assess and ascertain the type and scope of any security vulnerabilities.
  • A series of visualizations created by Amazon Detective highlight changes in the type and volume of activity over a chosen time window and connect those changes to security findings. It keeps track of up to a year's worth of aggregated data and makes it easily accessible.
  • There are no up-front expenses, and you pay for the events examined; installing additional software or enabling log feeds is not needed.

Q: How much does Amazon Detective cost?

A: The cost of Amazon Detective is determined by the amount of information it receives from sources like AWS CloudTrail logs, Amazon's VPC Flow Logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and Amazon GuardDuty results. Each account/region/month incurs a Gigabyte (GB) ingesting fee. For its analysis, Amazon Detective keeps data that has been gathered for up to a year.

Q: Is there a Free Trial?

A: Yes, new accounts to Amazon Detective are eligible to try the service for free for 30 days. During the free trial, you will have access to all features.

Q: Is Amazon Detective a Regional or Global Service?

A: Amazon Detective is a regional service. You must enable Amazon Detective region by region to swiftly examine behavior across your accounts in each location. This guarantees that the data being analyzed is local and does not cross AWS regional boundaries.

Conclusion

  • Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your AWS resources.
  • AWS Detective helps in Interactive visualizations for efficient investigation. It ingests and processes relevant data from all enabled accounts automatically.
  • In this article, we also learned how AWS Detective works.
  • This article explained the responsibilities of GuardDuty, Amazon Inspector, and Amazon Detective.
  • Ultimately, we learned how to enable AWS Detective on the AWS Console.