What is Amazon Detective & how to enable it?
May 30, 2020 / Eternal Team
What is Amazon Detective?
- Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
- AWS security services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub as well as partner security products can be used to identify potential security issues, or findings. These services are really helpful in alerting you when something is wrong and pointing out where to go to fix it. But sometimes there might be a security flaw where you need to dig a lot deeper and analyze more information to isolate the root cause and take action. Determining the root cause of security findings can be a complex process that often involves collecting and combining logs from many separate data sources, using extract, transform, and load (ETL) tools or custom scripting to organize the data, and then security analysts having to analyze the data and conduct lengthy investigations.
- Amazon Detective simplifies this process by enabling your security teams to easily investigate and quickly get to the root cause of a finding. Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically create a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause.
- You can get started with Amazon Detective in just a few clicks in the AWS Console. There is no software to deploy, or data sources to enable and maintain.
Benefits Of Amazon Detective
- Faster and more effective investigations
- Amazon Detective presents a unified view of user and resource interactions over time, with all the context and details in one place to help you quickly analyze and get to the root cause of a security finding. For example, an Amazon GuardDuty finding, like an unusual Console Login API call, can be quickly investigated in Amazon Detective with details about the API call trends over time, and user login attempts on a geolocation map. These details enable you to quickly decide whether the activity is legitimate or an indication of a compromised AWS resource.
- Save time and effort with continuous data updates
- Amazon Detective automatically processes terabytes of event data records about IP traffic, AWS management operations, and malicious or unauthorized activity. It organizes the data into a graph model that summarizes all the security-related relationships in your AWS environment. Amazon Detective then queries this model to create visualizations used in investigations. The graph model is continuously updated as new data becomes available from AWS resources, so you spend less time managing constantly changing data.
- Easy to use visualizations
- Amazon Detective produces visualizations with the information you need to investigate and respond to security findings. It helps you answer questions like ‘is this normal for this role to have so many failed API calls?’ or ‘is this spike in traffic from this instance expected?’ without having to organize any data or develop, configure, or tune your own queries and algorithms. Amazon Detective maintains up to a year of aggregated data that shows changes in the type and volume of activity over a selected time window, and links those changes to security findings.
Enable Amazon Detective
You can enable Amazon Detective from the AWS Management Console.
- Sign in to the AWS Management Console, then open the Detective console.
- Choose Get started.
- On the Enable Amazon Detective page, review the provided information.
- Align master accounts (recommended) explains the recommendation to align the master accounts between Detective and Amazon GuardDuty and AWS Security Hub.
- Attach IAM policy (required) contains the IAM policy that is required to enable Detective and manage a behavior graph. The policy should already be attached to your principal.
- If it is not yet attached, choose Copy IAM policy to copy the policy so that you can attach it.
- Confirm that the required IAM policy is in place. Then choose Enable Amazon Detective.
- After you enable Detective, you can invite member accounts to your behavior graph.
- To navigate to the Account management page, choose Add members now.
Enabling Detective (Detective API, AWS CLI)
You can enable Amazon Detective from the Detective API or the AWS Command Line Interface.
- To enable Detective (Detective API, AWS CLI)
- Detective API: Use the CreateGraph operation.
- AWS CLI: At the command line, run the create-graph command.
$ aws detective create-graph
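The CLI path above, carried one step further as an added example (not from the original post): enable Detective only if this account/region has no behavior graph yet, then invite a member account. It assumes a configured AWS CLI with the required Detective IAM policy already attached; the account ID and email are constructed placeholders, and the `--query` expressions assume the documented `GraphList`, `GraphArn` and `Members` response fields.

```shell
#!/bin/sh
# Added example, not the original post's code. Enables Amazon Detective from
# the AWS CLI idempotently and invites one member account to the graph.
# Assumes: AWS CLI configured (profile/region) and the Detective IAM policy
# already attached to the calling principal, as the console steps require.

# Print the behavior graph ARN for this account/region, creating the graph
# only when list-graphs shows none (one graph per account per region).
ensure_graph() {
  existing=$(aws detective list-graphs --query 'GraphList[0].Arn' --output text) || return 1
  if [ -n "$existing" ] && [ "$existing" != "None" ]; then
    echo "$existing"           # already enabled; reuse the existing graph
  else
    aws detective create-graph --query 'GraphArn' --output text
  fi
}

# Invite a member account into the graph and print its invitation status.
# $1 = graph ARN, $2 = member account ID, $3 = member account root email.
invite_member() {
  aws detective create-members --graph-arn "$1" \
    --accounts "AccountId=$2,EmailAddress=$3" \
    --message "Please accept the Amazon Detective invitation" \
    --query 'Members[0].Status' --output text
}

# Only talk to AWS when explicitly asked, so the file is safe to source.
if [ "${DETECTIVE_APPLY:-0}" = "1" ]; then
  graph_arn=$(ensure_graph) || exit 1
  echo "Behavior graph: $graph_arn"
  # Constructed placeholder values; replace with the real member account.
  invite_member "$graph_arn" 111122223333 security-admin@example.com
fi
```

Run with `DETECTIVE_APPLY=1 sh enable-detective.sh` in the master account; the invited account must then accept the invitation before its data appears in the graph.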