Amazon Detective FAQs

General

Amazon Detective makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

Amazon Detective simplifies the investigative process and helps security teams conduct faster and more effective investigations. Amazon Detective’s prebuilt data aggregations, summaries, and context help you to quickly analyze and determine the nature and extent of possible security issues. Amazon Detective maintains up to a year of aggregated data and makes it easily available through a set of visualizations that shows changes in the type and volume of activity over a selected time window, and links those changes to security findings. There are no upfront costs and you pay only for the events analyzed, with no additional software to deploy or log feeds to enable.

Amazon Detective extracts time-based events such as login attempts, API calls, and network traffic from AWS CloudTrail, Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, Amazon GuardDuty findings, AWS Security Hub findings, and Amazon Elastic Kubernetes Service (Amazon EKS) audit logs. From these events Detective builds a behavior graph, using machine learning (ML) to create a unified, interactive view of your resource behaviors and their interactions over time. By exploring the behavior graph, you can analyze security events such as failed login attempts, suspicious API calls, or finding groups to help you investigate the root cause of your AWS security findings.

Threat actors often perform a series of actions when attempting to compromise your AWS environment, which can result in multiple security findings across your AWS resources. Finding groups are collections of security findings and resources that are associated with a single potential security incident and that you should investigate together. Finding groups can help reduce triage time because you don’t have to investigate each individual security finding separately. You can start your investigation with finding groups, which offer a more complete understanding of the incident. They also offer interactive visualizations that allow you to explore specific findings and insights, using generative AI to describe the chain of events in natural language. For more information, read Analyzing finding groups.

Automated investigations allow you to investigate AWS Identity and Access Management (IAM) entities, such as IAM users or roles, to determine whether these entities are potentially compromised. Automated investigations achieve this by querying your behavior graph and using machine learning to identify whether the IAM entity exhibits anomalous behavior or shows indicators of compromise (IoCs). These IoCs may include potentially malicious activities such as impossible-travel logins, associations with known bad IP addresses, and a history of security findings. Instead of analyzing AWS CloudTrail logs and developing your own scripts to spot suspicious activity, you can save time by using automated investigations to answer questions like ‘has this IAM role been used in impossible-travel logins?’, ‘was this IAM role session used from a known bad IP address?’, or ‘what tactics, techniques, and procedures (TTPs) did this IAM principal trigger during a security event?’ For more information, please refer to the Amazon Detective user guide.

Amazon Detective pricing is based on the volume of data ingested from AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, Amazon GuardDuty findings, and findings sent from integrated AWS services to AWS Security Hub. You are charged per Gigabyte (GB) ingested per account/region/month. Amazon Detective maintains up to a year of aggregated data for its analysis. Please see the Amazon Detective pricing page for the latest pricing information. Amazon EKS and AWS Security Hub findings are optional data sources which you can disable if you don’t want Detective to ingest those data sources.

Yes, any new account to Amazon Detective can try the service for 30 days at no cost. You will have access to the full feature set during the free trial.

Amazon Detective needs to be enabled on a region by region basis and enables you to quickly analyze activity across all your accounts within each region. This ensures all data analyzed is regionally based and doesn’t cross AWS regional boundaries.

The regional availability of Amazon Detective is listed here: AWS Region Table.

Getting started with Amazon Detective

Amazon Detective can be enabled with a few clicks in the AWS Management Console. Once enabled, Amazon Detective automatically organizes data into a graph model, and the model is continuously updated as new data becomes available. You can then begin investigating potential security issues in Amazon Detective.

You can enable Amazon Detective from within the AWS Management Console or by using the Amazon Detective API. If you are already using the Amazon GuardDuty or AWS Security Hub Consoles, you should enable Amazon Detective with the same account that is the administrative account in Amazon GuardDuty or AWS Security Hub to enable the best cross-service experience.

Yes, Amazon Detective is a multi-account service that aggregates data from monitored member accounts under a single administrative account within the same region. You can configure multi-account monitoring deployments in the same way that you configure administrative and member accounts in Amazon GuardDuty and AWS Security Hub.

Amazon Detective enables customers to view summaries and analytical data associated with Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, AWS CloudTrail logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, AWS Security Hub findings, and Amazon GuardDuty findings.

Yes, you can use Amazon Detective if you do not have Amazon GuardDuty activated in the account. You can use Amazon Detective to get detailed summaries, analysis, and visualizations of the behaviors and interactions amongst your AWS accounts, EC2 instances, AWS users, roles, and IP addresses. This information can be very useful in understanding security issues or operational account activity. Amazon GuardDuty is a service in the Prescriptive Guidance - AWS Security Reference Architecture (SRA) as part of the “Key implementation guidelines of the AWS SRA”.

Amazon Detective starts collecting log data as soon as it is enabled and provides visual summaries and analytics on the ingested data. Amazon Detective also provides comparisons of recent activity against historical baselines which are established after two weeks of account monitoring.

Yes, you can query and download AWS CloudTrail logs and Amazon VPC Flow Logs using an integration with Amazon Security Lake. You can review how the integration works in the ‘Amazon Detective for Amazon Security Lake’ section below.

Amazon Detective conforms to the AWS shared responsibility model, which includes regulations and guidelines for data protection. Once enabled, Amazon Detective will process data from AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon EKS audit logs, findings sent from integrated AWS services to AWS Security Hub, and Amazon GuardDuty findings for any accounts where it has been turned on.

Amazon Detective has no impact on the performance or availability of your AWS infrastructure since Amazon Detective retrieves the log data and findings directly from the AWS services.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With AWS Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. Amazon Detective simplifies the process of investigating security findings and identifying the root cause. Amazon Detective analyzes trillions of events from multiple data sources such as Amazon VPC Flow Logs, AWS CloudTrail logs, Amazon EKS audit logs, findings sent from integrated AWS services to AWS Security Hub, and Amazon GuardDuty findings and automatically creates a graph model that provides you with a unified, interactive view of your resources, users, and the interactions between them over time.

Amazon Detective enables you to analyze and visualize security data from your AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon EKS audit logs, findings sent from integrated AWS services to AWS Security Hub, and Amazon GuardDuty findings. To stop Amazon Detective from analyzing these logs and findings for your accounts please disable the service by using the API or from the settings section in the AWS Console for Amazon Detective.

Working in the Amazon Detective console

Amazon Detective provides a variety of visualizations that present context and insights about AWS resources such as AWS accounts, EC2 instances, users, roles, IP addresses, and Amazon GuardDuty findings. Each visualization is designed to answer specific questions that may come up as you analyze findings and the related activity. Each visualization provides textual guidance that clearly explains how to interpret the panel and use its information to answer your investigative questions.

Amazon Detective supports cross-service user workflows through console integrations with Amazon GuardDuty, AWS Security Hub, and Amazon Security Lake. GuardDuty and Security Hub provide links from within their consoles that redirect you from a selected finding directly to an Amazon Detective page containing a curated set of visualizations for investigating the selected finding. Amazon Detective provides pre-built queries based on your investigations that can query and download log files from Amazon Security Lake. The finding details page in Amazon Detective is already aligned to the timeframe of the finding and shows relevant data associated with the finding.

Various partner security solution providers have integrated with Amazon Detective to enable investigation steps within their automated playbooks and orchestrations. These products present links from within the response workflows that redirect users to Amazon Detective pages containing visualizations curated for investigating findings and resources identified within the workflow.

Amazon Detective for AWS Security Hub

Once enabled, Amazon Detective automatically and continuously analyzes and correlates user, network, and configuration activity for AWS services integrated with AWS Security Hub. Amazon Detective automatically ingests security findings forwarded from AWS security services to AWS Security Hub through the optional data source called AWS Security Findings.

AWS Security Hub supports integrations with several AWS services. With the exception of sensitive data findings from Amazon Macie, you’re automatically opted in to all other AWS service integrations with Security Hub. If you’ve turned on Security Hub and any of the integrated services, those services will send findings to Security Hub. Detective ingests those findings and adds them to your graph so you can conduct security investigations for all integrated AWS services. Those services include AWS Config, AWS Firewall Manager, Amazon GuardDuty, AWS Health, AWS Identity and Access Management Access Analyzer, Amazon Inspector, AWS IoT Device Defender, Amazon Macie, and AWS Systems Manager Patch Manager.

By default, AWS security findings are enabled as a data source for new accounts using Detective. You may need to enable this data source if you were using Detective before support for AWS security findings was released. You can follow the steps listed under AWS security findings in the Administration Guide to confirm the data sources for Detective. This data source must be enabled separately in each region where you plan to use Detective.

Amazon Detective’s consumption of AWS security findings is designed not to affect the performance of your AWS security services, as Amazon Detective consumes the security findings through independent, duplicated finding streams. For the same reason, Amazon Detective’s consumption of your AWS security findings will not increase your costs for using AWS Security Hub or any integrated AWS security service.

Amazon Detective consumption of AWS security findings is priced based on the volume of findings processed and analyzed by Amazon Detective. Amazon Detective provides a free 30-day trial to all customers that enable AWS security findings, allowing customers to ensure that Amazon Detective capabilities meet their security needs and to get an estimate of the service’s monthly cost before committing to paid usage.

No. Amazon Detective charges only once for each finding sent from a given service; a finding that is ingested directly from a service is not charged again when the same finding also arrives through AWS Security Hub.

Amazon Detective for Amazon Security Lake

After integrating the two services, Amazon Detective can query and retrieve AWS CloudTrail logs and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs from Amazon Security Lake for your security investigations. You can use this integration to start your investigations in Amazon Detective and preview or download specific AWS CloudTrail logs or Amazon VPC Flow Logs if you need additional details stored in the logs. For example, if you’re investigating suspicious activity from an IAM user over the past 24 hours, you can use Amazon Detective to get a summary of the services the IAM user interacted with in the API method panel. If you observe interactions with services that represent a potential security issue, such as API calls to describe roles, you can download the AWS CloudTrail logs for that IAM user. Amazon Detective provides a pre-built Amazon Athena SQL query scoped to the time window and entity under investigation (the past 24 hours for the IAM user), making your query and log retrieval easier. This integration saves you time by eliminating the need to craft the SQL query from scratch, and you can preview and download the results without leaving the Amazon Detective console.
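The following is an added example, not the SQL that Detective itself generates: it builds the same kind of entity- and time-scoped Athena query for Security Lake's CloudTrail management-event table, for cases where you want to run or extend the query outside the console. The table name, the OCSF column names (time_dt, actor.user.uid, api.operation, api.service.name, src_endpoint.ip, status) and the sample principal ARN are assumptions and must be checked against your own data lake before use; the one security-relevant detail is that the principal ARN is quoted as a string literal rather than concatenated raw, so a crafted user name cannot alter the query.

```python
"""Build an Athena query over Security Lake's CloudTrail table scoped to one
IAM principal and a time window, in the spirit of Detective's pre-built query.

Added example, not Detective's own code. ASSUMED: the Security Lake table name
below and the OCSF column names used; verify both against your lake.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# ASSUMED table name (Security Lake 2.0 naming for CloudTrail management events).
DEFAULT_TABLE = (
    "amazon_security_lake_glue_db_us_east_1."
    "amazon_security_lake_table_us_east_1_cloud_trail_mgmt_2_0"
)


def quote_literal(value: str) -> str:
    """Return `value` as an Athena single-quoted string literal.

    Doubling embedded quotes is the SQL escape; the ARN comes from an
    investigation, not from the query author, so it is never spliced in raw.
    """
    return "'" + value.replace("'", "''") + "'"


def cloudtrail_query(
    principal_arn: str,
    end: datetime,
    hours: int = 24,
    operation_prefix: str | None = None,
    table: str = DEFAULT_TABLE,
) -> str:
    """Return SQL for all management events by `principal_arn` in the
    `hours` before `end`, optionally narrowed to operations such as Describe*.
    """
    if end.tzinfo is None:
        raise ValueError("end must be timezone-aware; Security Lake times are UTC")
    end_utc = end.astimezone(timezone.utc)
    start_utc = end_utc - timedelta(hours=hours)
    fmt = "%Y-%m-%d %H:%M:%S"
    where = [
        f"actor.user.uid = {quote_literal(principal_arn)}",  # ASSUMED column
        f"time_dt BETWEEN TIMESTAMP '{start_utc:{fmt}}' "
        f"AND TIMESTAMP '{end_utc:{fmt}}'",
    ]
    if operation_prefix:
        # LIKE pattern built from a quoted literal, so the prefix is escaped too.
        where.append(f"api.operation LIKE {quote_literal(operation_prefix + '%')}")
    return (
        "SELECT time_dt, api.service.name AS service, api.operation, "
        "src_endpoint.ip AS source_ip, status\n"
        f"FROM {table}\n"
        "WHERE " + "\n  AND ".join(where) + "\n"
        "ORDER BY time_dt"
    )


if __name__ == "__main__":
    # Constructed example: a fictitious IAM user, the 24 hours before a fixed end.
    window_end = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(cloudtrail_query("arn:aws:iam::111122223333:user/alice",
                           window_end, operation_prefix="Describe"))
```

Security Lake tables are partitioned; when scanning more than a day, add the partition columns your lake exposes to the WHERE clause so Athena reads only the relevant partitions and you are not billed for a full-table scan.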

To enable the integration between the two services, you will need to run an AWS CloudFormation template. This template creates an Amazon Security Lake subscriber with the permissions needed to query and consume logs from Amazon Security Lake, and deploys additional AWS services in your account that are used to query and download logs. You can review what the AWS CloudFormation template deploys in the Amazon Detective User Guide.

You will be charged for each service according to Amazon Detective pricing and Amazon Security Lake pricing. Additionally, you will incur charges for each query using Amazon Athena, and there will be charges for the additional AWS services deployed in your account to support the integration. You can use the AWS pricing calculator to estimate the total cost for integrating the two services.

Yes. You will need to run the AWS CloudFormation template in each AWS Region where you want to integrate Amazon Detective with Amazon Security Lake.

Amazon Detective for Amazon Elastic Kubernetes Service (Amazon EKS)

Once enabled, Amazon Detective automatically and continuously analyzes and correlates user, network, and configuration activity across your Amazon EKS workloads. Amazon Detective automatically ingests Amazon EKS audit logs and correlates user activities with AWS CloudTrail management events and network activity with Amazon VPC Flow Logs, without requiring you to enable or store these logs manually. The service extracts key security information from these logs and retains it in a security behavior graph database that enables fast, cross-referenced access to twelve months of activity. Amazon Detective provides a data analysis and visualization layer, backed by that behavior graph database, to help you answer common security questions and more quickly investigate potentially malicious behavior associated with your Amazon EKS workloads.

By default, Amazon EKS audit logging is enabled as a data source for new accounts using Detective. You may need to enable this data source if you were using Detective before support for EKS audit logs was released. You can follow the steps listed under Amazon EKS audit logs for Detective in the Administration Guide to confirm the data sources for Detective. This data source must be enabled separately in each region where you plan to use Detective.
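Both the AWS security findings and the EKS audit log data sources are per-region settings that older Detective deployments may still have disabled, and the console only shows one region at a time. The script below is an added example (not AWS's or Detective's own code) that audits every behavior graph in a region through the Detective API and optionally enables whatever is missing. It uses the real ListGraphs, ListDatasourcePackages and UpdateDatasourcePackages operations and the package names DETECTIVE_CORE, EKS_AUDIT and ASFF_SECURITYHUB; FakeDetectiveClient, its graph ARNs and its responses are constructed here so the example runs offline, and the boto3 client is only used when boto3 is installed. Run it once per region with a client bound to that region.

```python
"""Audit (and optionally enable) Amazon Detective data source packages for
every behavior graph in one Region.

Added example, not AWS's code. The fake client and its responses are
constructed for offline use; real runs use boto3.client("detective").
"""
from __future__ import annotations

from typing import Iterable, Iterator

# DETECTIVE_CORE is always on; the other two are the optional, billable sources.
REQUIRED_PACKAGES = ("DETECTIVE_CORE", "EKS_AUDIT", "ASFF_SECURITYHUB")


def iter_graphs(client) -> Iterator[dict]:
    """Yield every behavior graph from ListGraphs, following NextToken."""
    token = None
    while True:
        page = client.list_graphs(**({"NextToken": token} if token else {}))
        yield from page.get("GraphList", [])
        token = page.get("NextToken")
        if not token:
            return


def packages_to_enable(list_response: dict,
                       required: Iterable[str] = REQUIRED_PACKAGES) -> list[str]:
    """Return the required packages whose ingest state is not STARTED.

    `list_response` is a ListDatasourcePackages response. A package missing
    from the response (graph created before that source existed) counts as
    not enabled, which is exactly the case the FAQ warns about.
    """
    states = list_response.get("DatasourcePackages", {})
    return [name for name in required
            if states.get(name, {}).get("DatasourcePackageIngestState") != "STARTED"]


def audit_region(client, required: Iterable[str] = REQUIRED_PACKAGES,
                 enable: bool = False) -> dict[str, list[str]]:
    """Map each graph ARN to its missing packages; enable them when asked."""
    report: dict[str, list[str]] = {}
    for graph in iter_graphs(client):
        arn = graph["Arn"]
        missing = packages_to_enable(client.list_datasource_packages(GraphArn=arn), required)
        if missing and enable:
            client.update_datasource_packages(GraphArn=arn, DatasourcePackages=missing)
        report[arn] = missing
    return report


# Constructed graph ARNs for the offline demo (fictitious account 111122223333).
GRAPH_A = "arn:aws:detective:us-east-1:111122223333:graph:aaaa1111"
GRAPH_B = "arn:aws:detective:us-east-1:111122223333:graph:bbbb2222"


class FakeDetectiveClient:
    """Constructed stand-in for the boto3 Detective client (offline only)."""

    def __init__(self) -> None:
        self.updates: list[tuple[str, list[str]]] = []
        # Two graphs split across two pages to exercise NextToken handling.
        self._pages = {
            None: {"GraphList": [{"Arn": GRAPH_A}], "NextToken": "page2"},
            "page2": {"GraphList": [{"Arn": GRAPH_B}]},
        }
        started = {"DatasourcePackageIngestState": "STARTED"}
        self._packages = {
            # Older graph: EKS audit disabled, security findings never enabled.
            GRAPH_A: {"DatasourcePackages": {
                "DETECTIVE_CORE": started,
                "EKS_AUDIT": {"DatasourcePackageIngestState": "DISABLED"}}},
            GRAPH_B: {"DatasourcePackages": {n: started for n in REQUIRED_PACKAGES}},
        }

    def list_graphs(self, NextToken=None):
        return self._pages[NextToken]

    def list_datasource_packages(self, GraphArn):
        return self._packages[GraphArn]

    def update_datasource_packages(self, GraphArn, DatasourcePackages):
        self.updates.append((GraphArn, list(DatasourcePackages)))
        return {}


if __name__ == "__main__":
    try:
        import boto3
        client = boto3.client("detective")  # Region comes from your AWS config
    except ImportError:
        client = FakeDetectiveClient()
    for arn, missing in audit_region(client, enable=False).items():
        print(arn, "missing:", ", ".join(missing) or "none")
```

Run with enable=False first and review the report: turning on EKS_AUDIT or ASFF_SECURITYHUB starts billable ingestion for that graph, and in a multi-account deployment the call must be made from the administrator account that owns the graph.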

Amazon Detective's consumption of Amazon EKS audit logs is designed not to affect the performance of your Amazon EKS workloads, as Amazon Detective consumes the audit logs through independent, duplicated audit log streams. For the same reason, Amazon Detective's consumption of your Amazon EKS audit logs will not increase your costs for using Amazon EKS.

Amazon Detective's consumption of Amazon EKS audit logs is priced based on the volume of audit logs processed and analyzed by Amazon Detective. Amazon Detective provides a free 30-day trial to all customers that enable Amazon EKS coverage, allowing customers to ensure that Amazon Detective’s capabilities meet their security needs and to get an estimate of the service’s monthly cost before committing to paid usage.

Currently this capability supports Amazon EKS clusters running on EC2 instances in your AWS account. Detective also provides support for Amazon GuardDuty EKS Runtime Monitoring and ECS Runtime Monitoring (which includes monitoring for Amazon ECS on Fargate). This capability does not provide visibility into self-managed Kubernetes on EC2 or into Amazon EKS Anywhere.