What is Amazon Detective?

Robust infrastructure at lower cost is the goal of start-ups, large organizations and government agencies alike. As data and applications grow in volume and complexity, organizations face two problems at once: protecting the data and keeping it easily accessible for their clients. Public cloud providers such as Amazon offer tools that identify security concerns and help find and fix issues.

Sometimes more than this is needed to find and fix the root cause of a problem: log data from several sources has to be combined and analysed before a security analyst can even begin an investigation.

In this article we look at Amazon Detective: how to enable it, how it works and its key features.

About Amazon Detective  

Amazon Detective helps security teams identify the root cause of a security issue. It makes analysis and investigation easier and shortens the time needed to find the root cause of suspicious activity. It ingests logs from several AWS services:

  • Amazon VPC flow logs – a built-in VPC feature that records the IP traffic flowing into and out of the network interfaces in a VPC. 
  • AWS CloudTrail – found under ‘Management and Governance’ in the console. It records the API calls made in an account (which principal called which API on which resource, from which IP address, and when) and keeps them as a log.
  • Amazon GuardDuty – the AWS managed threat-detection service. It analyses account and network activity for suspicious behaviour and raises findings; it detects, it does not block. 


How to Enable Amazon Detective

To enable Amazon Detective, sign in to the AWS Management Console, open the Detective console and choose Get started. Review the information on the Enable Amazon Detective page:

  • Detective distinguishes an administrator account (called the ‘master account’ at launch) from member accounts. Use the same account that acts as the GuardDuty and Security Hub administrator, so that findings line up across the three services. The administrator invites other accounts to become members of its ‘behaviour graph’. 
  • A behaviour graph is regional and has exactly one administrator account. The same account can be the administrator of a separate behaviour graph in each region.
  • The user who enables Detective needs an IAM policy granting the Detective permissions (for example the AWS managed policy AmazonDetectiveFullAccess), which allow creating and managing the behaviour graph.
  • Once Detective is enabled, member accounts can be invited into the behaviour graph; a member’s data is only ingested after it accepts the invitation. 

Amazon Detective is enabled from the AWS Management Console. At the time of writing it is available in five regions: US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Tokyo) and Europe (Ireland).
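The same onboarding can be scripted instead of clicked through. The following is an added example, not code from the original article or from AWS: it drives the boto3 Detective client (create_graph, list_graphs, create_members), reuses an existing graph because an administrator account may own only one per region, parses the region out of the graph ARN, and reports accounts that Detective refused to invite. The account IDs, e-mail addresses and the StubDetective stand-in client are constructed so the flow can be run without an AWS account; replace the stub with detective_client(region) for a real run.

```python
"""Enable Amazon Detective in a region and invite member accounts.

Added example, not code from the original article or from AWS. Uses the boto3
Detective client API; the account IDs, e-mail addresses and the stand-in client
below are constructed so the flow runs offline.
"""
import re
from typing import Dict, List, Tuple

ACCOUNT_ID = re.compile(r"^\d{12}$")


def graph_region(graph_arn: str) -> str:
    """Region of a behaviour graph, parsed from its ARN
    (arn:aws:detective:<region>:<account>:graph:<id>). Graphs are regional,
    so members must be invited through a client for this region."""
    parts = graph_arn.split(":")
    if len(parts) < 6 or parts[2] != "detective":
        raise ValueError(f"not a Detective graph ARN: {graph_arn}")
    return parts[3]


def detective_client(region: str):
    """Real client; boto3 is imported lazily so the helpers work with a stand-in."""
    import boto3  # assumption: boto3 installed, administrator-account credentials configured
    return boto3.client("detective", region_name=region)


def enable_detective(client) -> str:
    """Creating the behaviour graph is what 'enabling' Detective means.
    An administrator account may own only one graph per region, so an
    existing graph is reused instead of letting create_graph fail."""
    existing = client.list_graphs().get("GraphList", [])
    if existing:
        return existing[0]["Arn"]
    return client.create_graph()["GraphArn"]


def invite_members(client, graph_arn: str, accounts: Dict[str, str],
                   message: str) -> Tuple[List[str], Dict[str, str]]:
    """Invite accounts ({account id: e-mail}) into the graph. Returns
    (account ids now invited, {account id: reason} for rejected ones).
    Invited accounts still have to accept before their logs are ingested."""
    bad = [a for a in accounts if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"malformed account ids: {bad}")
    resp = client.create_members(
        GraphArn=graph_arn,
        Message=message,
        Accounts=[{"AccountId": a, "EmailAddress": e} for a, e in accounts.items()],
    )
    invited = [m["AccountId"] for m in resp.get("Members", [])]
    rejected = {u["AccountId"]: u["Reason"] for u in resp.get("UnprocessedAccounts", [])}
    return invited, rejected


class StubDetective:
    """Constructed stand-in for the boto3 client: mimics the response shapes of
    the three calls used above so the flow can be exercised offline."""

    def __init__(self, region: str = "us-east-1", account: str = "111111111111") -> None:
        self.region, self.account = region, account
        self.graphs: List[str] = []
        self.members: List[str] = []

    def list_graphs(self):
        return {"GraphList": [{"Arn": g} for g in self.graphs]}

    def create_graph(self):
        arn = f"arn:aws:detective:{self.region}:{self.account}:graph:0123456789abcdef"
        self.graphs.append(arn)
        return {"GraphArn": arn}

    def create_members(self, GraphArn, Message, Accounts):
        # The administrator account cannot be invited as a member of its own graph.
        ok = [a for a in Accounts if a["AccountId"] != self.account]
        self.members += [a["AccountId"] for a in ok]
        return {
            "Members": [{"AccountId": a["AccountId"], "Status": "INVITED"} for a in ok],
            "UnprocessedAccounts": [
                {"AccountId": a["AccountId"], "Reason": "administrator account cannot be a member"}
                for a in Accounts if a["AccountId"] == self.account
            ],
        }


def onboard(client, accounts: Dict[str, str],
            message: str = "Please accept the Amazon Detective invitation") -> dict:
    """Enable Detective and invite the given accounts; returns a summary."""
    arn = enable_detective(client)
    invited, rejected = invite_members(client, arn, accounts, message)
    return {"graph_arn": arn, "region": graph_region(arn),
            "invited": invited, "rejected": rejected}


if __name__ == "__main__":
    # Dry run against the stand-in (constructed accounts); use detective_client("us-east-1") for real.
    print(onboard(StubDetective(), {"222222222222": "sec-ops@example.com",
                                    "111111111111": "root@example.com"}))
```

Run this once per region in which Detective is to be enabled, with a client for that region; the graph ARN returned for one region is not valid in another.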

How It Works

Amazon Detective collects events such as sign-in attempts, API calls (from CloudTrail) and network traffic (from VPC flow logs). If GuardDuty is enabled in the account, Detective also ingests GuardDuty findings. 
It uses machine learning, statistical analysis and graph theory to build a behaviour graph: a unified, interactive view of how resources have behaved over time. 

It analyses this activity and identifies patterns that may indicate an underlying security issue. Some findings need a deeper dive to understand the effect of the malicious activity. When GuardDuty raises such a finding, the analyst can pivot from GuardDuty into Detective to determine the root cause quickly. 

Flow of Investigation

Let’s look at the investigation flow in Amazon Detective in more detail, as depicted in figure 2.

Phase 1: An analyst reviewing GuardDuty or Security Hub findings can open a finding in Detective, or use Detective’s search function to select a finding to triage. 

Phase 2: The finding profile provides visualizations of the activity around the finding. Detective generates them from the behaviour graph, which is built from the logs it collects and from the finding data.

Phase 3: Once the issue is understood and judged to be a true or false positive, the analyst updates the status of the original finding (for example, archiving it in GuardDuty).
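The behaviour graph described above and the finding profile an analyst reads in phase 2 can be illustrated end to end on a toy scale. The following is an added example, not code from the original article or from AWS: it builds an entity graph (IAM user, IP address, API, network interface) from constructed CloudTrail events and constructed VPC flow log records, then answers the triage question Detective's profile panels answer, namely what the principal did during the finding's scope time that it never did in the baseline period, and how much traffic the VPC exchanged with the newly seen IP. All log data, account IDs and addresses (RFC 5737 test ranges) are constructed; the 10.0.0.0/8 VPC range is an assumption.

```python
"""Toy behaviour graph in the spirit of Amazon Detective's finding profiles.

Added example, not code from the original article or from AWS. All log
records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed CloudTrail events: (eventTime, userName, eventSource, eventName, sourceIPAddress)
CLOUDTRAIL = [
    ("2020-04-01T09:00:00Z", "alice", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.7"),
    ("2020-04-02T09:05:00Z", "alice", "s3.amazonaws.com", "ListBuckets", "198.51.100.7"),
    ("2020-04-03T10:00:00Z", "alice", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.7"),
    ("2020-04-04T02:13:00Z", "alice", "secretsmanager.amazonaws.com", "GetSecretValue", "192.0.2.44"),
    ("2020-04-04T02:14:00Z", "alice", "iam.amazonaws.com", "CreateUser", "192.0.2.44"),
    ("2020-04-04T02:15:00Z", "alice", "ec2.amazonaws.com", "DescribeInstances", "192.0.2.44"),
]

# Constructed VPC flow log records in the default version-2 format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
VPC_FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49152 443 6 20 4000 1585731600 1585731660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49153 443 6 18 3600 1585818000 1585818060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 192.0.2.44 49160 22 6 9000 52000000 1585966440 1585966500 ACCEPT OK
2 111122223333 eni-0a1b2c3d 192.0.2.44 10.0.1.10 22 49160 6 300 24000 1585966440 1585966500 ACCEPT OK
"""


def parse_iso(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class BehaviourGraph:
    """Entities are strings such as 'user:alice', 'ip:192.0.2.44', 'eni:...';
    every edge records when it was observed plus log-specific attributes."""

    def __init__(self) -> None:
        self.edges: Dict[Tuple[str, str], List[Tuple[datetime, dict]]] = defaultdict(list)

    def add(self, a: str, b: str, when: datetime, **attrs) -> None:
        self.edges[(a, b)].append((when, attrs))

    def neighbours(self, node: str, start: datetime, end: datetime) -> Dict[str, List[dict]]:
        """Entities linked to `node` by edges observed in [start, end)."""
        found: Dict[str, List[dict]] = defaultdict(list)
        for (a, b), observations in self.edges.items():
            if node not in (a, b):
                continue
            other = b if a == node else a
            for when, attrs in observations:
                if start <= when < end:
                    found[other].append(attrs)
        return found


def ingest_cloudtrail(graph: BehaviourGraph, events) -> None:
    """Each API call links the principal to the API it called and to the caller IP."""
    for ts, user, source, api, ip in events:
        when = parse_iso(ts)
        graph.add(f"user:{user}", f"api:{api}", when, source=source)
        graph.add(f"user:{user}", f"ip:{ip}", when)


def ingest_flow_logs(graph: BehaviourGraph, text: str) -> None:
    """Each flow links the network interface to the remote IP with byte counts."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2":
            continue  # not a default-format v2 record
        eni, src, dst, dport, nbytes = f[2], f[3], f[4], int(f[6]), int(f[9])
        when = datetime.fromtimestamp(int(f[10]), tz=timezone.utc)
        outbound = src.startswith("10.")  # assumption: the VPC uses 10.0.0.0/8
        remote = dst if outbound else src
        graph.add(f"eni:{eni}", f"ip:{remote}", when, bytes=nbytes,
                  direction="out" if outbound else "in", dport=dport)


def build_graph() -> BehaviourGraph:
    graph = BehaviourGraph()
    ingest_cloudtrail(graph, CLOUDTRAIL)
    ingest_flow_logs(graph, VPC_FLOW_LOGS)
    return graph


def finding_profile(graph: BehaviourGraph, principal: str, scope_start: str,
                    scope_end: str, baseline_days: int = 30) -> dict:
    """What `principal` did in the scope window that it never did in the
    baseline window, plus VPC traffic to/from any newly observed IP."""
    start, end = parse_iso(scope_start), parse_iso(scope_end)
    baseline = graph.neighbours(principal, start - timedelta(days=baseline_days), start)
    scope = graph.neighbours(principal, start, end)
    new_apis = sorted(n[len("api:"):] for n in scope if n.startswith("api:") and n not in baseline)
    new_ips = sorted(n[len("ip:"):] for n in scope if n.startswith("ip:") and n not in baseline)
    traffic = {}
    for ip in new_ips:  # pivot from the caller IP to the flow-log side of the graph
        flows = graph.neighbours(f"ip:{ip}", start, end)
        traffic[ip] = {d: sum(a["bytes"] for obs in flows.values() for a in obs
                              if a.get("direction") == d) for d in ("in", "out")}
    return {"new_api_calls": new_apis, "new_ips": new_ips, "vpc_traffic": traffic}


if __name__ == "__main__":
    # Scope time of a constructed finding about alice, early on 4 April.
    print(finding_profile(build_graph(), "user:alice",
                          "2020-04-04T02:00:00Z", "2020-04-04T03:00:00Z"))
```

The profile shows DescribeInstances as unremarkable (alice called it throughout the baseline) but flags GetSecretValue and CreateUser as newly observed API calls from a newly observed IP, and the pivot reveals that the same IP pulled about 52 MB out of the VPC over SSH during the scope window, which is the kind of evidence that lets the analyst mark the finding a true positive in phase 3.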
