Amazon Detective for Investigation
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Amazon Detective: Deep Dive into Investigation and Analysis
Introduction: The Challenge of Modern Threat Investigation
In the modern cloud environment, security teams are often overwhelmed by a deluge of alerts. When a security tool like Amazon GuardDuty flags a suspicious event—perhaps an unusual API call from an unknown IP address or a potential credential compromise—the immediate question is not "is this an alert?" but rather "how far did this go, and what was the impact?" Manually stitching together disparate logs from AWS CloudTrail, VPC Flow Logs, and GuardDuty findings is a time-consuming, error-prone process that often delays incident response when speed matters most.
Amazon Detective is designed to solve this exact problem. It is a managed service that automatically collects log data from your AWS environment and uses machine learning, statistical analysis, and graph theory to build a linked set of data that you can easily navigate. Instead of sifting through raw JSON log files, security analysts use Detective to visualize relationships between entities—such as IP addresses, IAM users, EC2 instances, and roles—to understand the "blast radius" of a security incident. This lesson explores how to implement, use, and optimize Amazon Detective to transform your incident response capabilities.
Understanding the Core Architecture of Amazon Detective
To understand why Amazon Detective is effective, we must look at how it processes data. Detective does not simply store logs in a searchable database; it constructs a behavioral graph. A graph database is uniquely suited for security because it excels at showing connections. If an IAM user performs an action, the graph shows the user, the action, the resource affected, and the source IP address as connected nodes.
When you enable Detective, it begins ingesting data from three primary sources:
- AWS CloudTrail: This provides the history of API calls and management events within your account. It tells you who did what and when.
- VPC Flow Logs: These provide information about the IP traffic going to and from network interfaces in your VPC. They are essential for identifying lateral movement or communication with known malicious command-and-control servers.
- Amazon GuardDuty Findings: These are the trigger points. Detective ingests these findings to provide context, allowing you to pivot from a specific alert directly into the behavioral graph associated with the entities involved in that alert.
Callout: Graph Databases vs. Traditional Log Aggregation Traditional log aggregation tools (like SIEMs) rely on indexing text logs. While they are great for keyword searching, they struggle to visualize complex, multi-stage attack chains. Amazon Detective uses a graph model, which stores the relationships between entities as first-class citizens. This allows an analyst to perform "graph traversal"—moving from an IP address to the IAM role that used it, then to the EC2 instance where that role was assumed, and finally to the S3 bucket that was accessed—all through a visual interface.
Setting Up and Configuring Amazon Detective
Setting up Amazon Detective is relatively straightforward, but it requires careful planning regarding account structure and data ingestion. In a multi-account AWS environment, you should use the AWS Organizations integration to designate a delegated administrator account for security.
Step-by-Step Implementation
- Identify the Security Account: Choose a dedicated security account to act as the administrator for Detective. This ensures that security analysts have a centralized place to investigate findings across the entire organization.
- Enable Detective in the Administrator Account: Navigate to the AWS Console, search for "Detective," and click "Get Started." You will be prompted to enable the service.
- Configure Member Accounts: Once the administrator account is set up, use the "Accounts" tab to invite the other accounts in your organization. If you are using AWS Organizations, you can enable auto-enablement, which ensures that any new account added to your organization is automatically configured for Detective.
- Data Ingestion Verification: Detective begins processing historical data immediately upon enablement. Note that it may take a few hours for the full graph to populate, as the service needs time to build the relationships from the ingested log history.
Note: Amazon Detective does not store the original raw logs. It processes them to create the behavioral graph and then discards the raw logs after a period. If you need to retain raw logs for compliance or forensic auditing, you must continue to store them in an S3 bucket with appropriate lifecycle policies.
Investigating Incidents: The Analyst Workflow
Once Detective is populated with data, the real work begins. An investigation typically starts with a GuardDuty finding. For example, imagine GuardDuty flags a "UnauthorizedAccess:IAMUser/MaliciousIPCaller" finding.
The Investigation Process:
- Start at the Finding: Click on the finding in the GuardDuty console and select "Investigate with Detective." This takes you directly to the entity profile in Detective associated with that finding.
- Review the Entity Profile: You will land on an "Entity Profile" page. If the entity is an IAM user, you will see a timeline of their API activity. Look for spikes in activity or calls that deviate from the user's historical baseline.
- Identify Anomalies: Detective highlights unusual behavior. For instance, if a user typically logs in from an office IP range and suddenly logs in from a foreign data center, Detective will mark this as an anomaly.
- Pivot to Related Entities: From the user profile, you can click on the source IP address. This will take you to the "IP Address Profile." Here, you can see if other IAM users or roles have interacted with that same IP address, which might indicate a broader credential compromise.
- Trace Lateral Movement: Use the VPC Flow Log data within the IP profile to see if the IP address is communicating with other internal resources. If the IP is communicating with an EC2 instance, you can pivot to the instance profile to see what other processes or roles are active on that machine.
Practical Example: Detecting Credential Compromise
Suppose you receive an alert about "IAMUser/AnomalousBehavior." Upon opening the Detective profile for that user, you notice that the user has performed s3:ListBucket on a bucket they have never accessed before. You also see that the API calls originated from an IP address that has been flagged in other findings. By clicking on the IP address, you see that it was also used by a different IAM user to perform ec2:DescribeInstances. This connection strongly suggests that a set of credentials has been leaked and is being used to conduct reconnaissance across your environment.
Using the Amazon Detective API for Automation
While the web console is excellent for interactive investigation, you can also interact with Amazon Detective via the AWS CLI or SDKs. This is useful for integrating Detective into your automated incident response playbooks. For example, you might have a Lambda function that triggers when a high-severity GuardDuty alert occurs, which then queries Detective to gather context and posts it to a Slack channel for the on-call engineer.
Example: Querying Detective via AWS CLI
To get information about an entity using the CLI, you must first have the ARN of the graph and the specific entity.
# Example: Get details for an IAM user profile
aws detective get-members \
--graph-arn arn:aws:detective:us-east-1:123456789012:graph:abc123def456 \
--account-ids 123456789012
Warning: Be cautious when building automation that relies on Detective. Because Detective is a high-level analytical tool, it is not designed for real-time, low-latency alerting. Do not use it as a replacement for GuardDuty. Use GuardDuty for real-time detection and Detective for the subsequent "deep dive" investigation.
Best Practices for Effective Threat Hunting
To get the most out of Amazon Detective, you need to move beyond reactive investigation and adopt a proactive threat hunting mindset.
1. Establish Baselines
Spend time in the console when there are no active incidents. Look at the profiles of your most privileged IAM users and your most sensitive EC2 instances. Understanding what "normal" looks like is the only way to quickly spot what is "abnormal" during a crisis.
2. Leverage Managed Policies
Ensure that your IAM roles have the minimum necessary permissions. Detective will show you if a user is using permissions that they have not used before. If you see a user suddenly using iam:CreateAccessKey when they have never done so, that is a high-fidelity signal that warrants immediate investigation.
3. Integrate with SIEM/SOAR
While Detective is a powerful tool, it shouldn't exist in a vacuum. Ensure that your security team is aware of how to pivot from your primary SIEM (like Splunk or Sentinel) into Detective. You can often include the Detective URL in your ticket system so that responders can click directly into the investigation view.
4. Monitor for "Quiet" Attacks
Not all attacks are noisy. Some involve a single, targeted API call to extract sensitive data. Use Detective's timeline features to look for low-frequency events that might be missed by traditional threshold-based alerts.
Common Pitfalls and How to Avoid Them
Even with a powerful tool like Detective, security teams often fall into traps that limit the tool's effectiveness.
- Ignoring the "Blast Radius": A common mistake is stopping the investigation once the initial malicious activity is found. Always check if the compromised entity interacted with other resources. If an IAM role was compromised, look at every single resource that role had access to, not just the one that triggered the alert.
- Assuming Detective is a SIEM: Detective is not a log storage solution. If you need to perform complex regex searches across terabytes of raw logs, Detective is not the right tool. Use Amazon Athena or OpenSearch for that. Use Detective for visualizing relationships and behavioral patterns.
- Incomplete Account Coverage: If you have 50 accounts in your organization but only enable Detective for 10 of them, you have massive blind spots. An attacker will almost always move laterally into the accounts that are least monitored. Ensure that all accounts, especially those in production environments, are part of your Detective graph.
- Underestimating the Learning Curve: The power of a graph database is that it allows for complex queries, but it requires the analyst to understand how entities connect. Invest time in training your team on how to read the visual graphs and what the different icons and edges represent.
Comparative Analysis: Detective vs. Other AWS Security Tools
Understanding where Detective fits in the AWS security ecosystem is critical for efficient resource management.
| Feature | Amazon GuardDuty | Amazon Detective | AWS CloudTrail |
|---|---|---|---|
| Primary Purpose | Real-time threat detection | Incident investigation | Audit logging |
| Data Source | Logs, VPC, DNS, S3 | GuardDuty, CloudTrail, VPC | API logs |
| Output | Alerts/Findings | Visual graphs/Relationships | Raw JSON logs |
| Latency | Near real-time | Near real-time (graph updates) | Near real-time |
| User Goal | "Is something bad happening?" | "What happened and what is affected?" | "Who did this specific action?" |
Callout: Why not just use CloudTrail? CloudTrail is essential, but it is effectively a massive, linear list of text files. If you have an environment with hundreds of users, those files are millions of lines long. Finding a single "needle in the haystack" requires complex filtering and a deep understanding of the API structure. Detective abstracts this by organizing the data into a navigable map, allowing you to see the "story" of an incident rather than just reading the raw logs.
Advanced Investigation Techniques
Once you have mastered the basics, you can start using Detective to uncover more sophisticated patterns.
Analyzing Lateral Movement
Lateral movement is the process by which an attacker moves from an initial entry point to a higher-value target. In Detective, you can spot this by looking at the "VPC Flow Logs" tab on an EC2 instance profile. If an instance is suddenly communicating with other instances on ports like 22 (SSH) or 3389 (RDP) that it never communicated with before, you are likely looking at an internal reconnaissance phase of an attack.
Detecting Data Exfiltration
Data exfiltration often involves large volumes of data being moved out of your environment. While Detective isn't a network traffic analyzer, the VPC Flow Logs data can show you the volume of data transferred between an internal resource and an external IP address. If you see a spike in outbound traffic from a database-connected instance to an unknown external IP, you should immediately investigate the IAM role associated with that instance.
Investigating Credential Stuffing
If you see a surge in failed login attempts followed by a successful login from a new IP, this is a classic sign of credential stuffing. In Detective, you can pivot from the IAM user to the IP address to see if that same IP address has been attempting to log into other users in your account. This confirms that the attacker is systematically testing credentials across your organization.
Maintaining the Health of Your Detective Environment
Detective requires little maintenance, but there are a few operational tasks to keep in mind:
- Review Ingestion Status: Periodically check the Detective console to ensure that all member accounts are still successfully sending data. If an account stops sending logs, your graph will become fragmented, and you will lose visibility.
- Account Offboarding: When you decommission an AWS account, ensure you remove it from the Detective administrator's list of accounts. This keeps your billing clean and ensures your security dashboards remain accurate.
- Data Retention: While Detective retains data for up to a year, ensure your internal compliance requirements are met. If your policy requires 7 years of data retention, you must ensure that your raw CloudTrail and VPC Flow Logs are archived in S3 with S3 Glacier storage classes.
- Cost Management: Detective is priced based on the volume of data ingested. Monitor your bill to ensure you aren't ingesting unnecessary logs. For example, if you have high-volume VPC flow logs from a non-critical environment, you might consider excluding those accounts from Detective if the cost outweighs the security benefit.
Addressing Common Questions (FAQ)
Q: Does Amazon Detective replace the need for SIEM? A: Not necessarily. Detective is a specialized tool for incident investigation. A SIEM is typically used for broader compliance reporting, long-term log retention, and correlation of logs from non-AWS sources (like on-premises servers or SaaS applications). Most mature organizations use both.
Q: Can I see the raw logs inside Detective? A: No. Detective provides summary data and visualizations. If you need the exact raw log, you should use the link provided in the finding to go to the CloudTrail or S3 location where the original log is stored.
Q: How does Detective handle sensitive data in logs? A: Detective does not store the content of the logs in a way that is readable as raw text. It processes the logs to extract entity relationships. However, you should still ensure that your logs do not contain sensitive PII or secrets by using tools like Amazon Macie to scan your S3 buckets.
Q: Is there a limit to how much data I can ingest? A: There are no hard limits on the volume of data, but the service is designed to scale with your usage. The primary constraint is cost.
Key Takeaways for Security Professionals
- Prioritize Visibility: You cannot secure what you cannot see. Amazon Detective provides the necessary visibility into the relationships between your cloud entities, which is essential for modern incident response.
- Focus on Relationships: Shift your mindset from "searching for keywords" to "tracing relationships." The ability to follow a path from an alert to a compromised resource is the fastest way to contain an incident.
- Automate the Pivot: Use APIs and integrations to make the transition from alert to investigation as seamless as possible. Every second saved during the initial triage phase reduces the potential impact of a breach.
- Proactive Baselines: Don't wait for an alert to open Detective. Use the tool to understand your environment's normal behavior so that anomalies stand out immediately when they occur.
- Multi-Account Strategy: Always use AWS Organizations to centralize Detective management. Fragmented security visibility is the most common cause of delayed incident response in large environments.
- Complementary Tooling: Remember that Detective is part of a larger ecosystem. It works best when paired with GuardDuty for detection, CloudTrail for audit, and a SIEM for long-term compliance and correlation.
- Continuous Improvement: Threat hunting is an iterative process. Use the insights you gain from each investigation in Detective to update your IAM policies, security groups, and GuardDuty detection rules to prevent similar incidents in the future.
By integrating Amazon Detective into your security workflow, you move away from the frustration of manual log analysis and toward a structured, evidence-based approach to incident response. This not only improves your security posture but also reduces the stress and burnout often associated with managing complex cloud environments. Take the time to build your graphs, understand your entity relationships, and refine your investigation playbooks—your future self will thank you when the next security incident occurs.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons