Amazon Detective Investigation
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Amazon Detective Investigation: A Comprehensive Guide
Introduction: The Challenge of Modern Security Investigations
In the landscape of cloud security, the sheer volume of data generated by services like AWS CloudTrail, Amazon VPC Flow Logs, and Amazon GuardDuty can be overwhelming. When a security alert triggers, the primary challenge is not a lack of information, but the difficulty of connecting disparate data points to form a coherent narrative. Security analysts often find themselves manually correlating IP addresses, IAM user activities, and resource modifications across multiple logs, a process that is time-consuming and prone to human error.
Amazon Detective is designed to solve this specific problem. It is a service that automatically collects log data from your AWS environment and uses machine learning, statistical analysis, and graph theory to build a linked set of data that makes it easy to conduct investigations. Instead of forcing an analyst to perform complex queries across raw log files, Detective provides a pre-built, visual representation of resource interactions. By understanding the "who, what, when, and where" of a security event through a graphical interface, teams can reduce their mean time to resolution (MTTR) significantly.
This lesson explores how to use Amazon Detective to investigate security findings effectively. We will move beyond the basic interface to understand how to leverage graph-based analysis, how to interpret findings, and how to integrate Detective into your broader incident response automation workflows. Whether you are a security engineer or a cloud architect, mastering Detective is essential for maintaining visibility in complex, multi-account AWS environments.
Understanding the Architecture of Amazon Detective
To effectively use Amazon Detective, you must first understand how it processes data. Unlike tools that perform "on-demand" queries, Detective operates as a continuous data ingestion engine. It ingest data from three primary sources: Amazon GuardDuty findings, AWS CloudTrail management events, and Amazon VPC Flow Logs.
Once this data is ingested, Detective builds a graph model. In this model, AWS resources—such as IAM roles, IP addresses, EC2 instances, and User Agents—are represented as "nodes," while the interactions between them are represented as "edges." For example, if an IAM role makes an API call from a specific IP address, Detective creates a link between that role node and the IP address node. This graph structure allows you to query relationships that would be nearly impossible to identify using standard SQL-like log analysis tools.
Callout: The Power of Graph Databases in Security Traditional log management systems rely on relational databases or indexing engines. While excellent for searching strings, they struggle with "multi-hop" queries—for example, "Find all roles that accessed this S3 bucket, then find all IPs those roles used, then find all other resources those IPs touched." Amazon Detective is purpose-built for these traversals, making it a graph-based security intelligence tool rather than just a log viewer.
Key Components of the Detective Graph
- Entities: These are the primary objects within your environment, including IAM users, IAM roles, IP addresses, EC2 instances, and AWS accounts.
- Interactions: These represent the traffic or API calls between entities. Detective tracks the frequency, duration, and volume of these interactions to establish baselines of normal behavior.
- Behavioral Graphs: The underlying data structure that connects entities based on their historical activity, allowing you to see how a threat actor moved laterally through your environment.
Setting Up and Configuring Amazon Detective
Before you can begin an investigation, you must ensure that Detective is properly configured. In a multi-account environment, this involves setting up a delegated administrator account. This account will act as the central hub for all security investigations, collecting data from member accounts across your organization.
Step-by-Step: Enabling Detective in an AWS Organization
- Select the Administrator: Choose a dedicated security account within your AWS Organization to be the Detective administrator.
- Enable Detective in the Admin Account: Navigate to the Detective console in the AWS Management Console and select "Get started."
- Enable Member Accounts: Use the AWS Organizations integration to automatically enable Detective for all accounts in your organization. This ensures that as new accounts are created, they are automatically enrolled in your security monitoring.
- Verify Data Ingestion: Once enabled, wait for the initial data ingestion period (usually 24-48 hours) to ensure the graph has enough historical context to be useful.
Note: Amazon Detective does not store the original logs. It stores the summarized, graph-based representation of the data. If you need to perform a deep forensic analysis on the raw packet headers or specific payload content, you should still maintain your original S3 buckets containing CloudTrail and VPC Flow Logs.
Conducting an Investigation: A Practical Workflow
When an alert arrives, the investigation process should follow a structured path. Let us assume you have received a GuardDuty finding indicating "Unauthorized Access:IAMUser/AnomalousBehavior." Here is how you use Detective to investigate.
Phase 1: Initial Triage
Open the GuardDuty finding and click on the "Investigate with Detective" link. This will automatically redirect you to the Detective console, centered on the entity involved in the finding. You will be presented with a profile page for the IAM user in question.
Phase 2: Analyzing Resource Behavior
On the entity profile page, look for the "Behavioral Graph" section. Check for the following:
- New API Calls: Has this user recently started making API calls they have never made before?
- Geographic Shifts: Is the user connecting from a location (IP address or country) that is inconsistent with their typical activity?
- User Agent Anomalies: Is the user connecting via a tool that deviates from the standard AWS CLI or Console user agents?
Phase 3: Lateral Movement Detection
If the IAM user is associated with an EC2 instance, navigate to the instance profile. Check the "VPC Flow Log" interactions. Are there spikes in data transfer to an external, unknown IP address? Does the instance have an IAM role that allows it to interact with sensitive S3 buckets or DynamoDB tables?
Warning: Be cautious when investigating "anomalous" behavior. Sometimes, a legitimate deployment script or a new developer on the team can trigger findings. Always cross-reference the Detective findings with your team’s CI/CD pipeline logs or internal communication channels (like Slack/Jira) before taking drastic actions like disabling an IAM user.
Advanced Investigation Techniques: Using Detective for Threat Hunting
Detective is not just for reacting to alerts; it is a powerful tool for proactive threat hunting. You can start an investigation by searching for a specific IP address associated with a known malicious actor (e.g., from a threat intelligence feed) to see if that IP has interacted with any of your resources.
Example: Searching for Indicators of Compromise (IoC)
- Search for the IP: Enter the malicious IP address into the Detective search bar.
- Examine Interactions: Look at the "Associated Resources" section. Did the IP address attempt to authenticate via the AWS Management Console? Did it attempt to download data from an S3 bucket?
- Identify Pivots: If the IP interacted with an EC2 instance, pivot to that instance’s profile. From there, see what other IAM roles accessed that instance or what other instances that role interacted with.
Comparison: Detective vs. CloudWatch Logs Insights
| Feature | Amazon Detective | CloudWatch Logs Insights |
|---|---|---|
| Primary Use | Relationship analysis and entity behavior | Keyword searching and log aggregation |
| Data Format | Graph-based (Nodes and Edges) | Time-series log records |
| Ease of Use | High (Visual interface) | Medium (Requires SQL-like syntax) |
| Context | Automatically links resources | Requires manual joining of streams |
Automation and Integration
While the Detective UI is excellent for manual investigation, you can enhance your workflow by integrating it with other AWS services. Using AWS Step Functions or Lambda, you can create a "Security Investigation Package."
When a high-severity GuardDuty finding occurs:
- Trigger: A Lambda function is triggered by an EventBridge rule.
- Context Gathering: The Lambda function queries the Detective API to pull a summary of the entity involved.
- Enrichment: The summary is posted to a security dashboard or a Slack channel for the on-call engineer.
- Action: The engineer is provided with a direct link to the Detective investigation page, already populated with the relevant entity context.
Code Example: Fetching Detective Findings via SDK
This Python example demonstrates how to retrieve investigation results for a specific entity using the Boto3 library.
import boto3
# Initialize the Detective client
detective = boto3.client('detective')
def get_entity_details(graph_arn, entity_arn):
"""
Retrieves details about an entity in the graph.
"""
try:
response = detective.get_entity_details(
GraphArn=graph_arn,
EntityArn=entity_arn
)
return response['EntityDetails']
except Exception as e:
print(f"Error fetching entity details: {e}")
return None
# Example Usage
graph_arn = "arn:aws:detective:us-east-1:123456789012:graph:a1b2c3d4..."
entity_arn = "arn:aws:iam::123456789012:user/suspicious-user"
details = get_entity_details(graph_arn, entity_arn)
print(details)
Explanation of the Code:
- Client Initialization: We use
boto3.client('detective')to connect to the service. - Graph ARN: This is the unique identifier for your Detective graph. You can find this in the Detective settings page.
- Entity ARN: The specific resource (IAM, EC2, etc.) you are investigating.
- Function Logic: The
get_entity_detailsfunction encapsulates the API call, allowing you to easily integrate this into your automated alerting pipeline.
Best Practices for Security Investigations
To get the most out of Amazon Detective, you should adopt a rigorous approach to how you handle security findings.
1. Maintain Clean Identity Hygiene
Detective is highly effective at tracking IAM roles. If your environment has thousands of "orphan" roles that are never used, Detective will show messy, cluttered graphs. Regularly audit and delete unused IAM roles to ensure that when a suspicious role appears in Detective, it stands out immediately.
2. Leverage Consistent Tagging
Detective allows you to filter and view resources based on tags. If your EC2 instances are tagged with Environment: Production or Owner: TeamA, you can quickly narrow down your investigation to specific segments of your infrastructure. This prevents "investigation fatigue" where you are looking at too much noise.
3. Establish a Baseline
Spend time in Detective when there are no alerts. Learn what your "normal" traffic looks like. What do your production servers usually talk to? Which IP ranges are common? By establishing this baseline in your mind, you will intuitively recognize when a graph looks "wrong."
4. Cross-Account Visibility is Mandatory
Do not limit Detective to a single account. Security threats rarely stay contained within the account where they started. Ensure your Detective administrator account has permissions to pull data from every account in your AWS Organization.
Common Pitfalls and How to Avoid Them
Even experienced security teams fall into traps when using Detective. Being aware of these will save you significant time.
Pitfall 1: Relying Solely on Automated Findings
Detective is a tool, not a decision-maker. It will show you that a user accessed a resource, but it cannot tell you if that access was authorized by your internal business logic. Always combine Detective findings with your internal knowledge of your application’s architecture.
Pitfall 2: Ignoring the "Time Window"
Detective displays data over a specific time range. If you are investigating an incident that happened three weeks ago, ensure you have adjusted the time picker in the console. Often, analysts miss the root cause because they are looking at the current state rather than the state at the time of the incident.
Pitfall 3: Not Checking User Agent Strings
Analysts often focus on IP addresses and assume a static IP is "safe." However, sophisticated attackers use compromised legitimate VPNs or proxy services. Always check the "User Agent" field in the entity profile; if a developer’s IAM role is suddenly being used by a python-requests library instead of their usual aws-cli or browser agent, that is a massive red flag, regardless of the IP address.
Callout: The "Pivot" Mindset The most important skill in Detective is the "pivot." Never stop at the first entity. If you see a suspicious IP, pivot to the IAM role. If you see a suspicious IAM role, pivot to the EC2 instance. If you see a suspicious EC2 instance, pivot to the VPC Flow Logs. The "story" of the hack is almost always found in the connections, not the nodes themselves.
Troubleshooting Detective Configurations
If you find that data is missing or incomplete, follow this checklist:
- Check Data Source Status: Navigate to the Detective settings page and ensure that GuardDuty, CloudTrail, and VPC Flow Logs are all showing a "Healthy" status.
- Verify IAM Permissions: Ensure your local user or role has the
AmazonDetectiveFullAccessor equivalent permissions. - Check Regional Availability: Detective is a regional service. If you are investigating an incident in
us-west-2, ensure your Detective graph is configured for that region. Data does not automatically replicate across regions in the Detective graph. - Wait for Ingestion: If you just added a new member account, it can take up to 48 hours for the full historical graph to be built.
Summary and Key Takeaways
Amazon Detective transforms the arduous task of log analysis into a visual, relationship-based exploration. By using graph theory to link entities, it removes the guesswork from incident response and allows security teams to focus on the "why" and "how" of a security event.
Key Takeaways:
- Graph-Based Intelligence: Detective is superior to traditional log search because it maps relationships between AWS resources, allowing for rapid identification of lateral movement.
- Continuous Data Collection: It works as an automated ingestion engine, meaning you do not need to manually run queries to see the history of an entity.
- Multi-Account Strategy: Always deploy Detective via a delegated administrator in an AWS Organization to ensure total visibility across your environment.
- The Art of the Pivot: Effective investigation relies on moving between related entities (IP to User, User to Resource, Resource to Network).
- Proactive Hunting: Don't wait for a GuardDuty finding. Use Detective to proactively verify the behavior of sensitive resources and high-privilege IAM roles.
- Integration is Key: Automate the gathering of Detective context using the AWS SDK to provide your incident response team with immediate, actionable data.
- Baseline Awareness: Spend time exploring your infrastructure in "peacetime" to understand what normal traffic and resource interactions look like for your specific workload.
By mastering the techniques outlined in this lesson, you will be well-equipped to handle the complex security investigations that are inevitable in modern cloud environments. Remember, the goal is not just to find the logs, but to understand the story they tell. Detective is your best tool for reading that story.
Frequently Asked Questions (FAQ)
Q: Does Amazon Detective charge based on the number of findings? A: No, Detective pricing is based on the volume of data ingested from CloudTrail, VPC Flow Logs, and GuardDuty findings. You pay for the amount of data processed and stored in the graph.
Q: Can I use Amazon Detective for on-premises servers? A: No, Amazon Detective is designed specifically for AWS resources and logs. It does not ingest data from on-premises servers or non-AWS cloud providers.
Q: If I delete an IAM user, does it disappear from the Detective graph? A: No, Detective retains the historical data for the entity. Even if a resource is deleted, you can still view its past interactions, which is crucial for forensic investigations after an attacker has cleaned up their tracks.
Q: Is there a limit to how far back I can search in Detective? A: Detective typically keeps data for up to a year. This provides a substantial window for long-term forensic investigations, which is often sufficient for most compliance and security requirements.
Q: Can I customize the graph? A: You cannot manually add nodes or edges to the graph. The graph is automatically generated by Detective based on the ingested logs. However, you can use filters and search to navigate the graph in ways that fit your investigation needs.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons