Utilizing Amazon Detective for Security Investigations

Amazon Detective is an AWS service built to help you investigate and analyze security issues and other anomalies in your AWS environment efficiently. This blog post answers eight common questions: what Amazon Detective is, the features it provides, its fees, the pros and cons of using it, whether it applies to cloud and on-premises services, and whether agents are needed.

Q1: What are the Features of Amazon Detective?

  1. Automated Data Collection: Amazon Detective ingests AWS CloudTrail logs, VPC Flow Logs, and Amazon GuardDuty findings automatically, so no additional collection setup is needed.
  2. Graphical Visualization: The service presents your data as a graph of relationships, so you can see how entities are connected and spot trends and outliers.
  3. Interactive Investigation: It lets you follow leads from one data source to another and explore the data in a tree structure to identify where security issues originate.
  4. Seamless Integration: Amazon Detective is integrated with other AWS security services such as AWS Security Hub, AWS Config, and AWS IAM Access Analyzer.

Q2: What Fees Should I Expect When Using Amazon Detective?

After the 30-day free trial, Amazon Detective fees depend on the volume of data ingested and analyzed. The pricing model has two components:

    1. Ingestion Charges: The cost of ingesting data from AWS CloudTrail, VPC Flow Logs, and GuardDuty findings is based on the volume of data.
    2. Analysis Charges: These are based on the volume of data ingested and analyzed.

As of this post's publication date, AWS lists the following pricing:

  • Ingested logs:
    • First 1,000 GB: $2.00/GB
    • Next 4,000 GB (up to 5,000 GB): $1.00/GB
    • Next 5,000 GB (up to 10,000 GB): $0.50/GB
    • Over 10,000 GB: $0.25/GB

An example for the US East Region is attached below. For more information, visit the Amazon Detective pricing page.

Example: Data Ingested from AWS CloudTrail, Amazon VPC Flow Logs, Amazon GuardDuty (Per Account, Per Region)
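To turn the tiers above into a budget estimate, here is an added Python calculator (not code from the post or from AWS) that applies the quoted tiers to a month's ingestion volume. It assumes, following the "Per Account, Per Region" caption of the attached example, that each account/region pair is rated separately, which is why the same volume split across several accounts does not reach the cheaper tiers; the rates are copied from the list above and should be re-checked against the pricing page before use.

```python
"""Tiered ingestion-cost estimator for Amazon Detective.

Added example, not code from the post or from AWS. The tier boundaries
and USD/GB rates are the ones quoted in the post above; check them
against the current Amazon Detective pricing page before relying on them.
Assumption (from the post's "Per Account, Per Region" caption): the
tiers apply separately to each account/region pair.
"""
from typing import Dict, List, Optional, Tuple

# (tier size in GB, USD per GB); None marks the unbounded final tier.
TIERS: List[Tuple[Optional[float], float]] = [
    (1_000, 2.00),   # first 1,000 GB
    (4_000, 1.00),   # next 4,000 GB (up to 5,000 GB)
    (5_000, 0.50),   # next 5,000 GB (up to 10,000 GB)
    (None, 0.25),    # everything over 10,000 GB
]


def monthly_ingestion_cost(gb: float) -> float:
    """USD charge for ingesting `gb` gigabytes in one account/region in a month."""
    if gb < 0:
        raise ValueError("ingested volume cannot be negative")
    remaining, cost = gb, 0.0
    for size, rate in TIERS:
        if remaining <= 0:
            break
        # Fill the current tier before moving to the next, cheaper one.
        portion = remaining if size is None else min(remaining, size)
        cost += portion * rate
        remaining -= portion
    return round(cost, 2)


def effective_rate(gb: float) -> float:
    """Blended USD/GB at a given volume (handy for comparing with a flat-rate tool)."""
    return round(monthly_ingestion_cost(gb) / gb, 4) if gb > 0 else 0.0


def estimate_fleet(usage_gb: Dict[str, float]) -> Dict[str, float]:
    """Rate each account/region key separately and add a 'total' entry."""
    costs = {key: monthly_ingestion_cost(gb) for key, gb in usage_gb.items()}
    costs["total"] = round(sum(costs.values()), 2)
    return costs


if __name__ == "__main__":
    # Constructed usage figures for illustration only.
    single = estimate_fleet({"111122223333/us-east-1": 12_000})
    split = estimate_fleet({"111122223333/us-east-1": 6_000,
                            "444455556666/us-east-1": 6_000})
    print("12,000 GB in one account/region:", single["total"])
    print("same volume split across two accounts:", split["total"])
```

Running the script shows the per-account/region effect: 12,000 GB in one account/region costs $9,000, while 6,000 GB in each of two accounts costs $13,000, because neither account reaches the $0.50 or $0.25 tiers.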

Q3: What are the Pros and Cons of Amazon Detective?

  1. Pros:
    1. Full Visibility: Detailed visibility into activity logs and security findings with AWS.
    2. Ease of Use: User-friendly, yet with advanced data visualization features.
    3. Seamless AWS Ecosystem Integration: Works with the other AWS security services for a holistic security posture.
    4. Security Hub Integration: It can be integrated with AWS Security Hub, which aggregates and prioritizes findings and so makes incident response more effective.
  2. Cons:
    1. Cost: It can be costly for environments with large volumes of data under observation.
    2. AWS-Specific: It is designed for AWS environments and cannot be used on non-AWS infrastructure.

Q4: How Can I Turn On Amazon Detective?

    1. Go to the AWS Management Console.
    2. Search for and open Amazon Detective.
    3. Turn Amazon Detective on and follow the setup wizard for your AWS account. Make sure the required IAM policy is attached to the administrator accounts.

For illustration, see the attached picture below:

Q5: What data sources are needed to utilize the full features of Amazon Detective?

Confirm that AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty are enabled and properly configured to deliver data to Amazon Detective.

Q6: How Do I Start Investigations?

Use the Amazon Detective console to start investigations, as shown in the screenshot below. It provides visualizations and detailed data for investigating and understanding security events.
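To make the relationship graph from Q1 and the investigation workflow from Q6 concrete, here is an added Python illustration (not Detective's own code or data model) of the pivoting an analyst performs: it builds a small behaviour graph from constructed CloudTrail and VPC Flow Log records, starts at the principal named in a constructed GuardDuty-style finding, and expands outward a fixed number of hops to collect the related entities and the time-ordered records that connect them. Every record, entity name and field name below is constructed and simplified.

```python
"""Toy behaviour graph to illustrate the pivoting that Amazon Detective
performs when you start an investigation.

Added example; this is not Detective's code or data model. All records
below are constructed, and the field names are simplified stand-ins for
the real CloudTrail, VPC Flow Log and GuardDuty schemas.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Record = Dict[str, str]
Graph = Dict[str, List[Tuple[str, str]]]  # entity -> [(neighbour, evidence label)]

# Constructed CloudTrail-style events (not real logs).
CLOUDTRAIL: List[Record] = [
    {"time": "2024-05-01T10:00:00Z", "user": "alice", "event": "ConsoleLogin",
     "source_ip": "198.51.100.7", "resource": ""},
    {"time": "2024-05-01T10:05:00Z", "user": "alice", "event": "RunInstances",
     "source_ip": "198.51.100.7", "resource": "i-0abc"},
    {"time": "2024-05-01T09:00:00Z", "user": "bob", "event": "GetObject",
     "source_ip": "203.0.113.9", "resource": "bucket-x"},
]
# Constructed VPC Flow Log-style records (not real logs).
VPC_FLOW: List[Record] = [
    {"time": "2024-05-01T10:20:00Z", "instance": "i-0abc",
     "dst_ip": "192.0.2.50", "dst_port": "443", "bytes": "8000000"},
    {"time": "2024-05-01T10:21:00Z", "instance": "i-0def",
     "dst_ip": "192.0.2.1", "dst_port": "443", "bytes": "2000"},
]
# Constructed GuardDuty-style finding naming the principal to start from.
FINDING: Record = {"id": "finding-0001 (constructed)", "user": "alice",
                   "time": "2024-05-01T10:05:00Z"}


def build_graph(cloudtrail: List[Record], vpc_flow: List[Record]) -> Graph:
    """Link each entity (user, IP, resource) to the entities it appears with.

    Edges are undirected and carry a time-stamped label describing the record
    that created them, so the graph doubles as an evidence index.
    """
    graph: Graph = defaultdict(list)

    def link(a: str, b: str, label: str) -> None:
        graph[a].append((b, label))
        graph[b].append((a, label))

    for r in cloudtrail:
        user, label = f"user:{r['user']}", f"{r['time']} {r['event']}"
        link(user, f"ip:{r['source_ip']}", label)
        if r["resource"]:
            link(user, f"resource:{r['resource']}", label)
    for r in vpc_flow:
        link(f"resource:{r['instance']}", f"ip:{r['dst_ip']}",
             f"{r['time']} flow to port {r['dst_port']} ({r['bytes']} bytes)")
    return graph


def pivot(graph: Graph, start: str, max_hops: int = 2) -> Dict[str, int]:
    """Breadth-first expansion from one entity: entity -> hop distance."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for neighbour, _ in graph.get(node, []):
            if neighbour not in seen:
                seen[neighbour] = seen[node] + 1
                queue.append(neighbour)
    return seen


def investigate(finding: Record, graph: Graph,
                max_hops: int = 2) -> Tuple[Dict[str, int], List[str]]:
    """Scope a finding: entities within `max_hops` of its principal, plus a
    time-ordered list of the records that connect them."""
    scope = pivot(graph, f"user:{finding['user']}", max_hops)
    # Labels start with an ISO-8601 timestamp, so sorting yields a timeline.
    evidence = sorted({label for node in scope
                       for neighbour, label in graph.get(node, [])
                       if neighbour in scope})
    return scope, evidence


if __name__ == "__main__":
    graph = build_graph(CLOUDTRAIL, VPC_FLOW)
    scope, evidence = investigate(FINDING, graph)
    for entity, hops in sorted(scope.items(), key=lambda kv: kv[1]):
        print(f"{hops} hop(s): {entity}")
    print("evidence timeline:", *evidence, sep="\n  ")
```

Starting from alice, two hops reach her source IP, the instance she launched, and the destination that instance then talked to, while bob and his bucket stay out of scope because nothing links them; the hop limit is what keeps an investigation focused instead of pulling in the whole account.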

Q7: Does Amazon Detective support on-premises infrastructure?

Amazon Detective operates within an AWS environment. It does not directly support on-premises infrastructure, but you can use it in hybrid architectures by ensuring the relevant data is available within your AWS environment.

Q8: Do I Need to Install Any Agents to Use Amazon Detective?

Amazon Detective does not require agents on your resources. It uses existing AWS services (CloudTrail, VPC Flow Logs, and GuardDuty) to collect and analyze data, which makes deployment easy with minimal overhead.

Final Thoughts

Amazon Detective is one of AWS's security investigation services. It automates data collection and produces visualizations with interactive investigation capabilities. Integrated with the other AWS security services, it gives an organization a robust security framework for identifying, investigating, and mitigating threats effectively. Although it is designed for AWS environments, its features and integrations make it a valuable component of a secure cloud infrastructure.