Introducing Amazon Detective

Derek Wicks 30th December 2020

I recently attended (in a virtual sense) the AWS re:Invent conference and saw an interesting talk on Amazon Detective. The talk was by Keith Gilbert, a Senior Security Engineer at Amazon.

It is a powerful new item in AWS’s suite of tools for helping to ensure the security of your AWS infrastructure.

It is primarily focused on helping to investigate any breaches of security in order to figure out which route the attacker used to get into the infrastructure and what they were able to access.

Amazon Detective collects and analyses data from CloudTrail, VPC flow logs and GuardDuty.

As a quick aside, Amazon GuardDuty is a threat detection service that raises events on potentially suspicious activity.

Common questions that can be answered easily with Amazon Detective are:

· Has this IP address ever communicated with any of my infrastructure?

· When?

· How much data was exchanged?

· What users or identities did this IP address log in as?

· What roles did this user assume?

· What users assumed this role?

· What did user X do while assuming role Y?

· Were user X's requests to do something successful or not?

Hopefully you can see how answering the above questions can go a long way to figuring out what the attacker did while within the AWS infrastructure.
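To make the questions above concrete, here is an added example (not code from the post or from Amazon Detective) that answers the IP-centric ones by hand from the same raw sources Detective ingests: a few constructed VPC flow log records and constructed CloudTrail events for a single source address. The account id, ENI, ARNs and addresses are all made up.

```python
from datetime import datetime, timezone
# Constructed VPC flow log records, default version-2 field order: version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 50122 22 6 8 640 1609286400 1609286460 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 50123 22 6 120 14400 1609287000 1609287060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.9 22 50123 6 90 52000 1609287000 1609287060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.20 41000 443 6 10 800 1609290000 1609290060 ACCEPT OK
"""
# Constructed CloudTrail events (only the fields used here) from the same window.
TRAIL_EVENTS = [
    {"eventTime": "2020-12-30T00:10:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Admin"}},
    {"eventTime": "2020-12-30T00:12:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"}},
]

def _utc(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).isoformat()

def ip_activity(ip, flow_text=FLOW_LOG, events=TRAIL_EVENTS):
    """Did `ip` talk to us, when, how much data, as whom, and did its API calls succeed?"""
    first = last = None
    accepted_bytes = rejected = 0
    for line in flow_text.splitlines():
        f = line.split()
        if ip not in (f[3], f[4]):          # srcaddr / dstaddr
            continue
        start, end = int(f[10]), int(f[11])
        first = start if first is None else min(first, start)
        last = end if last is None else max(last, end)
        if f[12] == "ACCEPT":               # only accepted flows carried data
            accepted_bytes += int(f[9])
        else:
            rejected += 1                   # e.g. the blocked attempts of an SSH brute force
    from_ip = [e for e in events if e["sourceIPAddress"] == ip]
    return {
        "seen": first is not None,
        "window": (_utc(first), _utc(last)) if first is not None else None,
        "bytes_exchanged": accepted_bytes,
        "rejected_flows": rejected,
        "identities": sorted({e["userIdentity"]["arn"] for e in from_ip}),
        "roles_assumed": sorted({e["requestParameters"]["roleArn"] for e in from_ip if e["eventName"] == "AssumeRole"}),
        "failed_calls": [e["eventName"] for e in from_ip if "errorCode" in e],
    }
```

Detective builds this kind of pivot (IP to identity to role to API outcome) across all your accounts automatically; the point of the hand-rolled version is to show which fields of which source answer which question.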

When examining Detective pages in AWS, you can easily see the associated events for that entity. This allows your investigation to pivot rapidly if any events are of interest (e.g. a GuardDuty event detecting an SSH brute force on an EC2 instance).

This is particularly useful when the event of interest occurred outside your current investigation time window for the attack, as it allows the potential time window of the attack to be expanded and investigated appropriately.

Not only do I see Amazon Detective being an invaluable tool for investigating any potential or confirmed attack on your AWS infrastructure, it gives you the transparency you need to take actions for preventing any such attacks happening again in the future. The data gathered in an investigation should also allow you to provide detailed assessments to affected customers, helpful for any Data Protection investigation that may follow a confirmed breach.

Discover more about Amazon Detective and its use cases here.


More about the author:

Derek Wicks

Developer at ECS Ltd
