Investigating IAM Activity with Amazon Detective: A Deep Dive into Pricing, Use Cases, and AWS Integrations

As organizations increase their use of AWS services, managing security incidents and access control becomes imperative. AWS Identity and Access Management (IAM) ensures that users and roles can access only the AWS resources they are permitted to access. Still, investigating abnormalities or security events that involve IAM brings its own challenges. This need for investigative tooling is addressed by Amazon Detective, which analyzes and visualizes log data and helps security teams understand why a security event occurred and how it was triggered.

What is Amazon Detective?

Amazon Detective automatically collects log data from services such as AWS CloudTrail, Amazon VPC Flow Logs, and Amazon GuardDuty. Using machine learning and graph analysis, it shows how AWS resources and users are related, which lets security teams investigate outliers and carry out forensic analysis effectively.

Pricing for Amazon Detective Data

Amazon Detective uses a pricing model based on the volume of data ingested for analysis, which allows organizations to scale their investigations cost-effectively. The pricing model has two main components:

Data Ingestion Costs – Detective charges only for the volume of data ingested from sources such as AWS CloudTrail logs, VPC Flow Logs, and GuardDuty findings, among others. These logs are ingested into Detective automatically for processing.

Data Retention – Amazon Detective retains ingested data for up to 1 year without extra storage charges. Even so, because investigations draw on that retained data, the amount of data you keep has a significant influence when assessing long-term cost.

Latest Pricing:

$2.00 per gigabyte ingested per month.
To illustrate, if you produce 50GB of log data across CloudTrail, VPC Flow Logs, and GuardDuty, the charge amounts to:

50GB * $2.00 = $100 per month in total.
Free Trial: Amazon Detective offers a 30-day free trial covering all features and data sources, so you can measure exactly how much data you ingest, and therefore what you will pay, before charges begin.

Connecting Various AWS Services With Amazon Detective

What makes Amazon Detective stand out is its compatibility with the other AWS security services, which deepens the insight it provides into security events. Here is how it works with some of them:

1 Amazon GuardDuty
Amazon GuardDuty is a service that continuously protects AWS accounts and workloads from malicious activity. Detective integrates with GuardDuty findings and lets you investigate the alerts in more detail. For example, when GuardDuty detects a possible threat such as misuse of IAM credentials, you can move into Detective to investigate the pertinent CloudTrail events.

Use Case: Account Hijacking. When GuardDuty identifies suspicious logins under an IAM user context, you can map out the entire span of that user's activity in Detective to see which resources they accessed, whether they engaged in other suspicious behavior, and whether they attempted privilege escalation. This enables quick measures such as revoking credentials or modifying access rights.

2 AWS Security Hub
AWS Security Hub brings together security alerts and findings from multiple services. Security Hub integrates with Detective, so a finding surfaced in Security Hub can be investigated directly in Detective. From the Security Hub console, a user can pivot to the related entity in Detective and investigate further by looking at activity graphs, API calls, and user activity, among other things.

Use Case: Security Hub Findings Analysis. When Security Hub raises a finding about an IAM user with elevated permissions attempting to access a sensitive S3 bucket, you can analyze the API calls made by that user and map their access activity to establish whether it was legitimate or malicious.

3 AWS CloudTrail
Every action performed by IAM users, roles, and services within your AWS account is captured and stored by CloudTrail. Amazon Detective automatically ingests CloudTrail, allowing you to track API calls, login activity, and IAM policy modification history over time through a visual representation.
Use Case: Tracing Back Unapproved API Calls with CloudTrail. While observing the activity of an IAM user, if suspicious API calls target a restricted resource, Detective visualizes these logs alongside the user's other activity so you can trace the source of the problem and correct it as soon as possible.

Amazon Detective in IAM Investigations – Real-Life Use Cases

Below are some scenarios in which Amazon Detective is critical for security and incident response teams:

Scenario 1: Detecting Privileged Account Abuse
Let's assume for this example that GuardDuty issues an alert stating that an IAM user is trying to elevate their privileges by adding themselves to a role that carries administrator privileges. Amazon Detective adds context to this finding in the following ways:

Monitor the API activity associated with the corresponding IAM identity.
Understand the timeline associated with the escalation.
Ascertain if the action was legitimate or if it had malicious intent.

Scenario 2: Investigating Unauthorised Access to an S3 Bucket
When Security Hub flags an IAM role as having unexpected access to sensitive S3 buckets, Detective assists you with:

Understanding and visualizing the API calls executed by the role.
Analyzing the role's past activity and checking whether such access is normal for it.
Showing the relationships between this IAM role and other resources in order to understand the scope of the problem.

Scenario 3: Abnormal CloudTrail Events for an IAM User
When an IAM user is seen generating an unusual pattern or volume of CloudTrail events, Detective lets you examine:

The chain of API requests performed by the user.
Any GuardDuty findings related to these actions.
Network traffic patterns associated with the user's activity, drawn from VPC Flow Logs.
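The integration section and the three scenarios above all reduce to the same analyst questions about one IAM identity: what did it call, in what order, from where, did any of those calls raise its own privileges, and what is new compared with its history. The script below is an added example, not code from the original article and not part of Amazon Detective; it answers those questions over a handful of constructed CloudTrail records embedded inline (the user names, IP addresses and bucket names are made up). The list of IAM write actions it treats as escalation-relevant uses real IAM API names, while `BASELINE_END` and the sample events are assumptions for the demonstration.

```python
"""Triage of CloudTrail records for one IAM identity: timeline, escalation
actions, deviation from a baseline window, and identity->resource edges.
Added example; constructed data, not a real account's logs."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample CloudTrail records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2024-04-10T08:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {}, "resources": []},
    {"eventTime": "2024-04-12T10:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "team-data", "key": "notes.txt"},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::team-data/notes.txt"}]},
    {"eventTime": "2024-05-01T02:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": None, "resources": []},
    {"eventTime": "2024-05-01T02:03:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"userName": "alice", "groupName": "Administrators"}, "resources": []},
    {"eventTime": "2024-05-01T02:04:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"userName": "alice", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "resources": []},
    {"eventTime": "2024-05-01T02:10:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"bucketName": "finance-secrets", "key": "q2.csv"},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::finance-secrets/q2.csv"}]},
    {"eventTime": "2024-05-01T02:12:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.20",
     "requestParameters": {"bucketName": "team-data", "key": "notes.txt"},
     "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::team-data/notes.txt"}]},
]

# Activity before this instant is treated as the identity's known-good baseline (assumed value).
BASELINE_END = datetime(2024, 4, 30, tzinfo=timezone.utc)

# IAM write actions that commonly appear in privilege-escalation paths (real IAM API names).
ESCALATION_ACTIONS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "PutUserPolicy",
                      "PutRolePolicy", "AddUserToGroup", "CreateAccessKey", "CreateLoginProfile",
                      "UpdateAssumeRolePolicy", "UpdateLoginProfile"}


def identity_of(event):
    """IAM user name, or for an assumed role the issuing role's name."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName")
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def parse_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resource_arns(event):
    return [r["ARN"] for r in (event.get("resources") or []) if "ARN" in r]


def timeline(events, identity):
    """Scenarios 1 and 3: the ordered chain of calls one identity made, with source IP and resources."""
    own = sorted((e for e in events if identity_of(e) == identity), key=parse_time)
    return [(parse_time(e), e["eventName"], e["sourceIPAddress"], resource_arns(e)) for e in own]


def flag_escalation(events, identity):
    """Scenario 1: IAM write calls by the identity that could raise its own privileges."""
    flagged = []
    for e in sorted((e for e in events if identity_of(e) == identity), key=parse_time):
        if e["eventName"] not in ESCALATION_ACTIONS:
            continue
        params = e.get("requestParameters") or {}
        flagged.append({"eventName": e["eventName"], "time": e["eventTime"],
                        "selfTargeted": params.get("userName") == identity,
                        "adminPolicy": "AdministratorAccess" in str(params.get("policyArn", ""))})
    return flagged


def baseline_deviation(events, identity, baseline_end):
    """Scenarios 2 and 3: (action, resource) pairs and source IPs first seen after the baseline window."""
    before, after, ips_before, ips_after = set(), set(), set(), set()
    for e in events:
        if identity_of(e) != identity:
            continue
        pairs = {(e["eventName"], arn) for arn in resource_arns(e)} or {(e["eventName"], None)}
        if parse_time(e) < baseline_end:
            before |= pairs
            ips_before.add(e["sourceIPAddress"])
        else:
            after |= pairs
            ips_after.add(e["sourceIPAddress"])
    return {"new_pairs": after - before, "new_ips": ips_after - ips_before}


def relationship_edges(events):
    """Activity-graph style edges (identity, action, resource ARN or None) with call counts."""
    edges = defaultdict(int)
    for e in events:
        for arn in resource_arns(e) or [None]:
            edges[(identity_of(e), e["eventName"], arn)] += 1
    return dict(edges)


if __name__ == "__main__":
    for row in timeline(SAMPLE_EVENTS, "alice"):
        print(row)
    print("escalation:", flag_escalation(SAMPLE_EVENTS, "alice"))
    print("deviation:", baseline_deviation(SAMPLE_EVENTS, "alice", BASELINE_END))
```

On the constructed data the timeline shows the two early calls from the usual address followed by a login from a new address, a self-targeted `AddUserToGroup` and an `AttachUserPolicy` carrying the AdministratorAccess policy, and then a read of a bucket the user had never touched. That is the same pivot the article describes (GuardDuty or Security Hub finding, then the identity's CloudTrail activity), done here over a local list so the logic can be read end to end; in practice the records would come from the CloudTrail data Detective already ingests.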

Enhancing Security through Amazon Detective's Advanced Functionalities

Amazon Detective's advanced features for IAM investigation make it easier for security personnel to respond to complex security situations. The major advantages are:

Effortless Data Collection: Detective pulls the necessary data from AWS services automatically and presents all of the relevant activity.
Pattern Recognition: Machine learning is used to establish what normal behavior looks like and to identify IAM abuse that departs from it.
Rich Analysis: Activity graphs illustrate the connections between IAM users, roles, and resources.
Enhanced Investigation: Integration with GuardDuty, Security Hub, and CloudTrail enriches each investigation.
Affordable: Effective across environments of different sizes, because you pay only for the data ingested.

Conclusion

Amazon Detective is one of the most useful tools for security incidents involving identity and access management in AWS. It strengthens the security of AWS accounts by helping teams understand suspicious activity. Combined with GuardDuty, Security Hub, CloudTrail, and VPC Flow Logs, Amazon Detective enables timely investigation of security incidents so that corrective measures can be taken.

One of the benefits of using Amazon Detective in security operations is the ability to get ahead of threats to AWS accounts and limit their impact, helping to maintain security across those accounts at all times.