AWS is trusted by millions of customers, from small businesses to large enterprises and government agencies, to provide robust infrastructure and agility at lower cost. Organizations often struggle to understand how to protect and secure their data and clients, given the complexity of today’s data.
Amazon GuardDuty and Amazon Macie are security services that identify security issues and help you troubleshoot them. A security issue rarely has a single cause, so you will need to dig deeper to determine the root cause and fix it. The first step in determining the root cause is to collect and combine log data from various sources. The security analyst must then make a call and begin the investigation.
Amazon Detective is a service that simplifies all of these steps by letting your security teams quickly and easily identify the root cause of suspicious activity.
It gathers log data from the following services:
Amazon Virtual Private Cloud (VPC) Flow Logs: the built-in VPC capability to capture data about network traffic flowing into and out of the VPC’s network resources.
AWS CloudTrail: CloudTrail is listed under “Management & Governance” in the console. Account owners can inspect every API call made to resources in the account, and those calls can be written to logs.
Amazon GuardDuty: an AWS-managed cloud security monitoring service that detects threats and their behaviour.
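As an added illustration of the “collect and combine log data” step, not Detective’s own code or data model, the following Python builds a toy behavior graph from constructed samples of the three sources above and pivots outward from a GuardDuty finding, the way an analyst triages in Detective. The record layouts (VPC flow log default format, a trimmed CloudTrail event, a trimmed GuardDuty finding) are simplified assumptions.

```python
from collections import defaultdict
# Constructed sample records (not real AWS data): two VPC flow log lines in the
# default v2 format, two CloudTrail events and one GuardDuty finding.
VPC_FLOW_LOGS = [
    "2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44321 22 6 20 1200 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d 10.0.1.25 203.0.113.9 52000 443 6 10 800 1700000100 1700000160 ACCEPT OK",
]
CLOUDTRAIL_EVENTS = [
    {"eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "deploy-user"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "192.0.2.4",
     "userIdentity": {"userName": "alice"}},
]
GUARDDUTY_FINDINGS = [
    {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "remoteIp": "198.51.100.7",
     "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
]
# Field order of the default VPC flow log record format.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

def parse_flow_log(line):
    """Parse one default-format VPC flow log record into a dict."""
    return dict(zip(FLOW_FIELDS, line.split()))

def build_behavior_graph(flow_lines, trail_events, findings):
    """Link IPs, network interfaces, IAM users, API calls, instances and findings."""
    graph = defaultdict(set)
    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)
    for rec in map(parse_flow_log, flow_lines):
        link("ip:" + rec["srcaddr"], "eni:" + rec["interface_id"])
        link("ip:" + rec["dstaddr"], "eni:" + rec["interface_id"])
    for ev in trail_events:
        user = "user:" + ev["userIdentity"]["userName"]
        link("ip:" + ev["sourceIPAddress"], user)
        link(user, "api:" + ev["eventName"])
    for f in findings:
        node = "finding:" + f["type"]
        link("ip:" + f["remoteIp"], node)
        link(node, "instance:" + f["resource"]["instanceDetails"]["instanceId"])
    return graph

def pivot(graph, entity, depth=2):
    """Return every entity within `depth` hops of the start node (the triage pivot)."""
    seen, frontier = {entity}, {entity}
    for _ in range(depth):
        frontier = {n for cur in frontier for n in graph[cur]} - seen
        seen |= frontier
    return seen
```

Pivoting two hops from the SSH brute-force finding surfaces the remote IP, the targeted instance, the network interface that accepted the traffic, and the IAM user whose API calls came from the same IP, which is the cross-source view the analyst needs before deciding whether the finding is a true positive.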
How do I enable AWS Detective?
Log in to the Management Console and navigate to the Detective console.
Click Get started.
Check out the Enable Detective page for more information.
There is a master account and one or more member accounts. The master account is linked with GuardDuty and Security Hub, and it can invite other accounts to join its behavior graph as member accounts.
One master account per region is used for a single behavior graph. The same master account can also be used in other regions.
Attach the IAM policy that allows enabling Detective and managing a behavior graph.
After activating Detective, you can add the member accounts to your behavior graph.
How does it work?
Source: aws.amazon.com
You must enable the Detective feature in the AWS Management Console. AWS currently makes it unavailable in five regions: US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Tokyo) and Europe (Ireland).
Detective automatically collects events such as login attempts, API calls, and network traffic from VPC flow logs. If the customer has enabled GuardDuty, none of its findings are discarded.
It uses machine learning and visualization for an interactive and integrated view of your resource behavior over time.
It quickly investigates activities that deviate from the norm and identifies patterns that indicate security problems. Some security issues require further investigation to determine the impact of malicious activity. If you find this type of problem in Amazon GuardDuty, you can then go to Detective to quickly identify the root cause.
These are the phases of the investigation flow:
Source: aws.amazon.com
Phase 1: While reviewing GuardDuty’s findings, an analyst can select findings to investigate in Detective from GuardDuty and Security Hub. The Detective search function also lets the analyst choose a finding to triage from within Detective.
Phase 2: The finding profiles include a set of visualizations derived from the behavior graph. The behavior graph is generated from the logs collected by Detective and any other data it has consumed.
Phase 3: Once the issue has been identified and determined, regardless of whether it is a true positive or false negative, the analyst can then up