
AWS Announces the General Availability of New Security Service: Amazon Detective


Recently, Amazon announced the general availability of Amazon Detective. This new AWS security service lets customers analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.

At re:Invent last year, Amazon released a preview of Amazon Detective, and the service is now generally available. Customers can use it to investigate security issues across their AWS workloads. Dan Plastina, vice president of security services at AWS, explained in a press release why Amazon released the service:

Gathering the information necessary to conduct effective security investigations has traditionally been a burdensome process, which can put crucial in-depth analysis out of reach for smaller organizations and strain resources for larger teams. Amazon Detective takes all of that extra work off of the customer's plate, allowing them to focus on finding the root cause of an issue and ensuring it doesn't happen again.

When customers enable Amazon Detective, the service automatically starts collecting log data from AWS sources such as Amazon GuardDuty, AWS CloudTrail, and Amazon Virtual Private Cloud. It then uses machine learning, statistical analysis, and graph theory to build interactive visualizations that allow customers to investigate quickly. Sébastien Stormacq, a principal developer advocate at Amazon, explains Amazon Detective in his blog post:

Amazon Detective uses machine learning models to produce graphical representations of your account behavior and helps you to answer questions such as "is this an unusual API call for this role?" or "is this spike in traffic from this instance expected?"

[Image: Amazon Detective overview. Source: https://aws.amazon.com/detective/]

With Amazon Detective, there are no agents, sensors, or additional software to deploy. The service collects the existing logs directly from AWS without touching the customer's infrastructure, so it has no impact on workload performance. Furthermore, Amazon Detective works across all AWS accounts of an enterprise: it is a multi-account solution that aggregates data and findings from up to 1000 AWS accounts into a single security-owned "master" account, making it easy to view behavioral patterns and connections across the enterprise's entire AWS environment.
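The multi-account model described above, as an added example that is not code from the article or from AWS: run from the security-owned "master" account, it enrolls member accounts into the account's Detective behavior graph through the boto3 `detective` client and reports which members are not yet contributing data. Assumptions: boto3 is installed, the caller holds Detective administrator permissions, and the `client` parameter may be any object with the same method names (so a stub can stand in offline).

```python
"""Enroll member accounts into an Amazon Detective behavior graph and
report their enrollment status (added example, not AWS-provided code)."""

MAX_MEMBER_ACCOUNTS = 1000   # aggregation limit stated in the announcement
CREATE_MEMBERS_BATCH = 50    # assumption: CreateMembers caps the Accounts list per call


def get_or_create_graph(client):
    """Return the ARN of this account's behavior graph, creating one if none exists."""
    graphs = client.list_graphs().get("GraphList", [])
    if graphs:
        return graphs[0]["Arn"]
    return client.create_graph()["GraphArn"]


def invite_members(client, graph_arn, accounts):
    """Invite member accounts ({"AccountId": ..., "EmailAddress": ...}) to the graph.

    Returns (invited_ids, unprocessed) so the caller can retry the accounts
    the API could not process instead of silently losing visibility of them.
    """
    if len(accounts) > MAX_MEMBER_ACCOUNTS:
        raise ValueError("a behavior graph aggregates at most %d member accounts" % MAX_MEMBER_ACCOUNTS)
    invited, unprocessed = [], []
    for i in range(0, len(accounts), CREATE_MEMBERS_BATCH):
        resp = client.create_members(GraphArn=graph_arn, Accounts=accounts[i:i + CREATE_MEMBERS_BATCH])
        invited.extend(m["AccountId"] for m in resp.get("Members", []))
        unprocessed.extend(resp.get("UnprocessedAccounts", []))
    return invited, unprocessed


def member_status_report(client, graph_arn):
    """Group member account IDs by Detective status, following pagination.

    Only members with Status "ENABLED" feed data into the graph; anything
    else (e.g. "INVITED") is a coverage gap the security team should chase.
    """
    report = {}
    token = None
    while True:
        kwargs = {"GraphArn": graph_arn}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_members(**kwargs)
        for member in resp.get("MemberDetails", []):
            report.setdefault(member["Status"], []).append(member["AccountId"])
        token = resp.get("NextToken")
        if not token:
            return report


if __name__ == "__main__":
    import boto3  # real client; region and credentials come from the environment
    det = boto3.client("detective")
    print(member_status_report(det, get_or_create_graph(det)))
```

Against a real account the `__main__` block prints a dictionary keyed by member status; a non-empty list under anything other than `ENABLED` means those accounts are not yet visible in the graph.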

Amazon Detective is the latest addition to the cloud vendor's existing set of security services, which includes Amazon Inspector, GuardDuty, Security Hub, and Macie. Ian McKay, DevOps lead at Kablamo, stated in his recent blog post on Amazon Detective:

Amazon Detective is a powerful new service to make incident investigations easier to conduct with its data aggregation features. Though in its preliminary stages, it will likely become an essential part of a security team's toolset alongside Security Hub, Guard Duty and others.

Currently, Amazon Detective is available in 14 commercial regions, with more coming soon. There are no additional charges or upfront commitments required to use Amazon Detective; customers pay only for the data ingested from AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty findings. More pricing details are available on the pricing page.
