5.2.4. Amazon Detective (Security Investigation)
First Principle: Amazon Detective simplifies and accelerates security investigations by automatically collecting and analyzing security data from various sources to build a unified, interactive graph model, revealing root causes and anomalous activity.
When a security incident occurs, investigators need to quickly understand the scope of the compromise, identify the root cause, and determine the affected resources and entities. Doing this by hand across disparate logs (API history, network flows, threat findings) is slow and error-prone, because each entity has to be correlated across sources manually.
Amazon Detective is a fully managed service that helps security analysts conduct faster and more efficient security investigations. It automatically collects security-related log data from various AWS sources and uses machine learning, statistical analysis, and graph theory to build a linked set of data for analysis.
Key Features of Amazon Detective:
- Automated Data Collection: Continuously collects security-related log data from:
  - AWS CloudTrail: API calls and resource changes.
  - VPC Flow Logs: IP traffic.
  - Amazon GuardDuty findings: Threat detection findings.
- Unified Graph Model: Automatically builds a graph database of your AWS accounts, users, roles, and resources, showing their interactions over time.
- Guided Investigations: Provides interactive visualizations and pre-built queries to investigate specific GuardDuty findings or other security events. You can explore activities related to an IAM principal, EC2 instance, or IP address.
- Anomaly Detection: Highlights anomalous behavior (e.g., unusual API calls, unexpected traffic patterns) compared to baselines.
- Fully Managed: No servers to provision or manage.
- Use Cases: Root cause analysis for security incidents, identifying compromised resources, understanding attacker activity, compliance auditing.
Scenario: A security team receives an Amazon GuardDuty finding indicating a potentially compromised EC2 instance. They need to quickly investigate the scope of the compromise, including all API calls made by the instance, its network connections, and any related suspicious activities.
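The scenario above, worked through as an added example (this is not Amazon Detective's code or data model): a toy linked graph is built from constructed CloudTrail events, VPC Flow Log lines and one finding, then pivoted on the suspect instance to list what it was flagged for, which role it used, which API calls it made and which remote endpoints it talked to. The account id, instance ids, role name, ENI mapping, finding type and IP addresses are all constructed placeholders.

```python
from collections import defaultdict

# Constructed sample telemetry; account id, instance ids, role, ENIs and IPs are placeholders.
CLOUDTRAIL = [
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc123"}},
    {"eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc123"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]
# VPC Flow Log default (v2) field order; only interface-id, dstaddr and dstport are used here.
FLOW_LOGS = [
    "2 111122223333 eni-0aaa 10.0.1.5 198.51.100.99 44321 4444 6 30 2400 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0aaa 10.0.1.5 10.0.2.9 51000 443 6 12 900 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0bbb 10.0.3.7 10.0.2.9 51001 443 6 5 400 1700000000 1700000060 ACCEPT OK",
]
ENI_TO_INSTANCE = {"eni-0aaa": "i-0abc123", "eni-0bbb": "i-0def456"}  # constructed ENI -> instance map
FINDINGS = [{"type": "EXAMPLE:EC2/SuspiciousOutbound", "resource": "i-0abc123"}]  # placeholder finding


def build_graph():
    """Link every entity to the others it interacted with: node -> set of (relation, node)."""
    g = defaultdict(set)

    def link(a, rel, b):
        g[a].add((rel, b))
        g[b].add(("inverse:" + rel, a))

    for ev in CLOUDTRAIL:
        principal = ev["userIdentity"]["arn"].split(":")[-1]  # e.g. assumed-role/WebRole/i-0abc123
        if principal.startswith("assumed-role/"):
            # Instance-profile credentials use the instance id as the role session name,
            # which is what lets API calls be attributed back to the EC2 instance.
            _, role, session = principal.split("/")
            link(session, "assumed", "role/" + role)
            principal = session
        link(principal, "called", ev["eventName"])
        link(ev["sourceIPAddress"], "sent", ev["eventName"])
    for line in FLOW_LOGS:
        f = line.split()
        instance = ENI_TO_INSTANCE.get(f[2], f[2])  # fall back to the ENI id if unmapped
        link(instance, "talked_to", f"{f[4]}:{f[6]}")
    for fd in FINDINGS:
        link(fd["resource"], "flagged_by", fd["type"])
    return g


def investigate(graph, instance_id):
    """Pivot on one EC2 instance and group its outgoing edges by relation."""
    by_rel = defaultdict(set)
    for rel, node in graph.get(instance_id, set()):
        by_rel[rel].add(node)
    return {rel: sorted(nodes) for rel, nodes in by_rel.items()}
```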
Reflection Question: How does Amazon Detective, by automatically collecting and analyzing security data from various sources (CloudTrail, VPC Flow Logs, GuardDuty) to build a unified, interactive graph model, fundamentally simplify and accelerate security investigations and reveal root causes and anomalous activity?