Amazon Detective

A security service that automates the collection and analysis of log data from AWS resources to investigate security issues.

Vendor: AWS (proprietary, cloud service only)
Category: Threat Detection & Response
Pricing Details: Charges based on the volume of data analyzed, with a tiered pricing model; 30-day free trial available.
Target Audience: AWS users and organizations looking to enhance their security posture.

Amazon Detective addresses the complex challenge of analyzing and investigating security issues within large and distributed AWS environments. It automatically ingests log data from AWS sources, including AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon EKS audit logs, and applies machine learning, statistical analysis, and graph theory to that data to build a comprehensive behavior graph.

The technical architecture of Amazon Detective involves creating a Region-specific behavior graph when enabled, which is continuously updated as new data becomes available. This graph model integrates data from multiple sources, such as AWS accounts, EC2 instances, users, roles, and IP addresses, providing a unified view of interactions and behaviors. The service is accessible via the AWS Management Console, AWS command line tools, and the Amazon Detective REST API, allowing for flexible management and integration with other AWS services.

Operationally, Amazon Detective is Regionally scoped: it must be enabled Region by Region, and its analysis never crosses AWS Regional boundaries. This helps maintain data locality and compliance with regional regulations, but it also means that investigating activity spanning several Regions requires a separate behavior graph, and a separate Detective enablement, in each of those Regions.

Key technical details include the ability to retain up to a year of aggregated data, which is made available through various visualizations that show changes in activity over time. The service charges based on the volume of data analyzed, with a tiered pricing model that helps in forecasting costs. During the initial setup, a 30-day free trial is available, allowing users to experience the full feature set without incurring costs.

In terms of limitations, query performance and data retention costs can become significant as the volume of data and the number of accounts in the behavior graph increase. Additionally, the regional scope of Detective may require additional management overhead for organizations operating across multiple AWS regions.
