AWS Detective is a security service that helps you analyze and visualize your AWS logs and security findings. It allows you to investigate security incidents by gathering data from various AWS services and presenting it in a clear, interactive graph.

Let’s see Detective in action. Imagine you’ve received an alert that an EC2 instance is exhibiting unusual outbound network traffic.

Here’s how you might use Detective to investigate:

First, ensure Detective is enabled for your AWS account and that the services it ingests data from, CloudTrail, VPC Flow Logs, and GuardDuty, are active. If you run an AWS Organization, designate a delegated administrator account from the management account, then create the behavior graph in the region you are investigating; `create-graph` returns the graph ARN that later Detective commands take as `--graph-arn`.

```bash
# Run from the Organizations management account: delegate Detective administration
aws detective enable-organization-admin-account --account-id 111122223333

# Create the behavior graph in the investigation region; the response contains the graph ARN
aws detective create-graph --region us-east-1
```

Once data is flowing, you’d navigate to the AWS Detective console. You’d see a "Graph" view, which is essentially a network diagram showing your AWS resources and their interactions.

In our scenario, you’d search for the EC2 instance ID that triggered the alert. Detective would then highlight this instance and show all its associated network connections, IAM activity, and any GuardDuty findings.

You can then expand the view to see the destination of the outbound traffic. Detective aggregates VPC Flow Logs, making it easy to identify the IP addresses and ports the instance was communicating with. If the destination IP is suspicious, Detective might already flag it based on its threat intelligence feeds.

Next, you’d examine the IAM activity related to this instance. Detective correlates CloudTrail logs, showing what actions were performed by the EC2 instance’s IAM role, or by users/roles accessing the instance. If you see unexpected API calls, like attempts to modify security groups or access sensitive S3 buckets, that’s a major red flag.

GuardDuty findings are integrated directly. If GuardDuty detected something like cryptocurrency mining or communication with a known C&C server, that finding would be prominently displayed alongside the network and IAM data.

Detective also provides a "Behavior" tab for each resource. This shows a timeline of events, helping you pinpoint when the anomalous activity started. You can filter this timeline by event type, such as "Network Outbound," "API Calls," or "Findings."

The real power comes from Detective’s ability to link seemingly unrelated events. You might see an instance making outbound connections to a suspicious IP, and simultaneously observe its IAM role making unusual S3 API calls. Detective’s graph visually connects these, showing a potential compromise where the instance is being used to exfiltrate data or launch further attacks.
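To make the correlation described above concrete, here is an added example (not from the original post, and not Detective's own code) that performs the same pivot on constructed sample records: it merges VPC Flow Logs, CloudTrail events and GuardDuty findings for one instance ID into a single timeline, flags the red flags the walkthrough mentions, and reports when the anomalous activity began. The instance IDs, IPs, bucket name and threat-intel set are all made up.

```python
# Constructed VPC Flow Log records: (timestamp, instance_id, dst_ip, dst_port, bytes)
FLOW_LOGS = [
    ("2024-05-01T10:00:00Z", "i-0abc123", "10.0.0.5", 443, 1200),
    ("2024-05-01T10:02:00Z", "i-0abc123", "198.51.100.7", 4444, 50_000_000),
    ("2024-05-01T10:03:00Z", "i-0def456", "10.0.0.6", 22, 800),
]
# Constructed CloudTrail events made by each instance's role: (timestamp, instance_id, event_name, resource)
CLOUDTRAIL = [
    ("2024-05-01T10:01:00Z", "i-0abc123", "ListBuckets", "*"),
    ("2024-05-01T10:02:30Z", "i-0abc123", "GetObject", "s3://payroll-data/"),
    ("2024-05-01T10:04:00Z", "i-0def456", "DescribeInstances", "*"),
]
# Constructed GuardDuty findings: (timestamp, instance_id, finding_type)
GUARDDUTY = [
    ("2024-05-01T10:02:10Z", "i-0abc123", "Backdoor:EC2/C&CActivity.B!DNS"),
]
THREAT_IPS = {"198.51.100.7"}  # stand-in for a threat-intelligence feed (constructed)


def build_timeline(instance_id):
    """Merge the three sources for one instance into a time-ordered list of (ts, kind, detail)."""
    events = []
    for ts, inst, ip, port, nbytes in FLOW_LOGS:
        if inst == instance_id:
            flag = " [threat-intel match]" if ip in THREAT_IPS else ""
            events.append((ts, "Network Outbound", f"{ip}:{port} {nbytes} bytes{flag}"))
    for ts, inst, name, resource in CLOUDTRAIL:
        if inst == instance_id:
            events.append((ts, "API Call", f"{name} {resource}"))
    for ts, inst, ftype in GUARDDUTY:
        if inst == instance_id:
            events.append((ts, "Finding", ftype))
    return sorted(events)  # ISO-8601 timestamps sort lexically


def _is_anomalous(kind, detail):
    """The three red flags from the walkthrough: bad destination, a finding, sensitive S3 reads."""
    return ((kind == "Network Outbound" and "threat-intel" in detail)
            or kind == "Finding"
            or (kind == "API Call" and detail.startswith("GetObject s3://")))


def indicators(instance_id):
    """Which of the red flags are present for this instance, as a dict of booleans."""
    tl = build_timeline(instance_id)
    return {
        "suspicious_dst": any(k == "Network Outbound" and _is_anomalous(k, d) for _, k, d in tl),
        "finding": any(k == "Finding" for _, k, _d in tl),
        "s3_data_access": any(k == "API Call" and _is_anomalous(k, d) for _, k, d in tl),
    }


def first_anomaly(instance_id):
    """Timestamp at which anomalous activity began, or None if nothing is flagged."""
    return next((ts for ts, k, d in build_timeline(instance_id) if _is_anomalous(k, d)), None)
```

Filtering the timeline by the `kind` field reproduces the per-event-type view the walkthrough describes; the instance with all three indicators set is the one worth escalating.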

What stands out most about AWS Detective is that it doesn’t just show you what happened; it helps you understand why it might have happened by inferring relationships between resources and highlighting deviations from their normal behavior patterns. It’s not just a log viewer; it’s an analysis engine that prioritizes and contextualizes security signals.

The next problem you’ll run into is understanding how to configure custom data sources and alerts within Detective for more advanced threat hunting.
