Amazon Detective introduces IAM Role Session Analysis

Posted on: Sep 17, 2020

Amazon Detective now analyzes IAM role sessions so that you can visualize and understand the actions that users and applications have performed using assumed roles. With this new capability, Detective enables you to answer questions such as “which federated user invoked the APIs associated with a security finding?”, “what API calls did a user make across a chain of role assumptions?”, “what API activity did an EC2 instance perform?” and “which of my users use this cross-account role?”, all without manually analyzing CloudTrail logs. By answering these questions, Detective helps security analysts diagnose issues and understand their root cause.

Once enabled, Detective automatically and cost-effectively processes all VPC flow records and CloudTrail management events from across a customer's enabled accounts, collating the activity performed under an IAM role into role sessions. Each role session ties together the principal assuming the role, the role being assumed, metadata about the session and the API activity performed within it. Principals whose role session activity is tracked include EC2 instances, other roles, IAM users and federated users. Federated users include users who have accessed AWS through AWS Single Sign-On (SSO), AWS IAM, AWS Directory Service or Amazon Cognito (a service that facilitates access through social identity providers), as well as through other SAML 2.0 identity providers.

Analysts can retrieve the details of a role session and view, filter and understand the API activity associated with it. Detective also visualizes how a principal's usage of a role deviates within each role session, allowing analysts to quickly identify new geographies from which access is made or changes in the pattern of API calls. Detective tracks role chaining, i.e., when a role is used to assume a second role, enabling analysts to follow the chain of assumptions and attribute it to the principals involved. Detective retains data for 12 months, allowing you to easily investigate historic activity.
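The collation described above can be illustrated on raw CloudTrail records. The following Python is an added example, not code from AWS or from Detective itself: it rebuilds role sessions from a handful of constructed CloudTrail management events, using the temporary access key returned by `AssumeRole` (in `responseElements.credentials.accessKeyId`) as the join key to the later events made with those credentials (`userIdentity.accessKeyId`), treats an `AssumeRole` whose caller is itself an assumed role as role chaining, and answers the announcement's questions: who sits at the root of a chain, which principals use a given cross-account role, and whether activity in a session came from an address other than the one the role was assumed from. The field layout follows the documented CloudTrail record format; the account IDs, ARNs, access key IDs, IP addresses and timestamps are constructed sample values.

```python
"""Rebuild IAM role sessions from CloudTrail records (added example, not Detective's code)."""

# Constructed sample records, reduced to the CloudTrail fields the analysis needs.
SAMPLE_EVENTS = [
    {   # 1. IAM user alice assumes OpsRole in account 111111111111
        "eventTime": "2020-09-17T10:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEALICE",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/OpsRole",
                              "roleSessionName": "alice-ops"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLESESSION1"},
                             "assumedRoleUser": {"arn": "arn:aws:sts::111111111111:assumed-role/OpsRole/alice-ops"}},
    },
    {   # 2. Activity performed with the OpsRole session credentials
        "eventTime": "2020-09-17T10:01:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESESSION1",
                         "arn": "arn:aws:sts::111111111111:assumed-role/OpsRole/alice-ops",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/OpsRole"}}},
    },
    {   # 3. Role chaining: the OpsRole session assumes a cross-account AuditRole
        "eventTime": "2020-09-17T10:05:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESESSION1",
                         "arn": "arn:aws:sts::111111111111:assumed-role/OpsRole/alice-ops",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/OpsRole"}}},
        "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/AuditRole",
                              "roleSessionName": "alice-ops"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLESESSION2"},
                             "assumedRoleUser": {"arn": "arn:aws:sts::222222222222:assumed-role/AuditRole/alice-ops"}},
    },
    {   # 4. Activity in the second account, from an address not used when the chain started
        "eventTime": "2020-09-17T10:06:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketAcl", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESESSION2",
                         "arn": "arn:aws:sts::222222222222:assumed-role/AuditRole/alice-ops",
                         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::222222222222:role/AuditRole"}}},
    },
]


def build_role_sessions(events):
    """Return {session_access_key: session}, each tying the assuming principal,
    the assumed role, session metadata and the API activity made with it."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = ev["userIdentity"]
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "AssumeRole":
            resp = ev.get("responseElements") or {}
            key = resp.get("credentials", {}).get("accessKeyId")
            if key is None:  # denied or failed AssumeRole: no session credentials were issued
                continue
            sessions[key] = {
                "role_arn": ev["requestParameters"]["roleArn"],
                "session_arn": resp["assumedRoleUser"]["arn"],
                "assumed_by": ident["arn"],
                "assumed_by_type": ident["type"],
                # Chaining: the caller's own session key points at the parent session.
                "parent_key": ident["accessKeyId"] if ident["type"] == "AssumedRole" else None,
                "started": ev["eventTime"],
                "assumed_from_ip": ev["sourceIPAddress"],
                "activity": [],
            }
        # Any event made with a known session key (a chained AssumeRole included) is session activity.
        if ident.get("type") == "AssumedRole" and ident.get("accessKeyId") in sessions:
            sessions[ident["accessKeyId"]]["activity"].append(
                (ev["eventTime"], ev["eventSource"], ev["eventName"], ev["sourceIPAddress"]))
    return sessions


def assumption_chain(sessions, key):
    """Follow parent links back to the root principal: [root, role1, role2, ...]."""
    roles = []
    while True:
        s = sessions[key]
        roles.append(s["role_arn"])
        parent = s["parent_key"]
        if parent is None or parent not in sessions:
            # Root principal, or the earliest caller visible in this log window.
            return [s["assumed_by"]] + list(reversed(roles))
        key = parent


def principals_using_role(sessions, role_arn):
    """Root principals behind every session of the given (e.g. cross-account) role."""
    return {assumption_chain(sessions, k)[0] for k, s in sessions.items() if s["role_arn"] == role_arn}


def deviating_source_ips(sessions, key):
    """Source addresses of session activity that differ from the address the role was assumed from."""
    s = sessions[key]
    return {ip for _, _, _, ip in s["activity"] if ip != s["assumed_from_ip"]}


if __name__ == "__main__":
    sess = build_role_sessions(SAMPLE_EVENTS)
    for key, s in sess.items():
        print(key, "->", " -> ".join(assumption_chain(sess, key)))
        print("  activity:", [(t, n) for t, _, n, _ in s["activity"]])
        print("  new source IPs:", deviating_source_ips(sess, key) or "none")
```

Failed `AssumeRole` calls carry no `responseElements.credentials`, so they never create a session; a chain whose first assumption happened before the log window is reported from the earliest caller that is visible, which is the honest answer rather than a guessed root.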

Detective’s new role session analysis capability helps you attribute API calls to specific principals during security investigations and understand how IAM roles are being used across enabled accounts. Instead of exporting, storing, and analyzing CloudTrail activity with custom or third-party tools, let Amazon Detective do the heavy lifting and directly assist you in quickly answering investigative questions. IAM role session analysis is now available in all of Detective’s supported regions and is included at no extra cost.

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues. To get started, enable a 30-day free trial of Amazon Detective with just a few clicks in the AWS Management Console. See the AWS Regions page for all the regions where Detective is available. To learn more, visit the Amazon Detective product page.