Posted On: Nov 26, 2023

Amazon Detective now supports the ability to automatically investigate AWS Identity and Access Management (IAM) entities for indicators of compromise (IoCs). This new capability helps security analysts determine whether IAM entities have potentially been compromised or have been involved in any known tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework.

Detective makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Once enabled, Detective automatically collects log data from AWS resources and uses machine learning, statistical analysis, and graph theory to build interactive visualizations that support faster and more efficient security investigations. You can now use Detective to automatically analyze IAM users and IAM roles and quickly surface potential IoCs and TTPs. Detective also uses machine learning to highlight when the indicators are anomalous and require attention. From the Detective management console or the newly released public APIs, you can investigate IAM resources based on their Amazon Resource Names (ARNs) and obtain a report that lists the IoCs and TTPs for IAM entities involved in anomalous behavior.

There is no additional charge for this new capability, and it’s available today for all existing and new Detective customers. Support for investigating IAM entities is available in all AWS Regions where Detective is enabled, including the AWS GovCloud (US) Regions. Get started with your 30-day free trial of Detective with just a few clicks in the AWS Management Console.

To learn more, see Detective investigations for IAM in the Amazon Detective User Guide.