Q: What is Amazon Detective?
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
Q: What are the key benefits of Amazon Detective?
Amazon Detective simplifies the investigative process and helps security teams conduct faster and more effective investigations. Amazon Detective’s prebuilt data aggregations, summaries, and context help you to quickly analyze and determine the nature and extent of possible security issues. Amazon Detective maintains up to a year of aggregated data and makes it easily available through a set of visualizations that shows changes in the type and volume of activity over a selected time window, and links those changes to security findings. There are no upfront costs and you pay only for the events analyzed, with no additional software to deploy or log feeds to enable.
Q: How much does Amazon Detective cost?
Amazon Detective pricing is based on the volume of data ingested from AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon Elastic Kubernetes Service (Amazon EKS) audit logs, and Amazon GuardDuty findings. You are charged per Gigabyte (GB) ingested per account/region/month. Amazon Detective maintains up to a year of aggregated data for its analysis. Please see the Amazon Detective pricing page for the latest pricing information.
Q: Is there a free trial?
Yes, any new account to Amazon Detective can try the service for 30-days at no cost. You will have access to the full feature set during the free trial.
Q: Is Amazon Detective a regional or global service?
Amazon Detective needs to be enabled on a region by region basis and enables you to quickly analyze activity across all your accounts within each region. This ensures all data analyzed is regionally based and doesn’t cross AWS regional boundaries.
Q: What regions does Amazon Detective support?
The regional availability of Amazon Detective is listed here: AWS Region Table.
Getting started with Amazon Detective
Q: How can I get started with Amazon Detective?
Amazon Detective can be enabled with a few clicks in the AWS Management console. Once enabled Amazon Detective automatically organizes data into a graph model and the model is continuously updated as new data becomes available. You can experience Amazon Detective and begin investigating for potential security issues.
Q: How do I enable Amazon Detective?
You can enable Amazon Detective from within the AWS Management Console or by using the Amazon Detective API. If you are already using the Amazon GuardDuty or AWS Security Hub Consoles, you should enable Amazon Detective with the same account that is the Master account in Amazon GuardDuty or AWS Security Hub to enable the best cross-service experience.
Q: Can I manage multiple accounts with Amazon Detective?
Yes, Amazon Detective is a multi-account service that aggregates data from monitored member accounts under a single master account within the same region. You can configure multi-account monitoring deployments in same way that you configure master and member accounts in Amazon GuardDuty and AWS Security Hub.
Q: What data sources does Amazon Detective analyze?
Amazon Detective enables customers to view summaries and analytical data associated with Amazon Virtual Private Cloud (Amazon VPC) Flow Logs, AWS CloudTrail logs, and Amazon Elastic Kubernetes Service (Amazon EKS) audit logs. For customers that have Amazon GuardDuty enabled, Detective also processes Amazon GuardDuty findings.
Q: Can I use Amazon Detective if I do not have Amazon GuardDuty enabled?
Amazon Detective requires that you have Amazon GuardDuty enabled on your accounts for at least 48 hours before you enable Detective on those accounts. However, you can use Amazon Detective to investigate more than just your Amazon GuardDuty findings. Amazon Detective provides detailed summaries, analysis, and visualizations of the behaviors and interactions amongst your AWS accounts, EC2 instances, AWS users, roles, and IP addresses. This information can be very useful in understanding security issues or operational account activity.
Q: How quickly does Amazon Detective start working?
Amazon Detective starts collecting log data as soon as it is enabled and provides visual summaries and analytics on the ingested data. Amazon Detective also provides comparisons of recent activity against historical baselines which are established after two weeks of account monitoring.
Q: Can I export my raw log data from Amazon Detective?
Amazon Detective analyzes your AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon EKS audit logs but does not make the raw logs available for export. AWS enables you to export these logs through other services.
Q: What data does Amazon Detective store, is it encrypted, and can I control what data sources are enabled?
Amazon Detective conforms to the AWS shared responsibility model, which includes regulations and guidelines for data protection. Once enabled, Amazon Detective will process data from AWS CloudTrail logs, Amazon VPC Flow Logs, Amazon EKS audit logs, and Amazon GuardDuty findings for any accounts where it has been turned on.
Q: Is there a performance or availability risk to my existing AWS workloads by enabling Amazon Detective?
Amazon Detective has no impact on the performance or availability of your AWS infrastructure since Amazon Detective retrieves the log data and findings directly from the AWS services.
Q: How does Amazon Detective differ from Amazon GuardDuty and AWS Security Hub?
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With AWS Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. Amazon Detective simplifies the process of investigating security findings and identifying the root cause. Amazon Detective analyzes trillions of events from multiple data sources such as Amazon VPC Flow Logs, AWS CloudTrail logs, Amazon EKS audit logs, and Amazon GuardDuty findings and automatically creates a graph model that provides you with a unified, interactive view of your resources, users, and the interactions between them over time.
Q: How can I stop Amazon Detective from looking at my logs and data sources?
Amazon Detective enables you to analyze and visualize security data from your AWS CloudTrail logs, Amazon VPC Flow logs, Amazon EKS audit logs, and Amazon GuardDuty findings. To stop Amazon Detective from analyzing these logs and findings for your accounts please disable the service by using the API or from the settings section in the AWS Console for Amazon Detective.
Working in the Amazon Detective console
Q: What guidance does Amazon Detective provide on how to investigate a security issue?
Amazon Detective provides a variety of visualizations that present context and insights about AWS resources such as AWS accounts, EC2 instances, users, roles, IP addresses, and Amazon GuardDuty findings. Each visualization is designed to answer specific questions that may come up as you analyze findings and the related activity. Each visualization provides textual guidance that clearly explains how to interpret the panel and use its information to answer your investigative questions.
Q: How is Amazon Detective integrated with other AWS security services like Amazon GuardDuty and AWS Security Hub?
Amazon Detective supports cross-service user workflows by supporting console integrations with Amazon GuardDuty and AWS Security Hub. These services provide links from within their consoles that redirect you from a selected finding directly to an Amazon Detective page containing a curated set of visualizations for investigating the selected finding. The findings detail page in Amazon Detective is already aligned to the timeframe of the finding and shows relevant data associated with the finding.
Q: How do I integrate Amazon Detective investigation results with remediation and response tools?
Various partner security solution providers have integrated with Amazon Detective to enable investigation steps within their automated playbooks and orchestrations. These products present links from within the response workflows that redirect users to Amazon Detective pages containing visualizations curated for investigating findings and resources identified within the workflow.
Amazon Detective for Amazon Elastic Kubernetes Service (Amazon EKS)
Q: How does Amazon Detective for Amazon EKS audit logs work?
Once enabled, Amazon Detective automatically and continuously analyzes and correlates user, network, and configuration activity across your Amazon EKS workloads. Amazon Detective automatically ingests Amazon EKS audit logs and correlates user activities with AWS CloudTrail Management events and network activity with Amazon VPC Flow logs without the need for you to enable or store these logs manually. The service gleans key security information from these logs and retains them in a security behavioral graph database that enables fast cross-referenced access to twelve months of activity. Amazon Detective provides a data analysis and visualization layer to help you answer common security questions backed by a behavioral graph database that allows you to more quickly investigate potential malicious behavior associated with your Amazon EKS workloads.
Q: Do I need to turn on Amazon EKS audit logging?
No, you do not need to enable or configure Amazon EKS audit logging. You simply need to enable Amazon EKS audit logs as a new data source in the Amazon Detective console or APIs. Amazon Detective's consumption of Amazon EKS audit logs is designed to not affect the performance of your Amazon EKS workloads, as Amazon Detective consumes the audit logs using independent and duplicative audit log streams. In this manner, Amazon Detective's consumption of your Amazon EKS audit logs will not increase your costs for using Amazon EKS.
Q: How am I charged to use Amazon Detective to secure my Amazon EKS Workloads?
Amazon Detective's consumption of Amazon EKS audit logs is priced based on the volume of audit logs processed and analyzed by Amazon Detective. Amazon Detective provides a free 30-day trial to all customers that enable Amazon EKS coverage, allowing customers to ensure that Amazon Detective’s capabilities meet their security needs and to get an estimate of the service’s monthly cost before committing to paid usage.
Q: I’m already using Amazon Detective; how can I turn on Amazon EKS audit logs support on Amazon Detective?
Existing customers that use Amazon Detective will need to turn on Amazon EKS audit logs on the Amazon Detective console for their accounts. Customers can change this selection and enable/disable Amazon EKS audit logs using a single click on the Amazon Detective console.
Q: If I don’t use Amazon EKS and I enable Amazon EKS audit logs in Amazon Detective, will I be charged?
No. If you aren’t using Amazon EKS, you will not incur any charge for Amazon EKS audit logs. However, when you start using Amazon EKS your clusters will be automatically monitored by Amazon Detective, and you will receive cluster, node, and pod profiles for your Amazon EKS workloads on Amazon Detective.
Q: Can I enable Amazon EKS audit logs only, without enabling the full Detective service (e.g., Amazon VPC Flow Logs, Amazon GuardDuty findings, and AWS CloudTrail management events analysis)?
The full Amazon Detective service must be enabled for Amazon EKS audit logs to be available.
Q: Does Amazon EKS audit logs support multi-account management?
Yes. Amazon EKS audit logs support multi-account management through AWS Organizations integration. This integration helps security and compliance teams ensure full coverage of Amazon Detective on all existing and future Amazon EKS clusters across all accounts in an organization.
Q: Does Amazon Detective provide visibility into Amazon EKS workloads on AWS Fargate, non-managed Kubernetes on EC2, or for ES Anywhere?
Currently this capability only supports Amazon EKS deployments running on EC2 instances in your AWS account.
Q: Do I need to make any configuration changes, deploy any software, or modify my Amazon EKS deployments?
No. Once enabled, Amazon Detective begins monitoring Amazon EKS audit logs from all existing and new Amazon EKS clusters in the account for security findings with nothing more to deploy, no log sources to enable, and no configuration changes to make.
Q: Will using Amazon EKS audit logs impact the performance or cost of running containers on Amazon EKS?
No. Amazon EKS audit logs is designed to not have any performance, availability, or cost implications to Amazon EKS workload deployments.
Q: Do I have to enable Amazon EKS audit logs in each AWS Region individually?
Yes. Amazon EKS audit logs have to be enabled in each AWS Region separately.
Learn more about Amazon Detective capabilities and implementation by reading the documentation.
Instantly get access to the AWS Free Tier.
Get started building with Amazon Detective.