
miyuki_samitani


What is Amazon Detective?


Impression before studying

I feel like I've never heard of it.

Research

What is Amazon Detective?

Amazon Detective is a service that helps you analyze, investigate and identify the root cause of potential security issues or suspicious activity in your AWS accounts and workloads.
As the name suggests, the service works like a detective: it gathers evidence (log data), links the pieces together, and lets you trace a problem back to its cause.

Detective automatically ingests the following data sources and links them into a single behavior graph of activity per account, user, role, IP address and EC2 instance:

  • AWS CloudTrail logs (API calls made in the account)
  • Amazon VPC Flow Logs (network traffic to and from EC2 instances)
  • Amazon GuardDuty findings

Detective reads these sources directly, so you do not have to enable CloudTrail or VPC Flow Logs yourself for Detective to receive them.

Prerequisites and recommended settings

  • AWS CLI version 1.16.303 or later (if you manage Detective from the CLI)
  • Amazon GuardDuty must be enabled
    • Enable Detective from the GuardDuty administrator (formerly "master") account
    • GuardDuty must have been enabled for at least 48 hours before Detective can be enabled in that account
  • GuardDuty publishes finding updates to CloudWatch Events every 6 hours by default; set the finding publishing frequency to 15 minutes so that Detective receives updated findings promptly.
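As an added example (not from the original post), here is a small Python check of the conditions listed above against the data that `aws --version` and `aws guardduty get-detector` return. The version-string format and the detector fields (Status, CreatedAt, FindingPublishingFrequency) are taken from the AWS CLI and the GuardDuty GetDetector API; the sample values are constructed.

```python
"""Check the Amazon Detective prerequisites listed above.

Added example, not from the original post. The detector fields (Status,
CreatedAt, FindingPublishingFrequency) follow the GuardDuty GetDetector API
response; the CLI version string follows `aws --version` output. All sample
values below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

MIN_CLI_VERSION = (1, 16, 303)
MIN_GUARDDUTY_AGE = timedelta(hours=48)
RECOMMENDED_FREQUENCY = "FIFTEEN_MINUTES"


def parse_cli_version(version_output):
    """Extract (major, minor, patch) from output such as
    'aws-cli/1.16.303 Python/3.7.3 Linux/5.4.0 botocore/1.13.39'."""
    match = re.search(r"aws-cli/(\d+)\.(\d+)\.(\d+)", version_output)
    if not match:
        raise ValueError("unrecognised `aws --version` output")
    return tuple(int(part) for part in match.groups())


def check_prerequisites(cli_version_output, detector, now):
    """Return the list of unmet conditions (empty when Detective can be enabled)."""
    problems = []
    if parse_cli_version(cli_version_output) < MIN_CLI_VERSION:
        problems.append("AWS CLI is older than 1.16.303")

    if detector.get("Status") != "ENABLED":
        problems.append("GuardDuty is not enabled in this account")
    else:
        # CreatedAt is an ISO-8601 timestamp with milliseconds and a 'Z' suffix.
        created = datetime.strptime(detector["CreatedAt"], "%Y-%m-%dT%H:%M:%S.%fZ")
        created = created.replace(tzinfo=timezone.utc)
        if now - created < MIN_GUARDDUTY_AGE:
            problems.append("GuardDuty has been enabled for less than 48 hours")

    if detector.get("FindingPublishingFrequency") != RECOMMENDED_FREQUENCY:
        problems.append("GuardDuty finding publishing frequency is not FIFTEEN_MINUTES")
    return problems


# Constructed sample: a detector turned on three days ago that still uses the
# default six-hour publishing frequency, checked from an up-to-date CLI.
SAMPLE_NOW = datetime(2020, 5, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_CLI = "aws-cli/1.18.50 Python/3.8.2 Linux/5.4.0 botocore/1.15.50"
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "CreatedAt": "2020-05-01T10:00:00.000Z",
    "FindingPublishingFrequency": "SIX_HOURS",
}

if __name__ == "__main__":
    for problem in check_prerequisites(SAMPLE_CLI, SAMPLE_DETECTOR, SAMPLE_NOW):
        print("unmet:", problem)
```

If the frequency check fails, `aws guardduty update-detector --detector-id <id> --finding-publishing-frequency FIFTEEN_MINUTES` changes it; the 48-hour condition can only be satisfied by waiting.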

Use Cases

  • Investigate the scope and impact of a security issue

Starting from a GuardDuty finding, check whether a credential has been compromised: which access keys were used, from which IP addresses (including known-malicious ones), which API calls they made, and when.

  • Investigate a flagged EC2 instance

Detective does not scan the instance's files itself; when GuardDuty flags an instance for malware-like behavior, Detective lets you investigate it by showing its network traffic (from VPC Flow Logs) and related API activity over time.
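The following Python script is an added example (not from the original post and not Amazon Detective's own code) that reproduces by hand the first use case above: given CloudTrail events and an IP address that GuardDuty has flagged as malicious, it finds which access keys were used from that IP and then scopes everything those keys did from the first malicious call onward, including calls from other, unflagged IPs. The events and the malicious IP are constructed; the record fields follow the CloudTrail log format (eventTime, eventSource, eventName, sourceIPAddress, userIdentity.accessKeyId, errorCode) and the access key IDs are AWS documentation examples.

```python
"""Scope a possibly compromised credential from CloudTrail events.

Added example, not from the original post and not Detective's own logic.
Records are constructed; 198.51.100.7 (TEST-NET-2) plays the malicious IP
and the access key IDs are AWS documentation examples.
"""
import json

CLOUDTRAIL_JSON = """
{"Records": [
  {"eventTime": "2020-05-03T08:00:12Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
   "sourceIPAddress": "203.0.113.20",
   "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
  {"eventTime": "2020-05-03T09:14:03Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
   "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
  {"eventTime": "2020-05-03T09:14:40Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
   "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
   "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
  {"eventTime": "2020-05-03T09:16:05Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
  {"eventTime": "2020-05-03T09:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
   "sourceIPAddress": "203.0.113.99",
   "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
  {"eventTime": "2020-05-03T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
   "sourceIPAddress": "203.0.113.20",
   "userIdentity": {"type": "IAMUser", "userName": "ops", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}}
]}
"""


def load_events(text):
    """Parse a CloudTrail log file ({"Records": [...]} envelope), oldest event first.
    eventTime values are UTC ISO-8601 strings, so string order is time order."""
    return sorted(json.loads(text)["Records"], key=lambda r: r["eventTime"])


def access_key(event):
    return event.get("userIdentity", {}).get("accessKeyId")


def api_call(event):
    """Render an event as service:Action, e.g. s3:GetObject."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def investigate(events, malicious_ips):
    """For every access key seen calling from a malicious IP, report what that
    key did from its first malicious call onward."""
    first_malicious = {}
    for ev in events:
        key = access_key(ev)
        if key and ev["sourceIPAddress"] in malicious_ips and key not in first_malicious:
            first_malicious[key] = ev["eventTime"]

    reports = {}
    for key, since in first_malicious.items():
        key_events = [ev for ev in events if access_key(ev) == key]
        before = [ev for ev in key_events if ev["eventTime"] < since]
        after = [ev for ev in key_events if ev["eventTime"] >= since]
        known_ips = {ev["sourceIPAddress"] for ev in before}
        after_ips = {ev["sourceIPAddress"] for ev in after}
        reports[key] = {
            "user": after[0]["userIdentity"].get("userName"),
            "first_malicious_call": since,
            "api_calls": [api_call(ev) for ev in after],
            # AccessDenied errors after the compromise usually mean the attacker
            # was probing what the key is allowed to do.
            "access_denied_calls": sum(1 for ev in after if ev.get("errorCode") == "AccessDenied"),
            "source_ips": after_ips,
            # IPs the key had never used before the compromise and that are not
            # on the flagged list: a possible pivot that the IP list alone would miss.
            "unflagged_new_ips": after_ips - known_ips - set(malicious_ips),
        }
    return reports


if __name__ == "__main__":
    report = investigate(load_events(CLOUDTRAIL_JSON), {"198.51.100.7"})
    print(json.dumps(report, indent=2, default=sorted))
```

The key point the output makes is that scoping must follow the credential, not the IP: once the `deploy` key is known to be compromised, the later `ec2:RunInstances` from 203.0.113.99 belongs to the incident even though that address was never flagged.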

Impression after studying

Basically, I think of it as a tool for gathering and analyzing information.
It looks like it can show where suspicious IP addresses are accessing from.
