AWS says Amazon Detective no longer under cover and is ready to poke around your data dustbins

After its initial unveiling at re:Invent 2019, security data analysis service Amazon Detective is now available to AWS customers.

The tool collects log data from AWS services GuardDuty, CloudTrail, and Amazon Virtual Private Cloud “and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.”

The resulting graphical representations are meant to be especially helpful for users with multiple AWS accounts using a variety of data sources, since those setups are notoriously difficult to suss out during root cause analysis.

To get going, users will have to enable Detective via its API or the AWS Management Console, then configure the accounts that are meant to be monitored as well as a master account in which the data should be collated.

Detective will then collect telemetry data for a variety of resources, such as AWS roles or EC2 instances, and behaviours (API calls, logins, etc.) which will then be turned into interactive views that can be used for further examinations. The latter’s scope and timeline can be adjusted for tasks such as identifying patterns that indicate security issues, investigating outlier activities, or researching the resources affected by a finding.

An additional deployment of agents or other software apparently isn’t necessary, since the service gets its data directly from AWS. Nevertheless, Amazon GuardDuty has to have been enabled on an account for at least 48 hours before it can be used with Detective.

The service is said to be able to maintain up to a year of historical event data; however, it doesn’t allow the export of raw logs. Behaviour graphs are region-specific, with the Detective API only being able to manage those belonging “to the region associated with the currently selected endpoint”.

Costs depend on the volume of events analysed, and users are charged per GB ingested per account, region and month, though free 30-day trials are available. Beyond that, the first 1,000 GB/account/region/month will set you back $2 per GB, the next 4,000 $1 per GB, and the 5,000 after that $0.50 per GB, while those ingesting over 10,000 GB/account/region/month will need to pay $0.25 per GB.