In the cloud-native world, detective controls are like a security camera: always watching, always logging, and always ready to alert you when something’s off. AWS detective controls help us monitor, detect, and respond to security incidents in real time.
🚦 What Are Detective Controls?
Detective controls are security mechanisms designed to detect, log, and alert after an event has occurred. Think of them as our cloud’s black box, recording every action for later review. In AWS, detective controls are foundational for:
- Identifying threats
- Tracking changes
- Ensuring compliance
- Supporting forensic investigations
The Curious Case of Kanchi and the EC2 Instance
Imagine Kanchi as the security lead at a startup. One morning, she gets a notification: an EC2 instance was terminated at 3:00 AM. Who did it? Was it authorized? Here’s how detective controls help her solve the mystery:
1️⃣AWS CloudTrail Captures the Evidence
AWS CloudTrail records every API call made in the account. She can track:
- Who made the request (e.g., IAM user Alice)
- When and from where it happened
- What action was performed (here, terminating an EC2 instance)
“CloudTrail logs are your audit trail, capturing every move in your AWS environment. For compliance, keep logs immutable and store them in a separate, secure account.”
— Blaine Sundrud, Senior AWS Instructional Designer
**CloudTrail Log Entry:**

```json
{
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJQABLZK7654321ABC",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "AKeyIAXXXXXXXXXXXXXX"
  },
  "eventTime": "2025-07-03T03:00:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.42",
  "requestParameters": {
    "instancesSet": {
      "items": [
        { "instanceId": "i-0abcd1234efgh5678" }
      ]
    }
  }
}
```
Advice: Copy CloudTrail logs from your main account (Account A) to a dedicated log account (Account B) with strict access controls. This ensures no one, not even an admin, can tamper with the logs!
2️⃣Amazon CloudWatch Monitors and Notifies
Detecting changes is only half the job. She needs to route alerts to the right people and systems. Enter Amazon CloudWatch:
- Monitors logs and metrics
- Sends notifications (e.g., SNS, email, Slack)
- Triggers automated remediation (e.g., Lambda functions to isolate compromised resources)
Example Workflow:
- CloudTrail logs an unauthorized EC2 termination.
- CloudWatch detects the event and sends an alert to your security team.
- A Lambda function automatically revokes the user’s credentials and tags the incident for investigation.
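The detection step of this workflow, as an added example that is not from the original post: a small Python checker that reads a CloudTrail log delivery (constructed sample records, including the 3:00 AM termination) and flags TerminateInstances calls made by a principal outside a hypothetical allow-list or outside a hypothetical change window. The allow-list, the window, and all sample identities are assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a CloudTrail log file delivery; real files wrap events in a "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-07-03T03:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abcd1234efgh5678"}]}}},
    {"eventTime": "2025-07-03T14:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deployer/ci"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0fedc9876ba543210"}]}}},
    {"eventTime": "2025-07-03T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Bob"}},
]})

# Hypothetical policy: only these principals may terminate instances, and only inside the change window (UTC).
ALLOWED_TERMINATORS = {"arn:aws:sts::123456789012:assumed-role/Deployer/ci"}
CHANGE_WINDOW_UTC = (8, 18)  # [start_hour, end_hour)


def terminated_instances(event):
    """Return the instance IDs named in a TerminateInstances request (empty if none)."""
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items]


def detect_suspicious_terminations(log_text):
    """Flag TerminateInstances events by a non-allow-listed principal or outside the change window."""
    alerts = []
    for event in json.loads(log_text)["Records"]:
        if event.get("eventSource") != "ec2.amazonaws.com" or event.get("eventName") != "TerminateInstances":
            continue  # only EC2 terminations matter for this detection
        who = event["userIdentity"]["arn"]
        when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        reasons = []
        if who not in ALLOWED_TERMINATORS:
            reasons.append("principal not allow-listed")
        if not CHANGE_WINDOW_UTC[0] <= when.hour < CHANGE_WINDOW_UTC[1]:
            reasons.append("outside change window")
        if reasons:  # the who / when / where an alert recipient needs to start an investigation
            alerts.append({"who": who, "when": event["eventTime"], "from": event["sourceIPAddress"],
                           "instances": terminated_instances(event), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_terminations(SAMPLE_LOG):
        print(json.dumps(alert))
```

In a real deployment the same logic would sit in the Lambda function invoked by the CloudWatch alarm, with the alerts published to SNS instead of printed.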
🗂️ Essential AWS Logs for Detective Controls
| Service | What It Captures | How It Helps |
|---|---|---|
| Amazon S3 Access Logs | Requests to S3 buckets/objects (who, when, what, where) | Detect unauthorized access, track downloads, audit usage |
| ELB Access Logs | HTTP/HTTPS requests to load balancers | Analyze traffic, identify unhealthy backends, troubleshoot |
| CloudWatch Logs/Events | Application/system logs, custom metrics, event triggers | Centralize analysis, automate alerts, visualize trends |
| VPC Flow Logs | IP traffic to/from network interfaces | Monitor network activity, detect anomalies |
| AWS CloudTrail | All API calls (who, what, when, where, how) | Full audit trail for compliance, incident response |
🕵️‍♂️ Advanced Investigation: Amazon Detective
- Amazon Detective aggregates data from CloudTrail, VPC Flow Logs, and GuardDuty, using machine learning and graph theory to link related events and visualize timelines.
- It helps security teams quickly analyze root causes, understand the scope of incidents, and correlate user/resource activity across accounts.
- Integration: Works with AWS Security Hub, GuardDuty, and Macie for a unified security view.
Detective controls aren’t just about compliance; they’re about proactive security and peace of mind. By capturing and analyzing logs across AWS services, you can spot threats, respond quickly, and keep your cloud fortress secure. 🏰🔒
Key Takeaways:
- Enable CloudTrail in all accounts and regions.
- Store logs securely and validate their integrity.
- Set up CloudWatch alarms and automate responses.
- Leverage Amazon Detective for deep investigations.
Have you implemented detective controls in your AWS environment? Share your experiences and tips in the comments below!
📚 Further Reading
- AWS Detective Controls Documentation
- AWS CloudTrail Documentation
- Amazon CloudWatch Overview
- How to Use S3 Access Logs
- VPC Flow Logs Guide
Stay secure and keep watching those logs! 🚨