
Amazon Detective is an AWS security service that lets customers analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activity. AWS recently announced the expansion of Amazon Detective to Kubernetes workloads on Amazon Elastic Kubernetes Service (EKS).
AWS first introduced the service in March 2020; it continuously analyzes data such as login attempts, API calls, and network traffic drawn from Amazon GuardDuty, AWS CloudTrail, and Amazon VPC Flow Logs.
Since then, AWS has added features such as AWS IAM role session analysis, enhanced IP address analytics, Splunk integration, Amazon S3 and DNS finding types, and support for AWS Organizations. The latest update extends security investigation coverage to Kubernetes workloads running on Amazon EKS.
When potential threats or suspicious activity are found on Amazon EKS clusters, Amazon Detective creates findings, using Amazon GuardDuty Kubernetes Protection, and layers them on top of the affected entity profiles.
The new Detective feature helps answer questions such as which Kubernetes API methods were called by a Kubernetes user account that was detected as compromised, which pods are hosted on an Amazon EC2 instance flagged by Amazon GuardDuty, or which containers were created from a potentially malicious container image.
Amazon Detective for EKS is available in all AWS regions where Amazon Detective is available, and pricing will be based on the volume of audit logs analyzed.
There is a free 30-day trial when EKS coverage is enabled, allowing customers to ensure that the capabilities meet their security needs and get an estimate of the service’s monthly cost before committing to paid usage.