AWS has just announced the release of two new AWS managed policies for Amazon Detective – AmazonDetectiveMemberAccess and AmazonDetectiveInvestigatorAccess. These policies make it easier to leverage the service for security investigations and streamline their workflows.
What is Amazon Detective?
If you're not familiar with Amazon Detective, it's a fully managed service that makes it easy to analyze, investigate, and identify the root cause of security issues or suspicious activities across your AWS accounts. It uses machine learning and graph theory to automatically build a behavior graph of your AWS resource interactions, enabling you to identify unusual activity and investigate security issues quickly. To learn more, visit the Amazon Detective product page.
AmazonDetectiveMemberAccess
With the new AmazonDetectiveMemberAccess policy, users can view invitations to Detective's behavior graph, accept or reject them, and view how usage contributes to cost. This makes it easy for users to join investigations and collaborate with other members of their team.
The policy includes the following permissions for Amazon Detective:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"detective:AcceptInvitation",
"detective:BatchGetMembershipDatasources",
"detective:DisassociateMembership",
"detective:GetFreeTrialEligibility",
"detective:GetPricingInformation",
"detective:GetUsageInformation",
"detective:ListInvitations",
"detective:RejectInvitation"
],
"Resource": "*"
}
]
}
AmazonDetectiveInvestigatorAccess
The AmazonDetectiveInvestigatorAccess policy is designed for security analysts who need to conduct full security investigations, investigate suspicious activity, identify potential security issues, archive Amazon GuardDuty findings, but don't have to manage member accounts.
The policy includes the following permissions for Amazon Detective, AWS Organizations, and Amazon GuardDuty:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"detective:BatchGetGraphMemberDatasources",
"detective:BatchGetMembershipDatasources",
"detective:DescribeOrganizationConfiguration",
"detective:GetFreeTrialEligibility",
"detective:GetGraphIngestState",
"detective:GetMembers",
"detective:GetPricingInformation",
"detective:GetUsageInformation",
"detective:ListDatasourcePackages",
"detective:ListGraphs",
"detective:ListHighDegreeEntities",
"detective:ListInvitations",
"detective:ListMembers",
"detective:ListOrganizationAdminAccount",
"detective:ListTagsForResource",
"detective:SearchGraph"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"organizations:DescribeOrganization",
"organizations:ListAccounts"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"guardduty:ArchiveFindings",
"guardduty:GetFindings",
"guardduty:ListDetectors"
],
"Resource": "*"
}
]
}
Updated AmazonDetectiveFullAccess Policy
We've also updated permissions for the existing AWS managed policy AmazonDetectiveFullAccess to ensure assigned users can see the full details of GuardDuty findings in the Detective console, which allows them to fully understand the context of a security issue and make informed decisions on how to handle it.
The updated policy includes the following permissions for Amazon Detective, AWS Organizations, and Amazon GuardDuty:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"detective:*",
"organizations:DescribeOrganization",
"organizations:ListAccounts"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"guardduty:ArchiveFindings"
],
"Resource": "arn:aws:guardduty:*:*:detector/*"
},
{
"Effect": "Allow",
"Action": [
"guardduty:GetFindings",
"guardduty:ListDetectors"
],
"Resource": "*"
}
]
}
To learn more about Amazon Detective, visit the Detective documentation page. And, if you're not already using Amazon Detective, be sure to check out the product page to see how it can help you improve your security posture.