Performing Cloud-Native Threat Hunting with AWS Detective
Overview
AWS Detective automatically collects and analyzes log data from AWS CloudTrail, VPC Flow Logs, GuardDuty findings, and EKS audit logs to build interactive behavior graphs. These graphs enable security analysts to investigate entities (IAM users, roles, IP addresses, EC2 instances) across time, identify anomalous API calls, detect lateral movement between accounts, and correlate GuardDuty findings into coherent attack narratives — all without manual log parsing.
Prerequisites
- AWS account with Detective enabled (Detective cannot be turned on until GuardDuty has been enabled in that account for at least 48 hours)
- AWS CLI v2 configured with IAM permissions for `detective:*` and `guardduty:List*`
- Python 3.9+ with boto3
- IAM policy: the managed `AmazonDetectiveFullAccess` policy, or a custom policy granting at least `detective:SearchGraph`, `detective:GetInvestigation` and `detective:ListIndicators`
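A pre-flight check for the prerequisites above, added here as an example; it is not part of this skill's own tooling. The live path uses boto3 calls that exist (`guardduty.list_detectors`/`get_detector`, `detective.list_graphs`/`list_datasource_packages`) and therefore also needs `guardduty:GetDetector`, which the `guardduty:List*` grant above does not cover. The sample responses at the bottom are constructed, not captured from an account, and are shaped like those calls' real responses so the logic runs offline. One caveat the GuardDuty API does not expose: a detector that was disabled and re-enabled restarts Detective's 48-hour clock, so a pass on `CreatedAt` is necessary but not sufficient.

```python
"""Pre-flight check for Detective threat hunting (added example, not the skill's code)."""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Tuple

# Detective refuses to enable until GuardDuty has been on this long.
MIN_GUARDDUTY_AGE = timedelta(hours=48)


def _as_utc(ts: Any) -> datetime:
    """GuardDuty returns CreatedAt as an ISO-8601 string ('...T09:00:00.000Z');
    Detective returns datetime objects. Normalise both to aware UTC."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def evaluate_prereqs(
    detector: Optional[Dict[str, Any]],
    graphs: List[Dict[str, Any]],
    packages: Dict[str, Dict[str, Any]],
    now: Optional[datetime] = None,
) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings); no errors means the hunt can start.

    detector: guardduty.get_detector() response, or None if no detector exists
    graphs:   detective.list_graphs()['GraphList']
    packages: detective.list_datasource_packages()['DatasourcePackages']
    """
    now = now or datetime.now(timezone.utc)
    errors: List[str] = []
    warnings: List[str] = []

    if detector is None:
        errors.append("GuardDuty: no detector in this region; Detective cannot be enabled")
    else:
        if detector.get("Status") != "ENABLED":
            errors.append(f"GuardDuty: detector status is {detector.get('Status')!r}, not ENABLED")
        # CreatedAt is the detector creation time; a disable/re-enable cycle
        # restarts Detective's 48h clock without changing it (see lead-in).
        age = now - _as_utc(detector["CreatedAt"])
        if age < MIN_GUARDDUTY_AGE:
            hours = int(age.total_seconds() // 3600)
            errors.append(f"GuardDuty: enabled only {hours}h ago; Detective needs 48h")

    if not graphs:
        errors.append("Detective: no behavior graph in this region; enable Detective first")
    else:
        # DETECTIVE_CORE carries CloudTrail, VPC Flow Logs and GuardDuty findings;
        # EKS_AUDIT is an optional package that must be switched on separately.
        core = packages.get("DETECTIVE_CORE", {}).get("DatasourcePackageIngestState")
        if core != "STARTED":
            errors.append(f"Detective: DETECTIVE_CORE ingest state is {core!r}, not STARTED")
        eks = packages.get("EKS_AUDIT", {}).get("DatasourcePackageIngestState")
        if eks != "STARTED":
            warnings.append("Detective: EKS_AUDIT not ingesting; EKS audit-log hunts will be empty")
    return errors, warnings


def fetch_live(region: str) -> Tuple[Optional[Dict[str, Any]], List[Dict[str, Any]], Dict[str, Any]]:
    """Pull the three inputs from a real account. Needs guardduty:ListDetectors,
    guardduty:GetDetector, detective:ListGraphs and detective:ListDatasourcePackages."""
    import boto3  # imported here so the offline path has no AWS dependency

    gd = boto3.client("guardduty", region_name=region)
    ids = gd.list_detectors().get("DetectorIds", [])
    detector = gd.get_detector(DetectorId=ids[0]) if ids else None

    det = boto3.client("detective", region_name=region)
    graphs = det.list_graphs().get("GraphList", [])
    packages: Dict[str, Any] = {}
    if graphs:  # one behavior graph per region for the administrator account
        packages = det.list_datasource_packages(GraphArn=graphs[0]["Arn"]).get("DatasourcePackages", {})
    return detector, graphs, packages


# Constructed sample responses (not from a real account), shaped like the
# boto3 responses named above. SAMPLE_NOW is 99h after the detector's CreatedAt.
SAMPLE_DETECTOR = {"Status": "ENABLED", "CreatedAt": "2024-03-01T09:00:00.000Z"}
SAMPLE_GRAPHS = [{
    "Arn": "arn:aws:detective:us-east-1:123456789012:graph:0123456789abcdef0123456789abcdef",
    "CreatedTime": datetime(2024, 3, 4, tzinfo=timezone.utc),
}]
SAMPLE_PACKAGES = {
    "DETECTIVE_CORE": {"DatasourcePackageIngestState": "STARTED"},
    "EKS_AUDIT": {"DatasourcePackageIngestState": "STOPPED"},
}
SAMPLE_NOW = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python prereqs.py us-east-1  -> checks a real account
        errs, warns = evaluate_prereqs(*fetch_live(sys.argv[1]))
    else:                  # no argument -> runs against the constructed samples
        errs, warns = evaluate_prereqs(SAMPLE_DETECTOR, SAMPLE_GRAPHS, SAMPLE_PACKAGES, now=SAMPLE_NOW)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
    sys.exit(1 if errs else 0)
```

Run it with a region name to check a real account, or with no arguments to see the constructed case, which passes with one warning because the sample has the EKS audit package stopped.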