
AWS Detective: Investigating Security Incidents with Graph Analytics

Vigilare Engineering

Platform Team · February 3, 2026 · 9 min read

The Investigation Problem

You have a GuardDuty finding: UnauthorizedAccess:IAMUser/AnomalousBehavior. An IAM user made API calls to services they don't normally access, from an IP address outside your normal range. Is this a real compromise? If so, what did they do? What data was accessed? Are there other affected resources?

Answering these questions through CloudTrail queries is possible but time-consuming. You need to find all API calls from the user, correlate them with resource access, identify other IP addresses they've used, check whether those IPs appeared in other findings, and build a timeline of the incident. This can take hours.

AWS Detective automates this correlation. It ingests CloudTrail, VPC Flow Logs, and GuardDuty findings, builds a behavior graph that connects users, IPs, resources, and API calls, and lets you explore the relationships visually. What would take hours of manual CloudTrail analysis takes minutes with Detective.

Enabling AWS Detective

Detective requires GuardDuty to be enabled and builds its behavior graph from the same data sources. Enable Detective in your security account:

aws detective create-graph

Detective takes 48-72 hours to build initial baselines and starts being useful after 7 days of data. For multi-account setups, enable Detective in your security account and invite member accounts:

aws detective create-members \
  --graph-arn arn:aws:detective:us-east-1:123456789012:graph/GRAPHID \
  --accounts '[{"AccountId":"111122223333","EmailAddress":"admin@account.com"}]'

Combine with GuardDuty multi-account setup and Security Hub aggregation for a complete security visibility stack. See our GuardDuty multi-account guide for the full architecture.

The Detective Behavior Graph

Detective's core capability is its behavior graph — a continuously updated model of activity in your account that connects:

  • Entities: AWS accounts, IAM users, IAM roles, EC2 instances, IP addresses
  • Activities: API calls, network connections, authentication events
  • Findings: GuardDuty findings linked to the entities involved

When you investigate a GuardDuty finding, Detective shows you the entity profile (what's normal for this user or IP), the specific behavior that triggered the finding (what was anomalous), and related entities (other IPs this user has connected from, other findings involving the same IP).

Investigating a GuardDuty Finding

The Detective investigation workflow for a GuardDuty finding:

  1. Open the finding in Security Hub or GuardDuty, then click "Investigate in Detective"
  2. Review the entity profile: Is the behavior shown in the finding really anomalous? Detective shows you the baseline of what's normal for this user.
  3. Examine the activity timeline: What API calls were made before, during, and after the finding period?
  4. Review IP address context: What is this IP address? Has it appeared in other findings? Does it belong to a known hosting provider?
  5. Check related findings: Are there other GuardDuty findings involving the same user, role, or IP?
  6. Export the evidence: Detective can export investigation findings to document what happened

IAM User and Role Analysis

Detective's entity profiles provide powerful context for IAM investigation. For an IAM user under investigation:

  • API call summary: Services and operations called over the investigation window
  • Successful vs. failed API calls: Unusual number of failed calls can indicate privilege escalation attempts
  • Geographic distribution: Countries from which API calls originated
  • Associated IP addresses: Every IP from which the user has made API calls
  • Related findings: All GuardDuty findings involving this user

Compare the investigation window to the baseline (typically 90 days of history). An IAM user that normally makes 50 S3 API calls per day suddenly making 5,000 calls — especially to services they've never used — is a clear indicator of compromise.
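The 50-versus-5,000 comparison above, worked through as an added example (not Detective's code or the page's own): it builds a 90-day baseline from constructed CloudTrail records and reports, for the investigation window, the call-volume ratio, services the user never touched in the baseline, new source IPs and the failed-call ratio. The user name, IPs, services and timestamps are all constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def summarize(events, user, start, end):
    """Calls per eventSource, failed calls and source IPs for one IAM user in [start, end)."""
    per_service, ips, failed = Counter(), set(), 0
    for e in events:
        ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if e["userIdentity"].get("userName") != user or not (start <= ts < end):
            continue
        per_service[e["eventSource"]] += 1
        ips.add(e["sourceIPAddress"])
        failed += "errorCode" in e               # CloudTrail sets errorCode only on failed calls
    return {"total": sum(per_service.values()), "per_service": per_service, "ips": ips, "failed": failed}

def profile_user(events, user, window_start, window_end, baseline_days=90):
    """Compare the investigation window with the preceding baseline, as Detective's entity profile does."""
    base = summarize(events, user, window_start - timedelta(days=baseline_days), window_start)
    win = summarize(events, user, window_start, window_end)
    window_days = max((window_end - window_start) / timedelta(days=1), 1e-9)
    base_rate, win_rate = base["total"] / baseline_days, win["total"] / window_days
    return {
        "baseline_calls_per_day": round(base_rate, 2),
        "window_calls_per_day": round(win_rate, 2),
        "volume_ratio": round(win_rate / base_rate, 1) if base_rate else float("inf"),
        "new_services": sorted(set(win["per_service"]) - set(base["per_service"])),  # never used in baseline
        "new_ips": sorted(win["ips"] - base["ips"]),
        "window_failed_ratio": round(win["failed"] / win["total"], 2) if win["total"] else 0.0,
    }

# Constructed sample trail (not real CloudTrail data): 90 days of 50 S3 calls/day from the office
# IP, then one window day with 5,000 calls spread over S3, IAM and Secrets Manager from a new IP.
WINDOW_START = datetime(2026, 1, 31, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(days=1)

def _event(ts, source, name, ip, error=None):
    e = {"eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": source, "eventName": name,
         "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": ip}
    return {**e, "errorCode": error} if error else e

def sample_events():
    events = []
    for day in range(90):
        t = WINDOW_START - timedelta(days=90 - day)
        events += [_event(t + timedelta(minutes=i), "s3.amazonaws.com", "GetObject", "198.51.100.7") for i in range(50)]
    spike = ([("s3.amazonaws.com", "ListObjects", None)] * 4000 + [("iam.amazonaws.com", "CreateAccessKey", "AccessDenied")] * 500
             + [("secretsmanager.amazonaws.com", "GetSecretValue", None)] * 500)
    for i, (src, name, err) in enumerate(spike):
        events.append(_event(WINDOW_START + timedelta(seconds=17 * i), src, name, "203.0.113.9", err))
    return events
```

Running `profile_user(sample_events(), "alice", WINDOW_START, WINDOW_END)` reports a 100x volume jump, two never-seen services, one new IP and a 10% failure rate, which is the combination the paragraph above describes.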

For the response workflow after identifying compromise, see our account compromise response guide and cloud forensics guide.

EC2 Instance Investigation

For findings involving EC2 instances — cryptocurrency mining detection, port scanning, network probing — Detective provides:

  • VPC Flow Log analysis showing all network connections
  • External IP addresses the instance connected to
  • Port and protocol distribution
  • Comparison to baseline network behavior
  • Association with GuardDuty findings

An instance that suddenly starts connecting to hundreds of external IPs on port 22 is either compromised and scanning, or belongs to a legitimate security scanner — Detective's baseline helps you distinguish. For cryptocurrency mining detection patterns, see our crypto mining guide.
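The port-22 fan-out case above, as an added example that is neither Detective's code nor the page's own: it parses default-format VPC Flow Log records (a constructed sample) and flags ports on which an instance suddenly reaches far more distinct external hosts than in its own baseline, which is the comparison Detective's baseline makes for you. The VPC CIDR 10.0.0.0/16, the ENI id and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Parse default-format VPC Flow Log records; drop the header and NODATA/SKIPDATA lines."""
    rows = [line.split() for line in text.splitlines()]
    records = [dict(zip(FIELDS, row)) for row in rows if len(row) == len(FIELDS) and row[0] != "version"]
    return [r for r in records if r["log_status"] == "OK"]

def outbound_fanout(records, eni, vpc_cidr, start, end):
    """Distinct destination IPs outside the VPC, per destination port, for flows the ENI sent in [start, end)."""
    vpc, peers = ipaddress.ip_network(vpc_cidr), defaultdict(set)
    for r in records:
        if r["interface_id"] != eni or not (start <= int(r["start"]) < end):
            continue
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if src not in vpc or dst in vpc:      # replies and intra-VPC traffic are not outbound fan-out
            continue
        peers[int(r["dstport"])].add(str(dst))
    return {port: len(ips) for port, ips in peers.items()}

def scanning_indicators(records, eni, vpc_cidr, window_start, window_end, baseline_seconds, min_peers=20, factor=5):
    """Ports whose window fan-out is both large and well above this ENI's own baseline."""
    base = outbound_fanout(records, eni, vpc_cidr, window_start - baseline_seconds, window_start)
    win = outbound_fanout(records, eni, vpc_cidr, window_start, window_end)
    return {port: {"baseline_peers": base.get(port, 0), "window_peers": n}
            for port, n in win.items() if n >= min_peers and n > factor * base.get(port, 0)}

# Constructed flow log (not real data): a week of HTTPS to three hosts plus one daily SSH session to a
# bastion, then a burst of SSH connections to 150 distinct external hosts within the window hour.
WINDOW_START = 1_770_000_000                     # epoch seconds; the window is the following hour
ENI = "eni-0a1b2c3d"

def sample_flow_log():
    def rec(dst, port, t):
        return f"2 123456789012 {ENI} 10.0.1.25 {dst} 49152 {port} 6 5 320 {t} {t + 30} ACCEPT OK"
    lines = ["version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status"]
    for day in range(7):
        t = WINDOW_START - (7 - day) * 86400
        lines += [rec(f"198.51.100.{i}", 443, t + i) for i in (10, 11, 12)] + [rec("198.51.100.10", 22, t + 60)]
        lines.append(f"2 123456789012 {ENI} - - - - - - - {t + 90} {t + 120} - NODATA")
    lines += [rec(f"203.0.113.{i + 1}", 22, WINDOW_START + 10 * i) for i in range(150)]
    return "\n".join(lines)
```

A legitimate scanner shows the same fan-out in its baseline too, so `factor` keeps it out of the result while a newly compromised instance still trips it.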

IP Address Investigation

IP addresses are often the pivot point in investigations — the same IP may appear in multiple GuardDuty findings across different accounts or resources. Detective's IP profile shows:

  • Every entity in your account that has communicated with this IP
  • GuardDuty findings involving this IP across your organization
  • Geolocation and ASN information
  • Whether the IP is in AWS threat intelligence lists

An IP that appears in GuardDuty findings across three accounts and has communicated with five EC2 instances is a strong indicator of a coordinated attack or a compromised user whose credentials are being used from this IP.

Building Investigation Notebooks

Detective investigation notebooks provide a structured way to document security investigations. For each incident, create a notebook that captures:

  • The initial trigger (GuardDuty finding or alert)
  • Timeline of events
  • Entities involved
  • Evidence supporting the conclusion (compromise, false positive, or unclear)
  • Actions taken

These notebooks become part of your incident documentation for compliance purposes (SOC 2, PCI DSS) and for post-incident review. See our incident response guide for the full documentation framework.

Detective vs. Manual CloudTrail Analysis

Detective doesn't replace CloudTrail analysis — it accelerates it. Complex investigations still benefit from direct CloudTrail queries for specific API calls, timestamps, and request parameters that Detective's UI may not surface. Think of Detective as the first-pass investigation tool that gives you enough context to decide whether to escalate, and CloudTrail as the detailed forensics tool when you need to go deeper. See our CloudTrail analysis guide for the query patterns that complement Detective.

FAQ

How much does AWS Detective cost?

Detective charges based on the volume of data ingested (CloudTrail events, VPC Flow Logs, GuardDuty findings). For a typical account, this is $1-5/month. For high-traffic accounts with significant VPC Flow Log volume, costs can be higher — review the pricing calculator before enabling at scale.

Does Detective work retroactively?

No. Detective only analyzes data from after it was enabled. You cannot investigate incidents that occurred before enabling Detective. This is why early adoption matters: the behavior graph needs historical data to establish baselines and identify anomalies.

Can Detective automatically respond to incidents?

Detective is an investigation tool, not a response tool. It surfaces information for human investigation but doesn't take automated action. For automated response, use GuardDuty findings → EventBridge → Lambda. Detective is the tool you use to understand what happened after the automated response has fired. See our incident response planning guide.

Protect your AWS accounts before it's too late

Vigilare monitors your AWS accounts for suspension risks — billing anomalies, IAM issues, GuardDuty findings, and more — and alerts you before AWS takes action.
