# Getting started with Amazon Detective
<a name="detective-setup"></a>

This tutorial provides an introduction to Amazon Detective. You'll learn how to enable Detective for your AWS account. You'll also learn how to verify that Detective has begun to ingest and extract data from your AWS account into your behavior graph.

When you enable Amazon Detective, Detective creates a Region-specific behavior graph that has your account as its administrator account. This is initially the only account in the behavior graph. The administrator account can then invite other AWS accounts to contribute their data to the behavior graph. See [Managing accounts in Detective](accounts.md).

Enabling Detective in a Region for the first time also begins a 30-day free trial for the behavior graph. If the account disables Detective and then enables it again, no free trial is available. See [About the free trial for behavior graphs](free-trial-overview.md).

After the free trial, each account in the behavior graph is billed for the data they contribute to it. The administrator account can track the usage and see the total projected cost for a typical 30-day period for their entire behavior graph. For more information, see [Monitoring usage for a Detective administrator account](usage-tracking-admin.md). Member accounts can track the usage and projected cost for the behavior graphs that they belong to. For more information, see [Monitoring usage for a Detective member account](member-usage-tracking.md).

**Topics**
+ [Setting up your AWS account](detective-before-you-begin.md)
+ [Prerequisites to enable Detective](detective-prerequisites.md)
+ [Recommendations to enable Detective](detective-recommendations.md)
+ [Enabling Detective](detective-enabling.md)

# Setting up your AWS account
<a name="detective-before-you-begin"></a>

Before you can enable Amazon Detective, you must have an AWS account. If you do not have an AWS account, complete the following steps to create one.

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

# Prerequisites to enable Detective
<a name="detective-prerequisites"></a>

Make sure that the following requirements are met before enabling Detective.

## Granting the required Detective permissions
<a name="detective-setup-add-iam-policy"></a>

Before you can enable Detective, you must make sure that your IAM principal has the required Detective permissions. The principal can be an existing user or role that you are already using, or you can create a new user or role to use for Detective.

When you sign up for Amazon Web Services (AWS), your account is automatically signed up for all AWS services, including Amazon Detective. However, to enable and use Detective, you first have to set up permissions that allow you to access the Amazon Detective console and API operations. You or your administrator can do this by using AWS Identity and Access Management (IAM) to attach the [`AmazonDetectiveFullAccess` managed policy](security-iam-awsmanpol.md#security-iam-awsmanpol-amazondetectivefullaccess) to your IAM principal, which grants access to all Detective actions. Without these IAM permissions, you might see only the **Get started with Detective** page in the AWS console: the console does not display any active behavior graphs until these permissions are added, even if the service is already enabled.

## Supported AWS Command Line Interface version
<a name="aws-cli-version"></a>

To use the AWS CLI to perform Detective tasks, the minimum required version is 1.16.303.

# Recommendations to enable Detective
<a name="detective-recommendations"></a>

Consider following these recommendations before enabling Detective.

## Recommended alignment with GuardDuty and AWS Security Hub CSPM
<a name="recommended-service-alignment"></a>

If you are enrolled in GuardDuty and AWS Security Hub CSPM, we recommend that your account be an administrator account for those services. If the administrator accounts are the same for all three services, then the following integration points work seamlessly.
+ In GuardDuty or Security Hub CSPM, when viewing details for a GuardDuty finding, you can pivot from the finding details to the Detective finding profile.
+ In Detective, when investigating a GuardDuty finding, you can choose the option to archive that finding.

If you have different administrator accounts for GuardDuty and Security Hub CSPM, we recommend that you align the administrator accounts based on the service you use more frequently.
+ If you use GuardDuty more frequently, then enable Detective using the GuardDuty administrator account.

  If you use AWS Organizations to manage accounts, designate the GuardDuty administrator account as the Detective administrator account for the organization.
+ If you use Security Hub CSPM more frequently, then enable Detective using the Security Hub CSPM administrator account.

  If you use Organizations to manage accounts, designate the Security Hub CSPM administrator account as the Detective administrator account for the organization.

If you cannot use the same administrator accounts across all of the services, then after you enable Detective, you can optionally create a cross-account role. This role grants an administrator account access to other accounts.

For information about how IAM supports this type of role, see [Providing access to an IAM user in another AWS account that you own](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.

## Recommended update to the GuardDuty CloudWatch notification frequency
<a name="recommended-guardduty-config"></a>

In GuardDuty, detectors are configured with an Amazon CloudWatch notification frequency for reporting subsequent occurrences of a finding. This includes sending notifications to Detective.

By default, the frequency is six hours. This means that even if a finding recurs many times, the new occurrences are not reflected in Detective until up to six hours later.

To reduce the amount of time it takes for Detective to receive these updates, we recommend that the GuardDuty administrator account changes the setting on their detectors to 15 minutes. Note that changing the configuration has no effect on the cost of using GuardDuty.

For information about setting the notification frequency, see [Monitoring GuardDuty Findings with Amazon CloudWatch Events](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html) in the *Amazon GuardDuty User Guide*.
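The detector change recommended above, as an added example that is not part of this guide or of GuardDuty's own tooling: a POSIX shell script that, for each Region listed in `GUARDDUTY_REGIONS`, reads the current `FindingPublishingFrequency` of every detector and calls `update-detector` to set it to `FIFTEEN_MINUTES` where it is not already there. It assumes the AWS CLI is configured as the GuardDuty administrator account; the `GUARDDUTY_REGIONS` variable, the function names and the script name are this example's own.

```shell
#!/bin/sh
# Added example (not from the Amazon Detective guide): move every GuardDuty
# detector in a Region from the six-hour default to 15-minute finding updates,
# so that recurring findings reach Detective sooner.
# Assumed: the AWS CLI is configured as the GuardDuty administrator account.

TARGET_FREQUENCY="FIFTEEN_MINUTES"   # other accepted values: ONE_HOUR, SIX_HOURS (the default)

# Detector IDs in a Region, whitespace-separated (normally one per Region).
guardduty_detector_ids() {
    aws guardduty list-detectors --region "$1" --query 'DetectorIds[]' --output text
}

# Current publishing frequency of one detector, as the bare enum string.
guardduty_current_frequency() {
    aws guardduty get-detector --region "$1" --detector-id "$2" \
        --query FindingPublishingFrequency --output text
}

# Update every detector in the Region that is not already at the target
# frequency. Prints one status line per detector; returns 1 if the Region has
# no detector (GuardDuty is not enabled there).
set_finding_frequency() {
    region="$1"; freq="${2:-$TARGET_FREQUENCY}"
    ids=$(guardduty_detector_ids "$region")
    if [ -z "$ids" ] || [ "$ids" = "None" ]; then
        echo "$region: no GuardDuty detector found" >&2
        return 1
    fi
    for id in $ids; do
        current=$(guardduty_current_frequency "$region" "$id")
        if [ "$current" = "$freq" ]; then
            echo "$region $id: already $freq"
            continue
        fi
        aws guardduty update-detector --region "$region" --detector-id "$id" \
            --finding-publishing-frequency "$freq"
        echo "$region $id: $current -> $freq"
    done
}

# Entry point; nothing is changed unless GUARDDUTY_REGIONS is set, e.g.:
#   GUARDDUTY_REGIONS="us-east-1 eu-west-1" sh guardduty-frequency.sh
for region in ${GUARDDUTY_REGIONS:-}; do
    set_finding_frequency "$region"
done
```

Run with `GUARDDUTY_REGIONS` set to the Regions where the GuardDuty administrator account has detectors; the script is idempotent, so re-running it reports detectors that are already at 15 minutes without issuing another update.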

# Enabling Detective
<a name="detective-enabling"></a>

You can enable Detective from the Detective console, the Detective API, or the AWS Command Line Interface.

You can only enable Detective once in each Region. If you already are the administrator account for a behavior graph in the Region, then you cannot enable Detective again in that Region.

------
#### [ Console ]

**To enable Detective (console)**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. Choose **Get started**.

1. On the **Enable Amazon Detective** page, **Align administrator accounts (recommended)** explains the recommendation to align the administrator accounts between Detective and Amazon GuardDuty and AWS Security Hub CSPM. See [Recommended alignment with GuardDuty and AWS Security Hub CSPM](detective-recommendations.md#recommended-service-alignment).

1. The **Attach IAM policy** button takes you directly to the IAM console and opens the recommended policy. You have the option to attach the recommended policy to the principal you use for Detective. If you do not have permissions to operate in the IAM console, you can copy the policy Amazon Resource Name (ARN) from **Required permissions** and provide it to your IAM administrator, who can attach the policy on your behalf.

   Confirm that the required IAM policy is in place.

1. The **Add tags** section allows you to add tags to the behavior graph.

   To add a tag, do the following:

   1. Choose **Add new tag**.

   1. For **Key**, enter the name of the tag.

   1. For **Value**, enter the value of the tag.

   To remove a tag, choose the **Remove** option for that tag.

1. Choose **Enable Amazon Detective**.

1. After you enable Detective, you can invite member accounts to your behavior graph.

   To navigate to the **Account management** page, choose **Add members now**. For information about inviting member accounts, see [Managing invited member accounts in Detective](accounts-invited-members.md).

------
#### [ Detective API, AWS CLI ]

You can enable Amazon Detective from the Detective API or the AWS Command Line Interface.

**To enable Detective (Detective API, AWS CLI)**
+ **Detective API:** Use the [https://docs.aws.amazon.com/detective/latest/APIReference/API_CreateGraph.html](https://docs.aws.amazon.com/detective/latest/APIReference/API_CreateGraph.html) operation.
+ **AWS CLI:** At the command line, run the [https://docs.aws.amazon.com/cli/latest/reference/detective/create-graph.html](https://docs.aws.amazon.com/cli/latest/reference/detective/create-graph.html) command.

  ```
  aws detective create-graph --tags '{"tagName": "tagValue"}'
  ```

  The following command enables Detective and sets the value of the `Department` tag to `Security`.

  ```
  aws detective create-graph --tags '{"Department": "Security"}'
  ```
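The CLI procedure above, as an added example that is not part of this guide or of Detective's own scripts: a POSIX shell script that checks the installed AWS CLI against the 1.16.303 minimum, then runs `create-graph` in each Region listed in `DETECTIVE_REGIONS`. Because Detective can be enabled only once per Region, it first calls `list-graphs` and skips any Region where the account already administers a behavior graph. It goes beyond the single command above by looping over several Regions. It assumes the CLI is configured with a principal that holds `AmazonDetectiveFullAccess`; the `DETECTIVE_REGIONS` variable, the function names and the script name are this example's own.

```shell
#!/bin/sh
# Added example (not from the Amazon Detective guide): enable Detective in a
# list of Regions with the AWS CLI, after checking the CLI meets the 1.16.303
# minimum and skipping Regions where this account already administers a graph.
# Assumed: the AWS CLI is configured with a principal holding AmazonDetectiveFullAccess.

MIN_CLI_VERSION="1.16.303"   # minimum from the "Supported AWS CLI version" section

# Pull the version number out of an `aws --version` banner, e.g.
# "aws-cli/2.15.0 Python/3.11.6 Linux/6.1 exe/x86_64" -> "2.15.0".
cli_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|^aws-cli/\([0-9][0-9.]*\).*|\1|p'
}

# True (exit 0) when dotted version $1 is >= dotted version $2, comparing
# numerically component by component, so 1.16.303 > 1.16.99 and 2.0.0 > 1.16.303.
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; a=${a:-0}
        b=${v2%%.*}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1="" ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2="" ;; esac
    done
    return 0
}

# True when the banner is from an AWS CLI at or above MIN_CLI_VERSION.
cli_version_ok() {
    v=$(cli_version_from_banner "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_CLI_VERSION"
}

# Enable Detective in one Region. Detective can be enabled only once per
# Region, so first check whether this account already administers a graph
# there and skip if so; otherwise create the graph with the given tags JSON.
enable_detective_in_region() {
    region="$1"; tags="$2"
    existing=$(aws detective list-graphs --region "$region" \
                   --query 'GraphList[].Arn' --output text)
    if [ -n "$existing" ] && [ "$existing" != "None" ]; then
        echo "$region: already administrator of $existing, skipping"
        return 0
    fi
    arn=$(aws detective create-graph --region "$region" --tags "$tags" \
              --query GraphArn --output text) || return 1
    echo "$region: enabled, graph $arn"
}

# Entry point; runs only when DETECTIVE_REGIONS is set, so the functions can
# be sourced without touching AWS:
#   DETECTIVE_REGIONS="us-east-1 eu-west-1" sh enable-detective.sh
if [ -n "${DETECTIVE_REGIONS:-}" ]; then
    banner=$(aws --version 2>&1)   # AWS CLI v1 prints its banner on stderr
    cli_version_ok "$banner" || {
        echo "AWS CLI '$banner' is older than the required $MIN_CLI_VERSION" >&2
        exit 1
    }
    for region in $DETECTIVE_REGIONS; do
        enable_detective_in_region "$region" '{"Department": "Security"}'
    done
fi
```

Each Region gets its own behavior graph, so the script prints one line per Region with either the new graph ARN or the ARN of the graph the account already administers. The `--tags` value is the same JSON object the `create-graph` command above accepts; change it to whatever tagging convention the account uses.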

------
#### [ Python script on GitHub ]

You can enable Detective across Regions using the Detective Python script on GitHub. Detective provides an open-source script on GitHub that does the following:
+ Enables Detective for an administrator account in a specified list of Regions
+ Adds a provided list of member accounts to each of the resulting behavior graphs
+ Sends invitation emails to the member accounts
+ Automatically accepts the invitations for the member accounts

For information about how to configure and use the GitHub scripts, see [Using Detective Python scripts to manage accounts](detective-github-scripts.md).

------

## Checking that Detective is ingesting data from your AWS account
<a name="enable-check-data"></a>

After you enable Detective, it begins to ingest and extract data from your AWS account into your behavior graph.

For the initial extraction, data usually becomes available in the behavior graph within 2 hours.

One way to check that Detective is extracting data is to look for example values on the Detective **Search** page.

**To check for example values on the Search page**

1. Open the Amazon Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Search**.

1. From the **Select type** menu, choose a type of item.

   **Examples from your data** contains a sample set of identifiers of the selected type that are in your behavior graph data.

   If you can see example values, then you know that data is being ingested and extracted into your behavior graph.