AWS Attribution

Solving the AWS Attribution Mystery in Real Time

When deploying assets on Amazon Web Services (AWS), identifying risk attribution is not a game, it’s serious business. Security alerts can be anything from nuisance to potential disaster. The faster you can determine the who, how, when and where, the better. The process can be like trying to find a needle in a haystack – or like playing the board game Clue.

A security alert, like the beginning of Clue, presents you with little more than the stark realization there’s a body in the library. Unlike a family playing a board game, your business doesn’t have all night to figure out whodunit.

The Evident Security Platform (ESP) with Attribution can solve the mystery in an instant—avoiding the stress, cost, time, and effort associated with a security alert.

No Time for Magnifying Glasses

Identify the Security Perp

Traditionally, your IT department detectives would consult the AWS CloudTrail. After all, one of its primary functions is using the AWS Application Program Interface (API) for security analysis. It would work, you would get the information, but who knows how long that would take! We’re talking about manually pouring through multiple CloudTrail logs and correlating data to determine the exact risk attribution. Might take an hour or a hundred times that, depending on the volume of activity being analyzed.

Some operational analysis tools, like Splunk, can make the process a little more efficient if they have log query analysis capabilities. Even so, a human has to perform the searches and piece everything together before naming Colonel Mustard as the perpetrator.

Not every organization has the resources and skill sets needed to conduct such an investigation. If you get an alert at 2am on a Saturday, someone’s got to get up and break out six-sided dice. It might take hours before the cuffs are slapped on Professor Plum and until then, you don’t know whether the risk is a nuisance or a serious breach.

Most of us just don’t have resources—someone skilled at log correlation—to do that kind of detective work. Because attribution is so hard, bad actors within your organization have a significant head start in any malicious activities, potentially creating vulnerabilities days or weeks before they are identified. Un-detected, bad process, sloppy work, or just a slip up can repeatedly create vulnerabilities.

Immediately Discover Who, How, When and Where

Finally, User Attribution That's No Mystery

What if you could play the entire game of Clue in the time it takes to snap your fingers? Imagine the ability to instantaneously proclaim with metaphysical certitude that it was “Miss Scarlett, with a rope, in the lounge!”

The Attribution feature gives you that power and is a critical component of every ESP subscription package. Upon receiving an ESP security alert, Attribution immediately identifies the source of the threat, assesses its severity, and provides remediation steps to deal with the issue.

ESP Attribution Screenshot dashboard demonstrates the who, when, where, and how of risk attribution in real time.


Attribution performs all of the legwork, so your team doesn’t have to. This includes:

  • Ingests AWS CloudTrail event logs
  • Identifies
    • The user or role that caused the alert
    • The performed action that caused the alert
    • The IP address of the action source
  • Summarizes relevant CloudTrail event fields in the ESP alerts
  • Correlates ESP security alerts to AWS CloudTrail events
  • Embeds relevant CloudTrail events into ESP alert for consumption via API or third party integrations

This adds an additional dimension of visibility to ESP security alerts—saving you time, money, and effort.

Risk Attribution Just Got Easier… A Whole Lot Easier


Playing Clue by the fire is fun on a dark and stormy night. Pouring through CloudTrail event logs, not so much. ESP, with Attribution, eliminates the need for dedicated, skilled risk attribution resources and reduces the disruption normally associated with security alerts.

Your operation saves time, because you know the who, how, when and where immediately. continuously seeks out vulnerabilities and identifies their sources, giving you the information to both fix the problem and prevent it from recurring. This murderer won’t strike again.

Most importantly, your mission critical applications and data are vulnerable for less time, because you can act faster in response to threats.

With better awareness of risk attribution, your operational security improves. You can constantly improve and update best practices, keep your personnel better trained about security, and help them work more effectively within established security policies.

Attribution will deal with Mrs. Peacock while your team remains focused on development and client service. Learn more about how ESP with Attribution can take your AWS security to the next level.