Each tab provides information about all of the API calls that were issued from the geolocation during the scope time.
For each IP address, resource, and API method, the list shows the number of successful and failed API calls.
The activity details contain the following tabs:
Observed IP addresses
Initially displays the list of IP addresses that were used to issue API calls from the selected geolocation.
You can expand each IP address to display the resources that issued API calls from that IP address.
The list displays the resource name. To see the principal ID, pause on the name.
You can then expand each resource to display the specific API calls that were issued from that IP address by that resource. The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under Unknown service.
Geolocations
Resource
Initially displays the list of resources that issued API calls from the selected geolocation. The list displays the resource name. To see the principal ID, pause on the name. For each resource, the Resource tab also displays the associated AWS account.
You can expand each user or role to display the list of API calls that were issued by that resource.
The API calls are grouped by the services that issued the calls. For S3 buckets, the service is always Amazon S3. If Detective cannot determine the service that issued a call, the call is listed under Unknown service.
You can then expand each API call to display the list of IP addresses from which the resource issued the API call.
Sorting the activity details
You can sort the activity details by any of the list columns.
When you sort using the first column, only the top-level list is sorted. The lower-level lists are always sorted by the count of successful API calls.
Overall VPC flow volume
Filtering the activity details
You can use the filtering options to focus on specific subsets or aspects of the activity represented in the activity details.
On all of the tabs, you can filter the list by any of the values in the first column.
To add a filter
1. Choose the filter box.
2. From Properties, choose the property to use for the filtering.
3. Provide the value to use for the filtering. The filter supports partial values. For example, when you filter by API method, if you filter by Instance, the results include any API operation that has Instance in its name. So both ListInstanceAssociations and UpdateInstanceInformation would match.
For service names, API methods, and IP addresses, you can either specify a value or choose a built-in filter.
For Common API substrings, choose the substring that represents the type of operation, such as List, Create, or Delete. Each API method name starts with the operation type.
For CIDR patterns, you can choose to include only public IP addresses, private IP addresses, or IP addresses that match a specific CIDR pattern.
4. If you have multiple filters, choose a Boolean option to set how those filters are connected.
5. To remove a filter, choose the x icon in the top-right corner.
6. To clear all of the filters, choose Clear filter.
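The same grouping and filter semantics can be reproduced offline when reviewing exported API call records. The following is an added example, not Detective's own code: the record layout, the sample values, the case-sensitive substring match, and the use of the RFC 1918 ranges to define "private" are all assumptions.

```python
import ipaddress

# Constructed sample records: (source IP, resource, service, API method, succeeded).
# A service of None stands for a call whose service could not be determined.
CALLS = [
    ("203.0.113.10", "alice", "ssm", "ListInstanceAssociations", True),
    ("203.0.113.10", "alice", "ssm", "UpdateInstanceInformation", False),
    ("203.0.113.10", "alice", "ec2", "DescribeVolumes", True),
    ("203.0.113.10", "deploy-role", "s3", "ListBuckets", True),
    ("10.0.4.7", "deploy-role", "ssm", "ListInstanceAssociations", True),
    ("10.0.4.7", "deploy-role", None, "DeleteThing", False),
    ("198.51.100.23", "alice", "ec2", "DescribeVolumes", True),
    ("198.51.100.23", "alice", "ec2", "DescribeVolumes", True),
]

# Assumption: "private" means the RFC 1918 ranges; everything else is "public".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ip_matches(ip, pattern):
    """pattern is 'public', 'private', or a CIDR string such as '198.51.100.0/24'."""
    addr = ipaddress.ip_address(ip)
    private = any(addr in net for net in RFC1918)
    if pattern in ("public", "private"):
        return private == (pattern == "private")
    return addr in ipaddress.ip_network(pattern)

def activity_details(calls, api_substring=None, cidr=None):
    """Count calls per (ip, resource, service, method) as [successful, failed]."""
    rows = {}
    for ip, resource, service, method, ok in calls:
        if api_substring is not None and api_substring not in method:
            continue  # partial-value filter on the API method name
        if cidr is not None and not ip_matches(ip, cidr):
            continue  # built-in or explicit CIDR filter
        key = (ip, resource, service or "Unknown service", method)
        counts = rows.setdefault(key, [0, 0])
        counts[0 if ok else 1] += 1
    return rows

def top_level_by_success(rows):
    """Roll rows up to one line per IP, ordered by successful-call count."""
    totals = {}
    for (ip, *_), (ok, failed) in rows.items():
        t = totals.setdefault(ip, [0, 0])
        t[0] += ok
        t[1] += failed
    return sorted(((ip, t[0], t[1]) for ip, t in totals.items()),
                  key=lambda r: -r[1])
```
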
Activity details for Overall VPC flow volume
For an EC2 instance, the activity details for Overall VPC flow volume show the interactions between the EC2 instance and IP addresses during a selected time range.
For an IP address, the activity details for Overall VPC flow volume show the interactions between the IP address and EC2 instances during a selected time range.
To display the activity details for a single time interval, choose the time interval on the chart.
To display the activity details for the current scope time, choose display details for scope time.
Content of the activity details
The content reflects the activity during the selected time range.
For an EC2 instance, the activity details contain an entry for each unique combination of IP address, local port, remote port, protocol, and direction.
For an IP address, the activity details contain an entry for each unique combination of EC2 instance, local port, remote port, protocol, and direction.
Each entry displays the volume of inbound traffic, the volume of outbound traffic, and whether the access request was accepted or rejected. On finding profiles, the Annotations column indicates when an IP address is related to the current finding.
Sorting the activity details
You can sort the activity details by any of the columns in the table.
By default, the activity details are sorted first by the annotations, then by the inbound traffic.
Filtering the activity details
To focus on specific activity, you can filter the activity details by the following values:
• IP address or EC2 instance
• Local or remote port
• Direction
• Protocol
• Whether the request was accepted or rejected
To add and remove filters
1. Choose the filter box.
2. From Properties, choose the property to use for the filtering.
3. Provide the value to use for the filtering. The filter supports partial values.
To filter by IP address, you can either specify a value or choose a built-in filter.
For CIDR patterns, you can choose to include only public IP addresses, private IP addresses, or IP addresses that match a specific CIDR pattern.
4. If you have multiple filters, choose a Boolean option to set how those filters are connected.
5. To remove a filter, choose the x icon in the top-right corner.
6. To clear all of the filters, choose Clear filter.
Selecting the time range for the activity details
When you first display the activity details, the time range is either the scope time or a selected time interval. You can change the time range for the activity details.
To change the time range for the activity details
1. Choose Edit.
2. On Edit time window, choose the start and end time to use.
To set the time window to the default scope time for the profile, choose Set to default scope time.
3. Choose Update time window.
The time range for the activity details is highlighted on the profile panel charts.