AIP: Alias Investigation Platform
Built centralized IP investigation and insider risk platform serving 400+ weekly investigators tracking 1M+ employee aliases with EU privacy compliance.

The Challenge
Amazon Security investigators needed a centralized platform to conduct insider risk and IP theft investigations across over one million employee aliases. Investigations were taking weeks because critical data—badge access, VPN logs, endpoint telemetry, network DNS data—was scattered across multiple systems. Additionally, EU privacy compliance requirements meant investigators couldn't simply access all employee data without proper controls and audit trails.
My Approach
Led the end-to-end build of AIP, designing the architecture to pull badge data, VPN logs, and endpoint telemetry (including Route 53 corporate DNS data) from Basin into a unified investigation interface. Integrated multiple sensitive data sources, working with endpoint teams to unblock data access by explaining the investigative need and routing data access requests through a least-privilege approval process. Partnered with Legal to ensure EU privacy compliance, implementing need-to-know access controls under which investigators could only query aliases tied to their open investigation tickets. Built comprehensive logging of all AIP activity, with automated detections flagging any alias access not tied to an open investigation ticket.
Key Deliverables
Designed and built unified investigation interface pulling data from multiple Basin sources
Implemented need-to-know access controls with Legal partnership for EU privacy compliance
Built automated detections flagging unauthorized alias access for oversight
Established 10-year data retention framework meeting Legal requirements
Integrated badge data, VPN logs, endpoint telemetry, and Route 53 DNS data
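The need-to-know gate and the oversight detection described in My Approach and the deliverables above, as an added illustration (not AIP's own code): a lookup is allowed only when an open ticket assigned to the requesting investigator names the alias, and a separate detection re-derives that decision from ticket state for every logged access, so it also catches records written by a data path that skipped the gate. Ticket ids, investigator names, aliases and log lines are all constructed.

```python
import json
from collections import namedtuple

Ticket = namedtuple("Ticket", "ticket_id investigator aliases status")

# Constructed ticket state: each ticket names the aliases in scope for one investigator.
TICKETS = {
    "INV-101": Ticket("INV-101", "inv.alice", frozenset({"jdoe", "msmith"}), "open"),
    "INV-102": Ticket("INV-102", "inv.bob", frozenset({"rlee"}), "closed"),
}

def authorized(investigator, alias, ticket_id, tickets=TICKETS):
    """Need-to-know gate: allow only if the ticket exists, is open, is assigned
    to the requesting investigator, and lists the alias."""
    t = tickets.get(ticket_id)
    return (t is not None and t.status == "open"
            and t.investigator == investigator and alias in t.aliases)

# Constructed AIP activity log (JSON lines). The last record simulates a
# hypothetical path that bypassed the gate: "allow" with no ticket at all.
LOG_LINES = """\
{"ts":"2024-05-01T10:00:00Z","investigator":"inv.alice","alias":"jdoe","ticket":"INV-101","decision":"allow"}
{"ts":"2024-05-01T10:05:00Z","investigator":"inv.alice","alias":"rlee","ticket":"INV-101","decision":"deny"}
{"ts":"2024-05-01T10:07:00Z","investigator":"inv.bob","alias":"rlee","ticket":"INV-102","decision":"allow"}
{"ts":"2024-05-01T10:09:00Z","investigator":"inv.carol","alias":"msmith","ticket":null,"decision":"allow"}
"""

def flag_untied_access(log_text, tickets=TICKETS):
    """Detection: for every logged access, recompute authorization from ticket
    state and flag anything not tied to an open ticket, whatever the gate
    decided at the time. Returns (ts, investigator, alias, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if authorized(ev["investigator"], ev["alias"], ev["ticket"], tickets):
            continue
        t = tickets.get(ev["ticket"])
        if t is None:
            reason = "no ticket"
        elif t.status != "open":
            reason = "ticket closed"
        elif t.investigator != ev["investigator"]:
            reason = "ticket not assigned to investigator"
        else:
            reason = "alias not in ticket scope"
        findings.append((ev["ts"], ev["investigator"], ev["alias"], reason))
    return findings
```

Only the first record passes; the three flagged ones cover an out-of-scope alias, a closed ticket, and an access with no ticket at all.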