Detective controls

GAMESEC03: How do you monitor and analyze player usage behavior within your game?

To maintain a positive player experience, you should have a process for capturing, storing, and analyzing relevant data that can help you understand how players engage with your game's features and with other players.

GAMESEC_BP09: Collect, store, and analyze player usage logs to detect inappropriate behavior.

Instrument your game to collect logs that help you understand how players use the features of your game and how they interact with other players so that you can prevent unauthorized activity which can degrade the player experience. This can be done by sending structured log events to the Game Analytics Pipeline, or by using a logging solution such as Amazon CloudWatch Logs, Amazon OpenSearch Service, or a solution from an AWS Partner such as Datadog, Sumo Logic, New Relic, Honeycomb, or Splunk. These player usage logs should be structured so that they can be used to detect when speciﬁc actions by players need to be investigated.

After you have captured the data, you should consider implementing tools to help you detect inappropriate usage behavior. For example, if your game has social features such as in-game player messaging and voice chat, or online forums, it is recommended to save logs from these player engagements in a format that can be analyzed for moderation purposes. Conﬁgure your game's voice chat feature to export recordings to Amazon S3 and use Amazon Transcribe to convert the audio speech to text format which can be stored for processing. Alternatively, you can perform real-time streaming transcription by integrating your game backend voice chat service directly with the Transcribe API to transcribe streaming audio in real-time. Moderation teams can manually review the content, and once the content is in a standard format, you can also use AWS AI/ML services to perform moderation automatically. Amazon Comprehend can be used to perform natural language processing (NLP) to uncover information from the unstructured text, which can help you classify and organize the conversations into relevant topics and identify inappropriate behavior such as profanity.

If your game allows players to generate or upload content, consider using Amazon Rekognition to identify the content of the images for moderation. For video use cases such as player live streaming, you can send video streams to Amazon Kinesis Video Streams which you can integrate with Amazon Rekognition Video or your own custom application to analyze and moderate in real-time. Your game may provide players with the ability to contact player support agents through a call center such as Amazon Connect, or chat bots using Amazon Lex. Amazon Connect provides support for monitoring live and recorded conversations. To analyze interactions between players and player support chat bots built with Amazon Lex, you can store the conversation logs from these interactions in Amazon CloudWatch Logs which can be exported to S3 and analyzed as described previously.

You can also integrate your game with Amazon Fraud Detector, a fully managed service that uses machine learning to identify potentially fraudulent activity so customers can catch online fraud quickly. You can use Fraud Detector to detect potentially fraudulent activity and flag that activity for review so that you can prevent fraudulent in-game purchases in real-time, detect compromised accounts by looking for behavioral changes and anomalies, and distinguish between legitimate and high-risk new account registrations.

Amazon Lookout for Metrics uses machine learning to automatically detect and diagnose anomalies in your business and operational data, and monitors the metrics that are most important to your businesses with greater speed and accuracy. The service also makes it easier to diagnose the root cause of anomalies such as sudden dips in revenue, logins, transactions, and retention. It does not require game developers to have any ML experience to setup and can connect to popular data sources including Amazon S3, Amazon CloudWatch, Amazon RDS, Amazon Redshift, as well as many SaaS applications. For example, you can integrate Amazon Lookout for Metrics with the Game Analytics Pipeline and other data sources to begin analyzing behavior to detect anomalies.

Alternatively, you may choose to build, train, and host a custom machine learning model using Amazon SageMaker to address use cases such as content moderation, toxicity detection, cheat detection, fraud detection, and more.

In addition to generating custom game usage logs, it is also recommended to capture and store system-level logs from relevant services, such as S3 server access logs, CloudFront access logs, and ALB access logs. These logs can be stored in an Amazon S3 bucket in your account and are useful for associating your player usage information from within the game with system-level information including connection details such as IP addresses, request headers, and any relevant request manipulation and filtering that you may have configured within your game backend. These logs can be sent to the same logging solutions mentioned earlier, and can also be analyzed using SQL queries with Amazon Athena without requiring the logs to be moved out of Amazon S3.

Access Analyzer for S3 is a feature that monitors your bucket access policies, ensuring that the policies provide only the intended access to your S3 resources. Access Analyzer for S3 evaluates your bucket access policies and allows you to discover and swiftly remediate buckets with potentially unintended access.

To continuously monitor for malicious activities and unauthorized behaviors within your AWS environment, consider using Amazon GuardDuty. GuardDuty identifies threats by monitoring account behavior, network activity, and data access patterns within your environment. It analyzes tens of billions of events across multiple data sources, such as CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs for potential threats. By integrating with Amazon CloudWatch Events and Lambda, GuardDuty alerts can be automatically forwarded to relevant security teams for further analysis.

AWS Security Hub provides a comprehensive view of your security state in AWS and helps you to check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you to analyze your security trends and identify the highest priority security issues. The Amazon GuardDuty integration with Security Hub enables you to send findings from GuardDuty to Security Hub. Security Hub can then include those findings in its analysis of your security posture.

It’s common for bad actors to employ bots to take over accounts and cheat in games. WAF Bot Control gives you visibility and control over common and pervasive bot traffic that can consume excess resources, skew metrics, cause downtime, or perform other undesired activities.

Ransomware is malicious code designed to gain unauthorized access to systems and datasets and encrypt that data to block access by legitimate players. After ransomware has locked players out of their systems and encrypted their sensitive data, cyber criminals demand a ransom before providing a decryption key to unlock the data. Organizations can be completely shut down by an attack, incurring significant costs and loss of business productivity. Refer to Securing your Cloud Environment from Ransomware for best practices you can apply to strengthen your ability to fight ransomware before, during, and after an incident takes place.

Refer to the Well-Architected Framework whitepaper for additional best practices in the detective controls area for security.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Identity and access management

Infrastructure protection