Threat Detection & Compliance in AWS
In the AWS ecosystem, security is a shared responsibility. While AWS secures the “Cloud,” you are responsible for security “in” the Cloud. For the SAA-C03 exam, you must understand how to automate threat detection, monitor for vulnerabilities, protect sensitive data, and maintain a continuous audit trail of resource changes.
The Security Guard Analogy
Imagine your AWS infrastructure is a high-security corporate campus:
- GuardDuty: The intelligent security cameras and motion sensors that learn what “normal” behavior looks like and alert you if someone is trespassing or acting suspiciously.
- Inspector: The safety inspector who walks around checking if doors are unlocked, if the fire extinguishers are expired, or if there are holes in the fence.
- Macie: The specialized auditor who looks through your filing cabinets (S3 buckets) to ensure you haven’t left Social Security numbers or credit card info in plain sight.
- Config: The master logbook that records every time a piece of furniture is moved, a lock is changed, or a new wall is built, allowing you to “rewind” and see what the campus looked like at any point in time.
Core Concepts & The Well-Architected Framework
These services align primarily with the Security Pillar (Detective Controls) and the Operational Excellence Pillar.
Detective Controls: “What is happening right now?”
Detective controls provide the visibility needed to identify a security breach. GuardDuty and Macie act as your eyes, using Machine Learning to identify anomalies that traditional rules-based systems might miss.
Compliance & Audit: “Are we following the rules?”
AWS Config ensures that your environment stays within the guardrails you’ve defined. If a developer opens an S3 bucket to the public, AWS Config doesn’t just record it—it can trigger an automated “remediation” to close it immediately.
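The detective half of that Config auto-remediation pattern, as an added example rather than code from these notes: a Lambda-backed custom Config rule that reads the S3 bucket's configuration item and reports it NON_COMPLIANT when any Block Public Access setting is off (the remediation step that follows would be a separate Config remediation action). The event layout follows Config's change-triggered custom-rule invocation; the bucket name and sample configuration item are constructed.

```python
"""Custom AWS Config rule: flag S3 buckets whose Block Public Access is not fully on.

Added illustration of the "Config Rules + Lambda" pattern, not code from the notes.
The event shape follows Config's change-triggered custom-rule invocation; the
sample configuration item at the bottom is constructed for offline testing.
"""
import json

# All four settings must be true for the bucket to count as locked down.
REQUIRED_SETTINGS = ("blockPublicAcls", "ignorePublicAcls",
                     "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_bucket(config_item):
    """Pure evaluation logic: returns (compliance_type, annotation)."""
    if config_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    pab = (config_item.get("supplementaryConfiguration") or {}).get(
        "PublicAccessBlockConfiguration") or {}
    # A missing block configuration counts as every setting being off.
    missing = [k for k in REQUIRED_SETTINGS if not pab.get(k, False)]
    if missing:
        return "NON_COMPLIANT", "Block Public Access not enabled: " + ", ".join(missing)
    return "COMPLIANT", "All four Block Public Access settings are enabled"


def lambda_handler(event, context):
    """Entry point Config invokes; reports the verdict back via put_evaluations."""
    import boto3  # imported here so evaluate_bucket stays testable offline
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_bucket(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample: a developer left policy-based public access open on a bucket.
SAMPLE_OPEN_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-reports-bucket",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
        "blockPublicAcls": True, "ignorePublicAcls": True,
        "blockPublicPolicy": False, "restrictPublicBuckets": False}},
}
```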
Service Comparison Table
| Service | Primary Purpose | Main Data Sources | Key Exam Keyword |
|---|---|---|---|
| Amazon GuardDuty | Intelligent Threat Detection | VPC Flow Logs, DNS Logs, CloudTrail | Machine Learning / Anomaly |
| Amazon Inspector | Vulnerability Management | EC2, ECR Images, Lambda functions | CVE / Patching / Reachability |
| Amazon Macie | Data Privacy & PII Discovery | Amazon S3 | PII / Sensitive Data |
| AWS Config | Configuration History & Compliance | Resource Metadata / API Calls | Compliance / Inventory / History |
Scenario-Based Decision Matrix
| If the requirement is… | Use Service… |
|---|---|
| Detect if an EC2 instance is communicating with a known Bitcoin mining IP | GuardDuty |
| Scan a Docker image in ECR for software vulnerabilities before deployment | Inspector |
| Find leaked API keys or Credit Card numbers in an S3 bucket | Macie |
| Know who changed a Security Group rule 3 weeks ago | Config |
| Automatically “fix” a non-compliant resource (e.g., unencrypted EBS) | Config Rules + SSM Automation |
Exam Tips: Golden Nuggets
- GuardDuty is “One-Click”: It does not require agents. It analyzes logs that AWS already manages (CloudTrail, VPC Flow Logs, etc.) without impacting performance.
- Inspector is for “Internal” Health: It looks inside the OS (EC2) or the code (Lambda) for known vulnerabilities (CVEs).
- Config is Global-ish: While it records regional resources, you can use “Aggregators” to see compliance status across multiple regions and accounts in a single view.
- Macie is S3-Specific: If the exam mentions PII in RDS or DynamoDB, Macie is the wrong answer (it only supports S3).
Threat Detection & Compliance Flow
Visualizing the Security & Compliance Pipeline
Key Services
- GuardDuty: Continuous monitoring for malicious activity.
- Inspector: Automated security assessments for EC2/ECR.
- Config: Resource inventory and compliance history.
Common Pitfalls
- Confusing GuardDuty (Threats) with Shield (DDoS).
- Assuming Inspector scans S3 buckets (it’s for compute).
- Thinking CloudTrail is for compliance (it’s for API logs; Config is for state).
Quick Patterns
- Compliance: Config + Lambda (Auto-Remediation).
- PII Discovery: Macie + S3 + SNS Alerts.
- DevOps Security: Inspector + ECR for CI/CD scanning.