AWS Security Services Architecture — Overview
AWS provides a layered security services ecosystem for threat detection, vulnerability management, investigation, and centralized security posture management. Understanding how GuardDuty, Security Hub, Inspector, Detective, and Macie work together is essential for SCS-C03 and frequently tested on SAP-C02.
VPC Flow Logs
DNS Logs | CloudTrail
EKS/S3/Lambda/RDS
Runtime monitoring
EC2 (CVEs, patches)
ECR images
Lambda functions
Software Bill of Materials
PII/PHI discovery
S3 bucket scanning
Sensitive data alerts
Automated discovery
Policy validation
Unused access findings
Custom policy checks
Cross-account sharing
Automated actions via EventBridge | Cross-account/cross-region aggregation
Graph analysis
Visualize entity behavior
Root cause analysis
12-month history
Finding → Lambda
Isolate instance
Revoke credentials
Create ticket
Resource configuration
Rules + Remediation
Config history
Conformance packs
Service Comparison
| Service | What It Does | Data Sources | Output |
|---|---|---|---|
| GuardDuty | Detects active threats and malicious behavior | VPC Flow Logs, DNS, CloudTrail, S3, EKS, RDS, Lambda, Runtime | Findings (cryptocurrency mining, port scanning, compromised creds, malware) |
| Inspector | Finds software vulnerabilities (CVEs) | EC2 instances (SSM Agent), ECR images, Lambda code | Findings with CVE ID, severity, remediation (patch/update) |
| Macie | Discovers sensitive data in S3 | S3 bucket objects (scans content) | Findings (PII, PHI, credentials, financial data locations) |
| IAM Access Analyzer | Identifies overly permissive access | IAM policies, resource policies, KMS grants, S3 buckets | Findings (external/public access, unused permissions) |
| Security Hub | Aggregates + prioritizes all security findings | GuardDuty, Inspector, Macie, Config, Firewall Manager, 3rd party | Unified dashboard, compliance scores, automated actions |
| Detective | Investigates and visualizes security incidents | GuardDuty findings, CloudTrail, VPC Flow Logs (12-month graph) | Entity relationship graphs, behavior timelines, root cause |
| Config | Monitors resource configuration compliance | All AWS resource configurations (records changes) | Compliance status, non-compliant resources, remediation actions |
How They Work Together
- GuardDuty detects a compromised EC2 instance (cryptocurrency mining activity)
- Security Hub receives the finding, correlates with Inspector findings (unpatched CVE on same instance)
- EventBridge triggers automated response Lambda (isolates instance via Security Group change)
- Detective investigates — shows what the compromised instance communicated with, what IAM calls it made, timeline of suspicious behavior
- Config records the Security Group change for audit trail
Multi-Account Security Architecture
- Delegated Administrator: Designate a Security Tooling account as delegated admin for GuardDuty, Security Hub, Inspector, Macie (not the management account)
- Auto-enable: New member accounts automatically enrolled in all security services
- Cross-region aggregation: Security Hub can aggregate findings from all regions into a single region
- Centralized logging: All findings → Security Hub → EventBridge → S3 (Log Archive account) for SIEM integration
Automated Response Patterns
| Finding | Automated Response | Services Used |
|---|---|---|
| Compromised EC2 instance | Isolate via Security Group (deny all inbound/outbound) | GuardDuty → EventBridge → Lambda → EC2 API |
| Compromised IAM credentials | Disable access key + attach deny-all policy | GuardDuty → EventBridge → Lambda → IAM API |
| Public S3 bucket detected | Block public access (put bucket policy) | Config Rule → SSM Automation → S3 API |
| Critical CVE found on EC2 | Patch via SSM Patch Manager | Inspector → EventBridge → SSM Run Command |
| PII found in S3 bucket | Quarantine bucket + notify compliance team | Macie → EventBridge → Lambda → S3/SNS |
Exam Tips
| Exam | Key Points |
|---|---|
| SCS-C03 | GuardDuty data sources (know all 8), Security Hub compliance standards (CIS, PCI, NIST), Detective for investigation, automated remediation with EventBridge+Lambda, delegated admin pattern, Macie for S3 PII, Config rules vs conformance packs |
| SAP-C02 | Which service for which detection type, multi-account security architecture, centralized logging to Log Archive, automated response patterns, service selection based on requirements |
AWS Certification Exam Practice Questions
Question 1:
A security team receives a GuardDuty finding that an EC2 instance is communicating with a known command-and-control (C2) server. They need to immediately contain the threat AND preserve forensic evidence. What should the automated response do?
- Terminate the instance immediately
- Change the Security Group to deny all traffic (isolate) but keep the instance running
- Take an AMI snapshot and then terminate the instance
- Remove the instance from its Auto Scaling Group
Show Answer
Answer: B — Isolating the instance by changing its Security Group to deny all inbound and outbound traffic immediately stops the C2 communication while preserving the instance for forensic investigation (memory dumps, disk analysis, process listing). Terminating would destroy evidence. The forensics team can later snapshot and investigate the isolated instance.
Question 2:
A company needs to ensure all EC2 instances across 50 accounts are scanned for software vulnerabilities (CVEs) automatically, with findings centralized in one place. Which architecture achieves this with LEAST operational overhead?
- Install vulnerability scanning agents on all EC2 instances manually
- Amazon Inspector with delegated admin in Security Tooling account, auto-enable for all org accounts, findings to Security Hub
- AWS Config rules checking for unpatched software
- GuardDuty Malware Protection scanning all instances
Show Answer
Answer: B — Inspector automatically discovers and scans EC2 instances (via SSM Agent, already installed on most AMIs), ECR images, and Lambda functions for CVEs. Delegated admin in the Security Tooling account auto-enables for all member accounts. Findings flow to Security Hub for centralized view. Zero manual agent installation — Inspector uses the existing SSM Agent.
Question 3:
A compliance team needs to verify that no S3 bucket in the organization contains unencrypted PII (Social Security numbers, credit card numbers). They need ongoing monitoring, not just a one-time scan. Which service provides this?
- AWS Config rule checking S3 encryption settings
- Amazon Macie with automated sensitive data discovery
- S3 access logging analysis with Athena
- GuardDuty S3 protection
Show Answer
Answer: B — Macie uses ML and pattern matching to scan S3 object CONTENTS for sensitive data (SSNs, credit cards, passwords, etc.). Automated discovery mode continuously scans new/modified objects. It reports exactly which objects contain PII and where. Config only checks bucket-level settings (encryption enabled), not content. GuardDuty detects threats, not data classification.
Question 4:
After GuardDuty detects suspicious API calls from an IAM user’s access keys, a security analyst needs to understand: what other resources did this user access in the last 30 days? What was their normal behavior pattern vs current anomaly? Which service provides this investigation capability?
- CloudTrail Lake with SQL queries
- Amazon Detective with entity behavior graphs
- Security Hub finding details
- CloudWatch Logs Insights
Show Answer
Answer: B — Detective builds behavior graphs from 12 months of data (CloudTrail, VPC Flow Logs, GuardDuty findings). It visualizes entity relationships and timelines, shows normal vs anomalous behavior patterns, and identifies what resources an entity accessed. You can pivot directly from a GuardDuty finding to Detective for investigation. CloudTrail Lake provides raw query capability but not behavioral analysis or visualization.
Question 5:
A company uses Security Hub with CIS AWS Foundations Benchmark. They want non-compliant findings to be automatically remediated (e.g., disable unused access keys, enable S3 encryption). What is the recommended automation architecture?
- Security Hub → SNS → manual review → manual fix
- Security Hub → EventBridge rules (filter by finding type) → SSM Automation documents (remediation)
- AWS Config auto-remediation rules for each check
- Lambda scheduled to scan Security Hub findings hourly and fix them
Show Answer
Answer: B — Security Hub sends findings to EventBridge in real-time. EventBridge rules filter by finding type (e.g., “CIS.1.4 – Access keys rotated”) and trigger SSM Automation documents that perform the remediation. This is event-driven, immediate, and scalable. Config auto-remediation (C) also works for Config-native rules but Security Hub aggregates findings from multiple sources beyond just Config.
Related Architecture Patterns
- Zero Trust Security
- Multi-Account Architecture
- Config vs CloudTrail vs CloudWatch
- All Architecture Patterns – Hub
Related Posts
- AWS Zero Trust Architecture
- Multi-Account Architecture – Organizations & Control Tower
- Network Firewall vs WAF vs Security Groups vs NACLs
- Responsible AI – Guardrails & Governance
- WAF vs Shield vs Firewall Manager
References
- AWS Security Reference Architecture
- Automate Remediation with GuardDuty and Security Hub — AWS Blog
- Amazon Inspector EC2 Scanning — AWS Blog
- Amazon Detective Simplifies Investigations — AWS Blog
Frequently Asked Questions
What is the difference between GuardDuty and Inspector?
GuardDuty detects active threats and malicious behavior (someone attacking you NOW — C2 communication, brute force, cryptocurrency mining). Inspector finds vulnerabilities that COULD be exploited (unpatched CVEs, misconfigured software). GuardDuty = “you’re being attacked.” Inspector = “you’re vulnerable to attack.”
Do I need both Security Hub and GuardDuty?
Yes — they serve different roles. GuardDuty is a detection engine that generates findings. Security Hub is an aggregation and management platform that collects findings from GuardDuty AND Inspector, Macie, Config, Firewall Manager, and third-party tools. Security Hub provides the unified dashboard, compliance scoring, and automated action triggers.
What is the delegated administrator pattern?
Instead of managing security services from the management account (which should have minimal workloads), you designate a Security Tooling account as delegated admin for GuardDuty, Security Hub, Inspector, and Macie. This account manages security across all org members without needing access to the management account.