AWS Security Services Architecture – GuardDuty, Security Hub, Inspector & Detective

AWS Security Services Architecture — Overview

AWS provides a layered security services ecosystem for threat detection, vulnerability management, investigation, and centralized security posture management. Understanding how GuardDuty, Security Hub, Inspector, Detective, and Macie work together is essential for SCS-C03 and frequently tested on SAP-C02.

AWS Security Services — Detection, Investigation & Response
── Detection Layer ──
GuardDuty
Threat detection
VPC Flow Logs
DNS Logs | CloudTrail
EKS/S3/Lambda/RDS
Runtime monitoring
Inspector
Vulnerability scanning
EC2 (CVEs, patches)
ECR images
Lambda functions
Software Bill of Materials
Macie
Data classification
PII/PHI discovery
S3 bucket scanning
Sensitive data alerts
Automated discovery
IAM Access Analyzer
External access detection
Policy validation
Unused access findings
Custom policy checks
Cross-account sharing
↓ Findings flow to ↓
── Aggregation & Posture ──
AWS Security Hub
Central dashboard | Aggregates all findings | Compliance checks (CIS, PCI-DSS, NIST)
Automated actions via EventBridge | Cross-account/cross-region aggregation
Detective
Investigation
Graph analysis
Visualize entity behavior
Root cause analysis
12-month history
EventBridge
Automated response
Finding → Lambda
Isolate instance
Revoke credentials
Create ticket
AWS Config
Compliance monitoring
Resource configuration
Rules + Remediation
Config history
Conformance packs

Service Comparison

Service What It Does Data Sources Output
GuardDuty Detects active threats and malicious behavior VPC Flow Logs, DNS, CloudTrail, S3, EKS, RDS, Lambda, Runtime Findings (cryptocurrency mining, port scanning, compromised creds, malware)
Inspector Finds software vulnerabilities (CVEs) EC2 instances (SSM Agent), ECR images, Lambda code Findings with CVE ID, severity, remediation (patch/update)
Macie Discovers sensitive data in S3 S3 bucket objects (scans content) Findings (PII, PHI, credentials, financial data locations)
IAM Access Analyzer Identifies overly permissive access IAM policies, resource policies, KMS grants, S3 buckets Findings (external/public access, unused permissions)
Security Hub Aggregates + prioritizes all security findings GuardDuty, Inspector, Macie, Config, Firewall Manager, 3rd party Unified dashboard, compliance scores, automated actions
Detective Investigates and visualizes security incidents GuardDuty findings, CloudTrail, VPC Flow Logs (12-month graph) Entity relationship graphs, behavior timelines, root cause
Config Monitors resource configuration compliance All AWS resource configurations (records changes) Compliance status, non-compliant resources, remediation actions

How They Work Together

  1. GuardDuty detects a compromised EC2 instance (cryptocurrency mining activity)
  2. Security Hub receives the finding, correlates with Inspector findings (unpatched CVE on same instance)
  3. EventBridge triggers automated response Lambda (isolates instance via Security Group change)
  4. Detective investigates — shows what the compromised instance communicated with, what IAM calls it made, timeline of suspicious behavior
  5. Config records the Security Group change for audit trail

Multi-Account Security Architecture

  • Delegated Administrator: Designate a Security Tooling account as delegated admin for GuardDuty, Security Hub, Inspector, Macie (not the management account)
  • Auto-enable: New member accounts automatically enrolled in all security services
  • Cross-region aggregation: Security Hub can aggregate findings from all regions into a single region
  • Centralized logging: All findings → Security Hub → EventBridge → S3 (Log Archive account) for SIEM integration

Automated Response Patterns

Finding Automated Response Services Used
Compromised EC2 instance Isolate via Security Group (deny all inbound/outbound) GuardDuty → EventBridge → Lambda → EC2 API
Compromised IAM credentials Disable access key + attach deny-all policy GuardDuty → EventBridge → Lambda → IAM API
Public S3 bucket detected Block public access (put bucket policy) Config Rule → SSM Automation → S3 API
Critical CVE found on EC2 Patch via SSM Patch Manager Inspector → EventBridge → SSM Run Command
PII found in S3 bucket Quarantine bucket + notify compliance team Macie → EventBridge → Lambda → S3/SNS

Exam Tips

Exam Key Points
SCS-C03 GuardDuty data sources (know all 8), Security Hub compliance standards (CIS, PCI, NIST), Detective for investigation, automated remediation with EventBridge+Lambda, delegated admin pattern, Macie for S3 PII, Config rules vs conformance packs
SAP-C02 Which service for which detection type, multi-account security architecture, centralized logging to Log Archive, automated response patterns, service selection based on requirements

AWS Certification Exam Practice Questions

Question 1:

A security team receives a GuardDuty finding that an EC2 instance is communicating with a known command-and-control (C2) server. They need to immediately contain the threat AND preserve forensic evidence. What should the automated response do?

  1. Terminate the instance immediately
  2. Change the Security Group to deny all traffic (isolate) but keep the instance running
  3. Take an AMI snapshot and then terminate the instance
  4. Remove the instance from its Auto Scaling Group
Show Answer

Answer: B — Isolating the instance by changing its Security Group to deny all inbound and outbound traffic immediately stops the C2 communication while preserving the instance for forensic investigation (memory dumps, disk analysis, process listing). Terminating would destroy evidence. The forensics team can later snapshot and investigate the isolated instance.

Question 2:

A company needs to ensure all EC2 instances across 50 accounts are scanned for software vulnerabilities (CVEs) automatically, with findings centralized in one place. Which architecture achieves this with LEAST operational overhead?

  1. Install vulnerability scanning agents on all EC2 instances manually
  2. Amazon Inspector with delegated admin in Security Tooling account, auto-enable for all org accounts, findings to Security Hub
  3. AWS Config rules checking for unpatched software
  4. GuardDuty Malware Protection scanning all instances
Show Answer

Answer: B — Inspector automatically discovers and scans EC2 instances (via SSM Agent, already installed on most AMIs), ECR images, and Lambda functions for CVEs. Delegated admin in the Security Tooling account auto-enables for all member accounts. Findings flow to Security Hub for centralized view. Zero manual agent installation — Inspector uses the existing SSM Agent.

Question 3:

A compliance team needs to verify that no S3 bucket in the organization contains unencrypted PII (Social Security numbers, credit card numbers). They need ongoing monitoring, not just a one-time scan. Which service provides this?

  1. AWS Config rule checking S3 encryption settings
  2. Amazon Macie with automated sensitive data discovery
  3. S3 access logging analysis with Athena
  4. GuardDuty S3 protection
Show Answer

Answer: B — Macie uses ML and pattern matching to scan S3 object CONTENTS for sensitive data (SSNs, credit cards, passwords, etc.). Automated discovery mode continuously scans new/modified objects. It reports exactly which objects contain PII and where. Config only checks bucket-level settings (encryption enabled), not content. GuardDuty detects threats, not data classification.

Question 4:

After GuardDuty detects suspicious API calls from an IAM user’s access keys, a security analyst needs to understand: what other resources did this user access in the last 30 days? What was their normal behavior pattern vs current anomaly? Which service provides this investigation capability?

  1. CloudTrail Lake with SQL queries
  2. Amazon Detective with entity behavior graphs
  3. Security Hub finding details
  4. CloudWatch Logs Insights
Show Answer

Answer: B — Detective builds behavior graphs from 12 months of data (CloudTrail, VPC Flow Logs, GuardDuty findings). It visualizes entity relationships and timelines, shows normal vs anomalous behavior patterns, and identifies what resources an entity accessed. You can pivot directly from a GuardDuty finding to Detective for investigation. CloudTrail Lake provides raw query capability but not behavioral analysis or visualization.

Question 5:

A company uses Security Hub with CIS AWS Foundations Benchmark. They want non-compliant findings to be automatically remediated (e.g., disable unused access keys, enable S3 encryption). What is the recommended automation architecture?

  1. Security Hub → SNS → manual review → manual fix
  2. Security Hub → EventBridge rules (filter by finding type) → SSM Automation documents (remediation)
  3. AWS Config auto-remediation rules for each check
  4. Lambda scheduled to scan Security Hub findings hourly and fix them
Show Answer

Answer: B — Security Hub sends findings to EventBridge in real-time. EventBridge rules filter by finding type (e.g., “CIS.1.4 – Access keys rotated”) and trigger SSM Automation documents that perform the remediation. This is event-driven, immediate, and scalable. Config auto-remediation (C) also works for Config-native rules but Security Hub aggregates findings from multiple sources beyond just Config.

Related Architecture Patterns

Related Posts

References

Frequently Asked Questions

What is the difference between GuardDuty and Inspector?

GuardDuty detects active threats and malicious behavior (someone attacking you NOW — C2 communication, brute force, cryptocurrency mining). Inspector finds vulnerabilities that COULD be exploited (unpatched CVEs, misconfigured software). GuardDuty = “you’re being attacked.” Inspector = “you’re vulnerable to attack.”

Do I need both Security Hub and GuardDuty?

Yes — they serve different roles. GuardDuty is a detection engine that generates findings. Security Hub is an aggregation and management platform that collects findings from GuardDuty AND Inspector, Macie, Config, Firewall Manager, and third-party tools. Security Hub provides the unified dashboard, compliance scoring, and automated action triggers.

What is the delegated administrator pattern?

Instead of managing security services from the management account (which should have minimal workloads), you designate a Security Tooling account as delegated admin for GuardDuty, Security Hub, Inspector, and Macie. This account manages security across all org members without needing access to the management account.

Posted in AWS

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.