Amazon GuardDuty

  • Amazon GuardDuty is a threat detection service that continuously monitors the AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
  • is a continuous security monitoring service that analyzes and processes the following foundational data sources:
    • CloudTrail management event logs,
    • CloudTrail S3 data event logs,
    • DNS logs,
    • EKS audit logs,
    • VPC flow logs,
    • Amazon EBS volume data, and
    • Runtime activity from container workloads (Amazon EKS, Amazon ECS including Fargate, and Amazon EC2 instances).
  • uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within the AWS environment.
  • combines machine learning, anomaly detection, network monitoring, and malicious file discovery, utilizing both AWS-developed and industry-leading third-party sources to help protect workloads and data on AWS.
  • uses artificial intelligence (AI), machine learning (ML), and anomaly detection using both AWS and industry-leading threat intelligence to help protect AWS accounts, workloads, and data.
  • is a Regional service and is recommended to be enabled in all supported AWS Regions. This helps generate findings of unauthorized or unusual activity even in Regions not actively used.
  • does not look at historical data, it monitors only the activity that starts after it is enabled.
  • operates completely independent of the AWS resources and therefore has no impact on the performance or availability of the accounts or workloads.
  • GuardDuty supports
    • Suppression rules allow very specific combinations of attributes to be defined to suppress findings; they support wildcards (* and ?) and filtering on any finding field.
    • Trusted Entity Lists (previously Trusted IP Lists) for highly secure communication with the AWS environment. Now supports both IP addresses and domain names. Findings are not generated based on trusted entity lists.
    • Threat Entity Lists (previously Threat Lists) for known malicious IP addresses and domain names. Findings are generated based on threat entity lists.
  • Security findings are retained and made available through the GuardDuty console and APIs for 90 days, after which they are discarded.
  • Findings are assigned a severity (Critical, High, Medium, Low), and actions can be automated by integrating with Security Hub, EventBridge, Lambda, and Step Functions.
  • Amazon Detective is also tightly integrated with GuardDuty which helps perform deeper forensic and root cause investigations.
  • GuardDuty supports AWS PrivateLink (VPC endpoints) for private connectivity without traversing the public internet.
  • offers a 30-day free trial. After the free trial ends, cost is based on the volume of data analyzed.

GuardDuty Protection Plans

  • GuardDuty offers multiple protection plans that can be independently enabled or disabled:
    1. Foundational GuardDuty – Core threat detection that cannot be disabled. Monitors CloudTrail management events, VPC Flow Logs, and DNS logs.
    2. S3 Protection – Monitors Amazon S3 data events for potential threats to data, such as data exfiltration and destruction.
    3. Runtime Monitoring – Monitors operating system-level events for EKS, ECS, and EC2 workloads using a GuardDuty security agent.
    4. EKS Audit Logs – Monitors Amazon EKS audit logs for potential threats to Kubernetes clusters.
    5. RDS Protection – Monitors RDS login activity for potential threats to databases. Supports Aurora MySQL, Aurora PostgreSQL (including Limitless Database), and RDS for PostgreSQL.
    6. Lambda Protection – Monitors Lambda function network activity for potential threats.
  • Each protection plan can be auto-enabled for new AWS Organizations accounts.
  • GuardDuty offers the flexibility to customize how new accounts inherit protection plans.

GuardDuty Extended Threat Detection

  • Introduced at AWS re:Invent 2024, Extended Threat Detection automatically detects multi-stage attacks that span data sources, multiple types of AWS resources, and time within an AWS account.
  • Uses sophisticated AI/ML algorithms trained at AWS scale to automatically correlate security signals and detect critical threats.
  • Enabled automatically for all GuardDuty accounts at no additional cost.
  • Correlates multiple events (called “Signals”) including API activities and GuardDuty findings to identify attack sequences.
  • Can detect weak signals that individually don’t present as clear threats but when combined reveal suspicious activity patterns.
  • Operates within a 24-hour rolling time window to detect in-progress or recent attacks.
  • All attack sequence findings are assigned Critical severity.
  • Attack sequence finding types include:
    • AttackSequence:S3/CompromisedData – Detects credential misuse leading to S3 data compromise.
    • AttackSequence:IAM/CompromisedCredentials – Detects multi-stage attacks using compromised IAM credentials.
    • AttackSequence:EKS/CompromisedCluster – Detects compromised EKS clusters (June 2025).
    • AttackSequence:EC2/CompromisedInstanceGroup – Detects compromised EC2 instance groups (December 2025).
    • AttackSequence:ECS/CompromisedCluster – Detects compromised ECS clusters (December 2025).
  • Enabling additional protection plans (S3 Protection, EKS Protection, Runtime Monitoring) widens the range of event sources and enables more comprehensive attack sequence detection.

GuardDuty Runtime Monitoring

  • Runtime Monitoring uses a lightweight GuardDuty security agent that adds visibility into runtime behavior including file access, process execution, command line arguments, and network connections.
  • Supports three resource types:
    • Amazon EKS – Uses an EKS add-on (aws-guardduty-agent) deployed on EKS clusters.
    • Amazon ECS (Fargate) – Monitors ECS workloads running on Fargate.
    • Amazon EC2 – Monitors EC2 instances using SSM-based agent deployment (GA March 2024).
  • Supports automated agent configuration that permits GuardDuty to install and manage the security agent automatically.
  • Supports inclusion/exclusion tags to control which resources get the security agent.
  • Detects threats such as crypto-mining, malicious file execution, suspicious shell creation, privilege escalation, reverse shells, and defense evasion techniques.
  • Supports Amazon EKS Auto Mode.

GuardDuty with Multiple Accounts

  • GuardDuty has multi-account management through AWS Organizations integration, which allows delegating an administrator account for the organization.
  • The delegated administrator (DA) account is a centralized account that consolidates all findings and can configure all member accounts.
  • Supports up to 50,000 member accounts through AWS Organizations (including up to 5,000 by invitation).
  • All security findings are aggregated to the administrator account for review and remediation.
  • EventBridge events are also aggregated to the administrator account.
  • Organization configuration allows auto-enabling GuardDuty and protection plans for ALL accounts, new accounts only, or no auto-enable.

GuardDuty Automated Remediation

  • GuardDuty security findings can be remediated automatically using EventBridge and AWS Lambda.
  • For example, a Lambda function can be created to modify security group rules based on security findings. For a GuardDuty finding indicating that one of your EC2 instances is being probed by a known malicious IP, an EventBridge rule can match the finding and invoke a Lambda function that automatically modifies the security group rules to restrict access on the probed port.
  • Findings are exported to Amazon S3 for long-term storage and analysis.
  • Integrates with AWS Security Incident Response for automated triage and investigation.
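The EventBridge-to-Lambda flow described above, as an added example that is not code from the original page or from AWS: a Python Lambda handler that parses a GuardDuty EC2 port-probe finding in its EventBridge event shape and revokes the from-anywhere (0.0.0.0/0) ingress rule for each probed port on the security groups attached to the probed instance. The EventBridge pattern, the sample finding, the instance and security group IDs, the source IP and the RecordingEC2 stand-in are all constructed for this example; the boto3 revoke_security_group_ingress call shape is the real one, and the EC2 client is injected so the logic can be run and checked without an AWS account.

```python
from __future__ import annotations
from typing import Any

# EventBridge rule pattern that selects EC2 port-probe findings for this Lambda
# (assumption: the rule's target is the handler below).
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "Recon:EC2/PortProbe"}]},
}
WORLD_CIDR = "0.0.0.0/0"


def probed_ports(detail: dict) -> set[int]:
    """Local ports listed in the finding's PORT_PROBE action (empty for other actions)."""
    action = detail.get("service", {}).get("action", {})
    if action.get("actionType") != "PORT_PROBE":
        return set()
    probes = action.get("portProbeAction", {}).get("portProbeDetails", [])
    return {int(p["localPortDetails"]["port"]) for p in probes if "localPortDetails" in p}


def attached_security_groups(detail: dict) -> set[str]:
    """Security group IDs on every network interface of the probed instance."""
    instance = detail.get("resource", {}).get("instanceDetails", {})
    return {sg["groupId"]
            for eni in instance.get("networkInterfaces", [])
            for sg in eni.get("securityGroups", [])}


def plan_remediation(event: dict) -> list[tuple[str, int]]:
    """(security_group_id, port) pairs whose from-anywhere ingress should be revoked.
    Non-instance findings and non-probe actions yield an empty plan, so the
    Lambda is a safe no-op if the rule ever forwards something unexpected."""
    detail = event.get("detail", {})
    if detail.get("resource", {}).get("resourceType") != "Instance":
        return []
    return [(sg, port)
            for sg in sorted(attached_security_groups(detail))
            for port in sorted(probed_ports(detail))]


def revoke_world_ingress(ec2: Any, group_id: str, port: int) -> None:
    """Remove the tcp/<port> 0.0.0.0/0 rule using the boto3 EC2 call shape."""
    ec2.revoke_security_group_ingress(
        GroupId=group_id,
        IpPermissions=[{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                        "IpRanges": [{"CidrIp": WORLD_CIDR}]}],
    )


def handler(event: dict, context: Any = None, ec2: Any = None) -> dict:
    """Lambda entry point; `ec2` is injectable so the logic can run offline."""
    if ec2 is None:  # inside Lambda boto3 is available; created lazily so the demo needs no AWS
        import boto3
        ec2 = boto3.client("ec2")
    plan = plan_remediation(event)
    for group_id, port in plan:
        revoke_world_ingress(ec2, group_id, port)
    return {"finding": event.get("detail", {}).get("type"), "revoked": plan}


# Constructed sample finding in the GuardDuty EventBridge shape; IDs and IPs are placeholders.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0123456789abcdef0",
                "networkInterfaces": [{"securityGroups": [{"groupId": "sg-0123456789abcdef0"}]}],
            },
        },
        "service": {"action": {
            "actionType": "PORT_PROBE",
            "portProbeAction": {"portProbeDetails": [
                {"localPortDetails": {"port": 22, "portName": "SSH"},
                 "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}},
                {"localPortDetails": {"port": 3389, "portName": "RDP"},
                 "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}},
            ]},
        }},
    },
}


class RecordingEC2:
    """Stand-in for the boto3 EC2 client that records revoke calls instead of making them."""
    def __init__(self) -> None:
        self.calls: list[dict] = []

    def revoke_security_group_ingress(self, **kwargs: Any) -> dict:
        self.calls.append(kwargs)
        return {"Return": True}


if __name__ == "__main__":
    fake = RecordingEC2()
    print(handler(SAMPLE_EVENT, ec2=fake))   # revokes tcp/22 and tcp/3389 from-anywhere on the one SG
    print(fake.calls)
```

Revoking the world-open rule is one reading of "restrict access on that port"; a network ACL deny for the probing source IP is the other common choice and can be built the same way from the remoteIpDetails field. In a real deployment the function's IAM role should be limited to ec2:RevokeSecurityGroupIngress on the groups it is meant to touch, and the returned plan should be logged so the change is auditable alongside the finding.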

GuardDuty Malware Protection

  • GuardDuty Malware Protection includes three capabilities:

Malware Protection for EC2

  • Scans EBS volumes attached to EC2 instances and container workloads for malware.
  • Creates a replica EBS volume from a snapshot and scans it for trojans, worms, crypto miners, rootkits, bots, and more.
  • Supports two scan types:
    • GuardDuty-initiated – Automatically triggered when certain GuardDuty findings are generated.
    • On-demand – Manually initiated by providing the EC2 instance ARN.
  • Supports scanning EBS volumes up to 2048 GB.
  • Supports scanning EBS volumes encrypted with AWS managed keys.
  • Supports Amazon EKS Auto Mode managed instances.

Malware Protection for S3

  • Launched June 2024, provides built-in malware scanning for objects uploaded to designated S3 buckets.
  • Automatically scans newly uploaded objects using multiple AWS-developed and industry-leading third-party malware scanning engines.
  • Supports on-demand scanning of existing S3 objects via the SendObjectMalwareScan API (November 2025).
  • Supports scanning objects up to 100 GB (increased from 5 GB in July 2025).
  • Publishes scan results to EventBridge for downstream workflows (e.g., quarantine to a separate bucket).
  • Can add tags to scanned objects indicating scan status.
  • GuardDuty automatically updates malware signatures every 15 minutes.

Malware Protection for AWS Backup

  • Launched November 2025, detects the potential presence of malware in backup resources.
  • Scans AWS Backup-protected resources including Amazon EBS snapshots, EC2 AMIs, and Amazon S3 Recovery Points.
  • Supports full and incremental scans.
  • Helps identify the last known clean backup for recovery.
  • Can automate malware scanning across the entire organization.

GuardDuty AI Workload Protection

  • Launched August 2024, GuardDuty foundational threat detection and Lambda Protection help detect threats to AI workloads built on AWS.
  • Detects when Amazon Bedrock model invocation logging is disabled (DefenseEvasion:IAMUser/BedrockLoggingDisabled finding type, November 2025).
  • Monitors for unauthorized access to AI/ML resources and data exfiltration attempts.

GuardDuty Custom Threat Detection

  • GuardDuty introduced custom Entity Lists (August 2025) that support both IP addresses and domain names for custom threat detection.
  • Replaces the legacy IP-only threat lists with more comprehensive entity-based lists.
  • Supports:
    • Trusted Entity Lists – IP addresses and domain names to suppress findings.
    • Threat Entity Lists – Known malicious IP addresses and domain names to generate findings.
  • Only the GuardDuty administrator account can manage entity lists; settings apply automatically to member accounts.
  • GuardDuty recommends using entity lists over the legacy IP address lists.

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. Which AWS service makes detecting and reporting unexpected and potentially malicious activity in your AWS environment easy?
    1. AWS Shield
    2. AWS Inspector
    3. AWS GuardDuty
    4. AWS WAF
  2. A company needs to detect multi-stage attacks that span multiple AWS services and resources over time. Which GuardDuty capability should they rely on?
    1. GuardDuty Malware Protection
    2. GuardDuty Runtime Monitoring
    3. GuardDuty Extended Threat Detection
    4. GuardDuty RDS Protection
  3. Which GuardDuty protection plan monitors operating system-level events on container and EC2 workloads? (Select TWO)
    1. Runtime Monitoring
    2. S3 Protection
    3. Lambda Protection
    4. EKS Audit Logs
    5. Malware Protection for EC2
  4. A company wants to scan S3 objects for malware when they are uploaded to a bucket. Which GuardDuty feature should they enable?
    1. GuardDuty Malware Protection for EC2
    2. GuardDuty Malware Protection for S3
    3. GuardDuty S3 Protection
    4. GuardDuty Extended Threat Detection
  5. What severity level do GuardDuty Extended Threat Detection attack sequence findings receive?
    1. High
    2. Critical
    3. Medium
    4. Varies based on the attack type
  6. A security team wants to add their own threat intelligence containing both malicious domains and IP addresses to GuardDuty. What should they use?
    1. Trusted IP Lists
    2. Threat Entity Lists
    3. Suppression Rules
    4. Custom Finding Types

References

AWS Security Services Cheat Sheet

AWS Identity and Security Services

AWS IAM Identity Center (Successor to AWS SSO)

  • is a centralized workforce identity management service that provides single sign-on (SSO) access to multiple AWS accounts and business applications.
  • was renamed from AWS Single Sign-On (AWS SSO) in July 2022.
  • enables administrators to define, customize, and assign fine-grained access across AWS accounts and applications.
  • provides workforce users a portal to access AWS accounts and cloud applications assigned to them.
  • supports integration with external identity providers (IdPs) like Microsoft Active Directory, Okta, and Azure AD.
  • simplifies multi-account access management through AWS Organizations integration.
  • provides temporary credentials instead of long-term IAM user credentials.
  • supports attribute-based access control (ABAC) for fine-grained permissions.

Key Management Service – KMS

  • is a managed encryption service that allows the creation and control of encryption keys to enable data encryption.
  • provides a highly available key storage, management, and auditing solution to encrypt the data across AWS services & within applications.
  • uses hardware security modules (HSMs) that are FIPS 140-3 Security Level 3 certified (upgraded from FIPS 140-2 in May 2023).
  • seamlessly integrates with several AWS services to make encrypting data in those services easy.
  • supports multi-region keys, which are AWS KMS keys in different AWS Regions. Multi-Region keys are not global and each multi-region key needs to be replicated and managed independently.
  • supports External Key Store (XKS) capability (November 2022) allowing customers to store and control encryption keys on-premises or outside AWS cloud while using AWS KMS.
  • provides three key store options: Default KMS key store, CloudHSM custom key store, and External key store (XKS).
  • supports on-demand key rotation (April 2024) allowing immediate rotation of symmetric encryption keys without waiting for automatic rotation schedules, with a maximum of 10 on-demand rotations per key.
  • offers flexible automatic rotation periods (90 days to 2560 days) instead of the previous fixed annual rotation.
  • supports post-quantum cryptography:
    • ML-KEM hybrid post-quantum key exchange for TLS connections to KMS endpoints, protecting against “harvest now, decrypt later” attacks.
    • ML-DSA (FIPS 204) post-quantum digital signatures (June 2025) for quantum-resistant signing operations within FIPS 140-3 Level 3 certified HSMs.

CloudHSM

  • provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud.
  • helps manage your own encryption keys using FIPS 140-3 Level 3 validated HSMs (upgraded from FIPS 140-2).
  • is a single-tenant, dedicated physical device to securely generate, store, and manage cryptographic keys used for data encryption.
  • is inside the VPC (not EC2-Classic) & isolated from the rest of the network.
  • can use VPC peering to connect to CloudHSM from multiple VPCs.
  • is integrated with Amazon Redshift and Amazon RDS for Oracle.
  • EBS volume encryption, S3 object encryption and key management can be done with CloudHSM but require custom application scripting.
  • is NOT fault-tolerant on its own; a cluster needs to be built, because if a single HSM fails all the keys on it are lost.
  • enables quick scaling by adding and removing HSM capacity on-demand, with no up-front costs.
  • automatically load balances requests and securely duplicates keys stored in any HSM to all of the other HSMs in the cluster.
  • launched hsm2m.medium instance type (August 2024) with FIPS 140-3 Level 3 certification, increased key storage (16,666 keys), higher elliptic curve performance, mTLS support, and non-FIPS cluster mode option.
  • deprecated hsm1.medium instance type — no new hsm1 clusters can be created as of April 2025; customers must migrate to hsm2m.medium.
  • is expensive; prefer AWS Key Management Service (KMS) if cost is a criterion.

AWS Payment Cryptography

  • is a managed service for payment processing cryptographic operations (launched June 2023).
  • provides payment-specific HSMs that replace on-premises payment hardware security modules.
  • helps meet PCI (Payment Card Industry) security requirements and compliance needs.
  • supports cryptographic operations like PIN generation, validation, and credit/debit card security code processing.
  • manages underlying physical HSM infrastructure and key management automatically.
  • integrates with AWS IAM for authorization and AWS CloudTrail for auditing.
  • enables payment processing workloads to move to the cloud securely.
  • provides elastic scaling for payment cryptography operations.

AWS Private Certificate Authority (Private CA)

  • is a managed private certificate authority service for issuing and managing private SSL/TLS certificates.
  • removes upfront investment and ongoing maintenance costs of operating your own private CA.
  • supports two operating modes: General-purpose mode (certificates with any validity period) and Short-lived certificate mode (certificates valid up to 7 days, launched February 2023).
  • integrates with AWS Certificate Manager (ACM) for automated certificate provisioning and renewal.
  • supports Private CA Connector for Active Directory (September 2023) enabling AWS Private CA as drop-in replacement for self-managed enterprise CAs without local agents.
  • supports post-quantum ML-DSA digital certificates (November 2025) for transitioning PKI toward post-quantum cryptography.
  • provides audit and compliance support through AWS CloudTrail integration.
  • enables certificate-based authentication for services like Amazon WorkSpaces.

AWS WAF

  • is a web application firewall that helps monitor the HTTP/HTTPS traffic and allows controlling access to the content.
  • helps protect web applications from attacks by allowing configuration of rules that allow, block, or monitor (count) web requests based on defined conditions. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.
  • helps define Web ACLs, where a Web ACL is a combination of Rules and each Rule is a combination of Conditions and an Action to block or allow.
  • integrated with CloudFront, Application Load Balancer (ALB), API Gateway, Amazon Cognito, AWS App Runner, and AWS Verified Access.
  • supports custom origins outside of AWS, when integrated with CloudFront.
  • provides AWS WAF Fraud Control with three capabilities:
    • Account Takeover Prevention (ATP) – Protects login pages against credential stuffing attacks
    • Account Creation Fraud Prevention (ACFP) – Detects and blocks automated bot-based account creation
    • Bot Control – Detects and controls common bots and targeted bots with a catalog of 650+ unique bots including AI crawlers, AI data collectors, AI assistants, and LLM training crawlers
  • supports Challenge and CAPTCHA actions for bot mitigation.
  • provides AI Activity Dashboard (February 2026) for visibility into AI bot and agent traffic patterns.
  • launched AI Traffic Monetization (June 2026), a Bot Control capability that lets content providers price, meter, and collect payment from AI bots and agents accessing their content and APIs via HTTP 402 Payment Required responses.
  • AWS WAF Classic reached end of support on September 30, 2025. All customers must use AWS WAF (v2).

AWS Verified Access

  • provides VPN-less, secure access to corporate applications (GA April 2023).
  • implements Zero Trust security model for application access without traditional VPN.
  • validates each application request against identity and device security requirements before granting access.
  • integrates with identity providers (IdPs) and device management systems for authentication and authorization.
  • uses Cedar policy language for fine-grained access control policies.
  • supports AWS WAF integration for additional web application protection.
  • provides signed identity context to end applications for additional security.
  • simplifies remote access management and improves user experience compared to VPN.
  • eliminates VPN infrastructure management overhead.

Amazon Verified Permissions

  • is a fully managed fine-grained authorization service for custom applications (GA June 2023).
  • uses Cedar, an open-source policy language released May 2023, for defining authorization policies.
  • enables developers to externalize authorization logic from application code.
  • provides centralized policy management and administration.
  • offers millisecond-latency authorization decisions with provably correct results.
  • supports policy validation using automated reasoning to prevent misconfigurations.
  • integrates with identity providers for user and group information.
  • enables fine-grained permissions based on user attributes, resource attributes, and context.
  • provides policy versioning and audit capabilities.
  • follows “explicit permit” and “forbid overrides permit” principles.
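The decision rule in the last bullet, worked through in code as an added example that is not code from the original page or from AWS. It is a small Python evaluator, not Cedar itself: each policy carries an effect ("permit" or "forbid") and a match function standing in for Cedar's principal/action/resource/when clauses, and authorize() combines matching policies exactly as stated on the page: no matching policy means deny, a matching permit means allow, and any matching forbid overrides every permit. The entity names, policy IDs and the MFA context attribute are constructed; the returned dict only loosely mirrors the decision and determining-policies fields of a Verified Permissions authorization response.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Request:
    principal: str                        # e.g. "User::alice" (constructed entity names)
    action: str                           # e.g. "Action::edit"
    resource: str                         # e.g. "Document::design-doc"
    context: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Policy:
    policy_id: str
    effect: str                           # "permit" or "forbid"
    applies: Callable[[Request], bool]    # stands in for the policy's scope and when clauses


def authorize(policies: list[Policy], req: Request) -> dict:
    """Default deny; explicit permit allows; any matching forbid overrides permit.
    Returns the decision and the IDs of the policies that determined it."""
    matched = [p for p in policies if p.applies(req)]
    forbids = [p.policy_id for p in matched if p.effect == "forbid"]
    permits = [p.policy_id for p in matched if p.effect == "permit"]
    if forbids:                           # forbid overrides permit
        return {"decision": "DENY", "determiningPolicies": forbids}
    if permits:                           # explicit permit
        return {"decision": "ALLOW", "determiningPolicies": permits}
    return {"decision": "DENY", "determiningPolicies": []}   # nothing matched: implicit deny


# Constructed policy set for a hypothetical document application.
EDITORS = {"User::alice", "User::bob"}
POLICIES = [
    Policy("permit-editors-edit", "permit",
           lambda r: r.principal in EDITORS and r.action == "Action::edit"
           and r.resource.startswith("Document::")),
    Policy("permit-everyone-view", "permit",
           lambda r: r.action == "Action::view" and r.resource.startswith("Document::")),
    # A forbid that applies regardless of who the principal is: edits need MFA in the request context.
    Policy("forbid-edit-without-mfa", "forbid",
           lambda r: r.action == "Action::edit" and not r.context.get("mfa_authenticated", False)),
]


if __name__ == "__main__":
    doc = "Document::design-doc"
    print(authorize(POLICIES, Request("User::alice", "Action::edit", doc, {"mfa_authenticated": True})))
    print(authorize(POLICIES, Request("User::alice", "Action::edit", doc, {"mfa_authenticated": False})))
    print(authorize(POLICIES, Request("User::carol", "Action::edit", doc, {"mfa_authenticated": True})))
    print(authorize(POLICIES, Request("User::carol", "Action::view", doc)))
```

The three edit requests show the three outcomes: an editor with MFA is allowed by the permit, the same editor without MFA is denied because the forbid wins over the permit, and a non-editor is denied because nothing matched. Keeping the forbid separate from the permit is what makes the MFA requirement hard to bypass: adding a new permit later cannot reopen the path.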

AWS Secrets Manager

  • helps protect secrets needed to access applications, services, and IT resources.
  • enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
  • secure secrets by encrypting them with encryption keys managed using AWS KMS.
  • offers native secret rotation with built-in integration for RDS, Redshift, and DocumentDB.
  • supports Lambda functions to extend secret rotation to other types of secrets, including API keys and OAuth tokens.
  • supports IAM and resource-based policies for fine-grained access control to secrets and centralized secret rotation audit for resources in the AWS Cloud, third-party services, and on-premises.
  • enables secret replication in multiple AWS regions to support multi-region applications and disaster recovery scenarios, automatically keeping replicas in sync including rotation.
  • launched Managed External Secrets (November 2025) — a new secret type enabling automatic rotation for third-party SaaS credentials (Salesforce, MongoDB Atlas, Confluent Cloud, Datadog, Snowflake) without custom Lambda rotation functions.
  • supports hybrid post-quantum TLS (ML-KEM) for protecting secrets against future quantum computing threats (April 2026).
  • supports private access using VPC Interface endpoints.

AWS Shield

  • is a managed service that provides protection against Distributed Denial of Service (DDoS) attacks for applications running on AWS.
  • provides protection for all AWS customers against common and most frequently occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks, and others to support high availability of applications on AWS.
  • provides AWS Shield Advanced with additional protections against more sophisticated and larger attacks for applications running on EC2, ELB, CloudFront, AWS Global Accelerator, and Route 53.
  • Shield Advanced provides 24/7 access to AWS Shield Response Team (SRT) and cost protection against DDoS-related spikes.
  • AWS Shield Network Security Director (preview) performs analysis of resources to visualize network topology, identify configuration issues, and provide actionable remediation recommendations.

AWS GuardDuty

  • offers threat detection that enables continuous monitoring and protects the AWS accounts and workloads.
  • is a Regional service.
  • analyzes continuous streams of meta-data generated from AWS accounts and network activity found in AWS CloudTrail Events, EKS audit logs, VPC Flow Logs, and DNS Logs.
  • uses integrated threat intelligence.
  • combines machine learning, anomaly detection, network monitoring, and malicious file discovery, utilizing both AWS-developed and industry-leading third-party sources to help protect workloads and data on AWS
  • supports suppression rules, trusted IP lists, and threat lists. Now supports custom entity lists (September 2025) with domain-based threat intelligence in addition to IP-based lists.
  • provides Malware Protection to detect malicious files on EBS volumes and S3 objects (on-demand scanning API).
  • provides EKS Runtime Monitoring using fully managed EKS add-on for visibility into container runtime activities (file access, process execution, network connections).
  • provides RDS Protection for profiling and monitoring access activity to Amazon Aurora databases.
  • provides Lambda Protection for monitoring AWS Lambda function invocations and runtime behavior.
  • can identify specific containers within EKS clusters that are potentially compromised and detect privilege escalation attempts.
  • launched Extended Threat Detection (December 2024) — AI/ML-powered attack sequence identification that detects multi-stage attacks spanning multiple AWS data sources and resources, including EC2 instances and ECS clusters on Fargate.
  • offers flexible protection plan configuration — new accounts can inherit protection plans automatically, and plans can be enabled/disabled independently.
  • operates completely independently from the resources so there is no risk of performance or availability impacts on the workloads.

Amazon Inspector

  • is a vulnerability management service that continuously scans the AWS workloads for vulnerabilities
  • automatically discovers and scans EC2 instances and container images residing in Elastic Container Registry (ECR) for software vulnerabilities and unintended network exposure.
  • supports AWS Lambda function scanning for vulnerabilities in application code and dependencies.
  • provides CI/CD integration with open-source plugins for Jenkins, TeamCity, and other CI/CD tools to scan container images at build time.
  • provides code security capabilities including static application security testing (SAST), software composition analysis (SCA), and infrastructure as code (IaC) scanning via SCM tool connections.
  • supports agentless EC2 scanning (March 2026) with expanded detection coverage including Windows OS vulnerability scanning without requiring an agent.
  • launched Inspector VM Scanner (May 2026) for improved agent-based scanning with more granular package collection and reduced CPU utilization on EC2 instances.
  • creates a finding, when a software vulnerability or network issue is discovered, that describes the vulnerability, rates its severity, identifies the affected resource, and provides remediation guidance.
  • is a Regional service.
  • Amazon Inspector Classic reached end of support on May 20, 2026. All customers must use Amazon Inspector (v2).

Amazon Security Lake

  • is a fully managed security data lake service (GA November 2023).
  • automatically centralizes security data from AWS environments, SaaS providers, on-premises, and cloud sources into a purpose-built data lake.
  • normalizes security data into the Open Cybersecurity Schema Framework (OCSF) standard format.
  • aggregates data from AWS services like CloudTrail, VPC Flow Logs, Route 53 logs, and third-party sources.
  • enables comprehensive security data analysis across entire organization.
  • automatically collects data for existing and new accounts with multi-account support.
  • stores security data in customer’s own AWS account for data ownership and control.
  • integrates with analytics tools like Amazon Athena, Amazon OpenSearch, and third-party SIEM solutions.
  • supports cross-region data aggregation for centralized security monitoring.
  • pricing based on data ingestion volume and normalization (no charge for third-party or custom data).

Amazon Detective

  • helps analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
  • automatically collects log data from the AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data to easily conduct faster and more efficient security investigations.
  • enables customers to view summaries and analytical data associated with CloudTrail logs, EKS audit logs, VPC Flow Logs.
  • provides finding groups that let you examine multiple activities related to a potential security event, analyze root cause for high severity GuardDuty findings, and visualize entity connections.
  • provides detailed summaries, analysis, and visualizations of the behaviors and interactions amongst your AWS accounts, EC2 instances, AWS users, roles, and IP addresses.
  • supports automated investigation of IAM users and roles for indicators of compromise (IoC).
  • maintains up to a year of aggregated data.
  • is a Regional service and needs to be enabled on a region-by-region basis.
  • is a multi-account service that aggregates data from monitored member accounts under a single administrative account within the same region.
  • integrates with Amazon Security Lake for lateral movement investigations.
  • has no impact on the performance or availability of the AWS infrastructure since it retrieves the log data and findings directly from the AWS services.

AWS Security Hub

  • is a unified cloud security solution that prioritizes critical security issues and helps respond at scale to protect cloud environments.
  • was completely re-imagined at re:Invent 2025 — now unifies AWS security services including Amazon GuardDuty, Amazon Inspector, and Amazon Macie into a single experience.
  • provides near real-time risk analytics (GA December 2025) with automated correlation, enrichment, and prioritization of security signals from multiple sources.
  • collects security data from across AWS accounts, services, and supported third-party partner products.
  • is Regional but supports cross-region aggregation of findings.
  • automatically runs continuous, account-level configuration and security checks based on AWS best practices and industry standards including CIS Foundations, PCI DSS, and NIST frameworks.
  • detects unused IAM permissions, roles, and credentials (May 2026) across the AWS organization for identity risk reduction.
  • offers Security Hub Extended plan (2026) providing full-stack enterprise security with 21+ curated partner solutions across 9 security categories (endpoint, identity, email, network, data, browser, cloud, AI, security operations).
  • supports integration with Amazon EventBridge for custom actions and automated remediation.
  • has multi-account management through AWS Organizations integration, which allows delegating an administrator account for the organization.
  • works with AWS Config to perform most of its security checks for controls.

AWS Macie

  • Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.
  • provides an inventory of the S3 buckets and automatically evaluates and monitors the buckets for security and access control.
  • automates the discovery, classification, and reporting of sensitive data.
  • supports automated sensitive data discovery that continuously samples and analyzes S3 objects, builds an interactive data map, and provides a sensitivity score for each bucket.
  • generates a finding for you to review and remediate as necessary if it detects a potential issue with the security or privacy of the data, such as a bucket that becomes publicly accessible.
  • can analyze objects encrypted with dual-layer server-side encryption (DSSE-KMS).
  • provides multi-account support using AWS Organizations to enable Macie across all of the accounts.
  • is a Regional service that must be enabled Region by Region; findings can be viewed across all the accounts within each Region.
  • supports VPC Interface Endpoints to access Macie privately from a VPC without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

AWS Artifact

  • is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS’ compliance documentation and agreements.
  • provides AWS Artifact Reports for downloading AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI) reports, and System and Organization Control (SOC) reports.
  • supports listCustomerAgreements API (November 2024) for programmatic tracking of active agreements across accounts.
  • provides SOC reports in machine-readable OSCAL format in addition to PDF.

AWS Security Services – Practice Questions

  1. A company needs to manage encryption keys with FIPS 140-3 Level 3 compliance and wants AWS to handle the infrastructure. Which service should they use?
    • A. AWS CloudHSM
    • B. AWS KMS ✓
    • C. AWS Secrets Manager
    • D. AWS Certificate Manager
  2. A financial institution needs to process payment card transactions in the cloud while meeting PCI compliance requirements. Which service should they use?
    • A. AWS CloudHSM
    • B. AWS KMS
    • C. AWS Payment Cryptography ✓
    • D. AWS Private CA
  3. A company wants to provide secure access to corporate applications without using VPN. Which service implements Zero Trust access?
    • A. AWS Client VPN
    • B. AWS Verified Access ✓
    • C. AWS Direct Connect
    • D. AWS PrivateLink
  4. A development team needs to externalize authorization logic from their application and use fine-grained permissions. Which service should they use?
    • A. AWS IAM
    • B. Amazon Cognito
    • C. Amazon Verified Permissions ✓
    • D. AWS IAM Identity Center
  5. A company needs to centralize security data from multiple AWS accounts and third-party sources for analysis. Which service should they use?
    • A. AWS Security Hub
    • B. Amazon Security Lake ✓
    • C. Amazon Detective
    • D. AWS CloudTrail
  6. Which AWS service uses AI/ML to detect multi-stage attack sequences spanning multiple data sources and resources?
    • A. Amazon Inspector
    • B. AWS Security Hub
    • C. Amazon GuardDuty Extended Threat Detection ✓
    • D. Amazon Detective
  7. A company wants to scan EC2 instances for vulnerabilities without installing any agent. Which capability supports this?
    • A. AWS Config Rules
    • B. Amazon Inspector agentless scanning ✓
    • C. AWS Security Hub
    • D. Amazon GuardDuty
  8. Which AWS WAF capability allows content providers to charge AI bots for accessing their content?
    • A. AWS WAF Fraud Control
    • B. AWS WAF Bot Control
    • C. AWS WAF AI Traffic Monetization ✓
    • D. AWS Shield Advanced
  9. A company needs to automatically rotate third-party SaaS credentials without writing custom Lambda functions. Which feature supports this?
    • A. AWS Secrets Manager Managed External Secrets ✓
    • B. AWS Systems Manager Parameter Store
    • C. AWS KMS automatic rotation
    • D. AWS Config
  10. A security team wants a unified view that correlates findings from GuardDuty, Inspector, and Macie with near real-time risk analytics. Which service provides this?
    • A. Amazon Detective
    • B. Amazon Security Lake
    • C. AWS Security Hub ✓
    • D. AWS CloudTrail Lake
  11. An organization needs to protect their KMS encryption keys against future quantum computing threats. Which KMS feature should they use?
    • A. External Key Store (XKS)
    • B. Multi-Region keys
    • C. ML-KEM hybrid post-quantum TLS ✓
    • D. On-demand key rotation
  12. Which service was renamed from AWS Single Sign-On (SSO) in July 2022?
    • A. AWS IAM
    • B. Amazon Cognito
    • C. AWS IAM Identity Center ✓
    • D. AWS Directory Service

AWS Identity & Security Services Cheat Sheet

AWS Identity and Security Services

📌 Last Updated: June 2026 — Includes AWS Security Hub reimagined (re:Invent 2025), AWS Security Agent (GA March 2026), mandatory MFA enforcement for all root users, GuardDuty Extended Threat Detection, and IAM Identity Center multi-Region replication.

AWS Identity & Security Services Overview

AWS Security, Identity, and Compliance services provide a comprehensive set of tools to help protect data, accounts, and workloads. These services are organized into the following categories:

Identity and Access Management

  • AWS Identity and Access Management (IAM) – Securely manage access to AWS services and resources using users, groups, roles, and policies
  • AWS IAM Identity Center (formerly AWS SSO) – Centrally manage SSO access to multiple AWS accounts and business applications
    • Now supports multi-Region replication (Feb 2026) for high availability
    • Supports IPv6 dual-stack endpoints
  • Amazon Cognito – Customer identity and access management (CIAM) for web and mobile apps
    • Now supports passwordless authentication with passkeys (FIDO2/WebAuthn), email OTP, and SMS OTP (Nov 2024)
    • New feature tiers: Essentials and Plus (Nov 2024)
    • Managed Login for pre-built authentication UIs
  • Amazon Verified Permissions – Scalable, fine-grained authorization using Cedar policy language for custom applications
  • AWS Resource Access Manager (RAM) – Securely share AWS resources across accounts and within AWS Organizations
  • AWS Directory Service – Managed Microsoft Active Directory in the AWS Cloud

Detection and Response

  • Amazon GuardDuty – Intelligent threat detection that continuously monitors for malicious activity
    • Extended Threat Detection (re:Invent 2024) – AI/ML-powered attack sequence identification across multiple data sources
    • Now covers EC2, ECS, EKS, S3, and IAM attack sequences
    • Custom entity lists for domain-based threat intelligence (Sept 2025)
  • Amazon Detective – Analyze, investigate, and identify root cause of security findings using ML and graph theory
  • Amazon Inspector – Automated vulnerability management for EC2 instances and container images in ECR
  • AWS Security Hub – Cloud security posture management (CSPM) and unified security operations
    • Reimagined at re:Invent 2025 – Unifies GuardDuty, Inspector, and other services into a single experience
    • Near real-time analytics and risk prioritization (GA Dec 2025)
    • Extended Plan (GA Feb 2026) – Full-stack enterprise security with 21 curated partner solutions across 9 categories
    • Expanding to multicloud environments
  • AWS Security Agent (GA March 2026) – AI-powered frontier agent for proactive application security
    • Automated security reviews tailored to organizational requirements
    • On-demand context-aware penetration testing
    • Full repository code scanning (Preview May 2026)
    • Operates like a human penetration tester – identifies, exploits, and validates vulnerabilities

Data Protection

Network and Application Protection

  • AWS WAF – Web application firewall to protect against common web exploits and bots
  • AWS Shield – Managed DDoS protection (Standard and Advanced tiers)
  • AWS Network Firewall – Managed network firewall for VPC with stateful inspection and IPS
  • AWS Firewall Manager – Centrally configure and manage firewall rules across accounts in AWS Organizations

Security Data Management and Compliance

  • Amazon Security Lake – Centralize security data from AWS, SaaS, and on-premises sources using the OCSF standard
    • Achieved FedRAMP High and Moderate authorization (April 2025)
  • AWS Audit Manager – Continuously audit AWS usage for risk and compliance assessment
  • AWS Artifact – On-demand access to AWS security and compliance reports

Key Updates (2024-2026)

  • MFA Enforcement (2024-2025) – AWS now mandates MFA for all root users across all account types. Prevents over 99% of password-related attacks.
  • AWS Security Hub Reimagined (re:Invent 2025) – Completely redesigned to unify security services into a single experience with near real-time analytics and AI-driven risk prioritization.
  • AWS Security Agent (GA March 2026) – First AI-powered frontier agent for autonomous application security testing and code scanning.
  • GuardDuty Extended Threat Detection (re:Invent 2024) – AI/ML attack sequence identification now covers EC2, ECS, EKS workloads.
  • IAM Identity Center Multi-Region (Feb 2026) – Replicate identity center configuration across multiple AWS Regions for high availability.
  • Amazon Cognito Passwordless (Nov 2024) – Native passkey support with FIDO2/WebAuthn, email OTP, and SMS OTP authentication.
  • Centralized Root Access Management (Nov 2024) – Centrally manage root credentials and perform privileged tasks across AWS Organizations member accounts.
  • Agentic AI Security Framework (2025) – New Agentic AI Security Scoping Matrix for securing autonomous AI systems.

AWS Certification Relevance

  • Solutions Architect (Associate/Professional) – IAM, VPC security, encryption, Security Hub, GuardDuty
  • Security Specialty – All services in depth, including Security Lake, Detective, Macie, Inspector
  • SysOps Administrator – Security Hub, Config, GuardDuty, IAM best practices
  • Developer Associate – Cognito, IAM roles, KMS, Secrets Manager
  • DevOps Professional – Security automation, Inspector, Security Hub integrations