
AWS Security Services Landscape

Build a mental map of AWS security services: GuardDuty, Inspector, Macie, Security Hub, Detective, and Firewall Manager — and know which one to pick for each scenario.

15 min
Introductory

The problem: too many security services

AWS offers a rich set of security services, and they can blur together. This lesson gives you a clear mental model: "If I need X, I use Y."

We will cover six services that frequently appear on the Cloud Practitioner exam:

  1. GuardDuty — threat detection
  2. Inspector — vulnerability scanning
  3. Macie — sensitive data discovery
  4. Security Hub — centralized findings
  5. Detective — investigation and visualization
  6. Firewall Manager — centralized WAF/Shield management

GuardDuty — threat detection

What it does: Continuously monitors your AWS environment for malicious activity and unauthorized behavior.

How it works: Analyzes multiple data sources:

  • CloudTrail management and data events
  • VPC Flow Logs
  • DNS query logs

GuardDuty uses threat intelligence feeds and machine learning to identify threats like:

  • Compromised EC2 instances communicating with known bad IPs
  • Unusual API call patterns suggesting stolen credentials
  • Cryptocurrency mining on your resources

Tip

Exam keyword: "threat detection" or "malicious activity" → GuardDuty
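
To make the "compromised instance talking to a known bad IP" case concrete, here is a small detector run over constructed VPC Flow Log records. It is an added example for this lesson, not GuardDuty's code (GuardDuty's detectors, threat feeds and ML models are not public); the threat-list addresses, account id and interface ids are placeholders chosen from documentation ranges, and the severity rule (ACCEPTed traffic is HIGH, a rejected inbound probe is LOW) is an assumption made for the illustration.

```python
"""Toy threat detection over VPC Flow Log records.

Added illustration for this lesson, not GuardDuty's own code. It shows the
kind of check the lesson describes: an EC2 instance (identified here by its
network interface) exchanging traffic with an IP on a threat-intelligence list.
"""
from collections import defaultdict

# Constructed threat-intelligence list (documentation-range placeholders, not real IoCs).
KNOWN_BAD_IPS = {"198.51.100.23", "203.0.113.77"}

# Constructed flow log lines in the default VPC Flow Logs format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.23 49152 443 6 20 12000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 93.184.216.34 49153 443 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 203.0.113.77 10.0.2.40 33333 22 6 5 400 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.23 49154 4444 6 300 45000 1700000120 1700000180 ACCEPT OK
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; skip malformed/short rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # NODATA/SKIPDATA rows or malformed lines
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect_bad_ip_traffic(records, bad_ips):
    """Return one finding per (interface, bad IP) pair, summarising the traffic.

    Only ACCEPTed flows count as "communicating": a REJECTed inbound probe from
    a bad IP is still reported, but at LOW severity, because nothing answered.
    """
    buckets = defaultdict(lambda: {"flows": 0, "bytes": 0, "accepted": False,
                                   "first_seen": None, "last_seen": None})
    for rec in records:
        remote = None
        if rec["dstaddr"] in bad_ips:
            remote = rec["dstaddr"]      # outbound to a bad IP
        elif rec["srcaddr"] in bad_ips:
            remote = rec["srcaddr"]      # inbound from a bad IP
        if remote is None:
            continue
        b = buckets[(rec["interface_id"], remote)]
        b["flows"] += 1
        b["bytes"] += rec["bytes"]
        b["accepted"] = b["accepted"] or rec["action"] == "ACCEPT"
        b["first_seen"] = rec["start"] if b["first_seen"] is None else min(b["first_seen"], rec["start"])
        b["last_seen"] = rec["end"] if b["last_seen"] is None else max(b["last_seen"], rec["end"])

    findings = []
    for (eni, remote), b in sorted(buckets.items()):
        findings.append({
            "interface_id": eni,
            "remote_ip": remote,
            "severity": "HIGH" if b["accepted"] else "LOW",
            "flows": b["flows"],
            "bytes": b["bytes"],
            "first_seen": b["first_seen"],
            "last_seen": b["last_seen"],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bad_ip_traffic(parse_flow_log(FLOW_LOG_LINES), KNOWN_BAD_IPS):
        print(finding)
```

Running it yields two findings: a HIGH one for eni-0a1b2c3d, which accepted two outbound flows (57,000 bytes) to 198.51.100.23, and a LOW one for eni-0e5f6a7b, which only rejected a probe from 203.0.113.77. Aggregating per interface and remote IP, rather than emitting one alert per flow, is what keeps this kind of detection readable when the log volume is large.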


Inspector — vulnerability scanning

What it does: Automatically discovers and scans workloads for software vulnerabilities and unintended network exposure.

What it scans:

  • EC2 instances
  • Container images in Amazon ECR
  • Lambda functions

What it finds:

  • Known CVEs (Common Vulnerabilities and Exposures) in installed packages
  • Network reachability issues (ports unintentionally open to the internet)

Tip

Exam keyword: "vulnerability scanning" or "CVE" or "software vulnerabilities" → Inspector


Macie — sensitive data discovery

What it does: Uses machine learning and pattern matching to discover and protect sensitive data stored in Amazon S3.

What it finds:

  • Personally Identifiable Information (PII): names, addresses, SSNs, credit card numbers
  • Financial data, health records, credentials
  • Custom data identifiers you define

Where it looks: S3 buckets only.

Tip

Exam keyword: "sensitive data in S3" or "PII detection" → Macie
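
The "pattern matching" half of what Macie does can be shown with a short scanner over constructed object contents. This is an added example for the lesson, not Macie's code or data identifiers (those are not public); the bucket contents are made up, the SSN and card-number values are documentation and test numbers, and the two identifier patterns plus the Luhn check are the example's own, chosen to show why a plain "16 digits" match is not enough.

```python
"""Toy sensitive-data discovery over S3-like object contents.

Added illustration for this lesson, not Macie's own code. It scans object
text for SSN- and card-number-shaped strings, with a Luhn check so that a
random 16-digit request id is not reported as a card number.
"""
import re

# Constructed "bucket": object key -> object text. Values are documentation /
# test-card numbers, not real personal data.
BUCKET_OBJECTS = {
    "hr/onboarding.csv": "name,ssn\nAlice Example,123-45-6789\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved.\n",
    "logs/app.log": "request id 1234567812345678 completed in 12ms\n",
    "docs/readme.txt": "Nothing to see here.\n",
}

# SSN shape with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return a list of (identifier_type, matched_value) found in one object."""
    hits = [("SSN", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("CREDIT_CARD_NUMBER", m.group()))
    return hits


def scan_bucket(objects):
    """Return findings for every object that contains at least one identifier.

    Matched values are masked to their last four characters so the finding
    itself does not become another copy of the sensitive data.
    """
    findings = []
    for key, text in sorted(objects.items()):
        hits = classify_text(text)
        if not hits:
            continue
        findings.append({
            "object_key": key,
            "identifiers": sorted({kind for kind, _ in hits}),
            "samples": ["****" + value[-4:] for _, value in hits],
        })
    return findings


if __name__ == "__main__":
    for finding in scan_bucket(BUCKET_OBJECTS):
        print(finding)
```

Two of the four objects are reported: the HR file for an SSN and the refunds file for a card number. The application log is not, because its 16-digit request id fails the Luhn check, and the finding carries only a masked sample, which is the habit to keep whenever a discovery tool writes results somewhere less protected than the source bucket.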


Security Hub — centralized findings

What it does: Aggregates, organizes, and prioritizes security findings from multiple AWS services and third-party tools into a single dashboard.

Feeds into Security Hub:

  • GuardDuty findings
  • Inspector findings
  • Macie findings
  • Firewall Manager findings
  • Third-party partner tools

Why it matters: Instead of checking six different consoles, Security Hub gives you one place to see and prioritize everything.

Tip

Exam keyword: "centralize security findings" or "single dashboard for security" → Security Hub
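
Here is what "aggregate and prioritize" looks like in code, run over a few constructed findings shaped like the AWS Security Finding Format (ASFF) that Security Hub ingests. This is an added example for the lesson, not Security Hub's implementation: the field names and the severity, workflow and record-state values are real ASFF vocabulary, but every finding, account id, resource id and title (including the placeholder CVE id) is made up.

```python
"""Aggregating findings the way Security Hub does, over ASFF-shaped records.

Added illustration for this lesson, not Security Hub's code. The records are
constructed to follow the AWS Security Finding Format fields Security Hub
receives from GuardDuty, Inspector and Macie; values are invented.
"""
from collections import Counter

# Constructed ASFF-style findings (trimmed to the fields used below).
FINDINGS = [
    {"Id": "gd-001", "ProductName": "GuardDuty", "AwsAccountId": "123456789012",
     "Title": "EC2 instance communicating with a known malicious IP",
     "Severity": {"Label": "HIGH", "Normalized": 70},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0abc123"}],
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "insp-001", "ProductName": "Inspector", "AwsAccountId": "123456789012",
     "Title": "CVE-XXXX-XXXX in an installed package (placeholder CVE id)",
     "Severity": {"Label": "CRITICAL", "Normalized": 90},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0abc123"}],
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "macie-001", "ProductName": "Macie", "AwsAccountId": "210987654321",
     "Title": "Sensitive data discovered in S3 object",
     "Severity": {"Label": "MEDIUM", "Normalized": 40},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-hr-bucket"}],
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "gd-002", "ProductName": "GuardDuty", "AwsAccountId": "210987654321",
     "Title": "Unusual API calls from an IAM user",
     "Severity": {"Label": "LOW", "Normalized": 20},
     "Resources": [{"Type": "AwsIamUser", "Id": "deploy-user"}],
     "Workflow": {"Status": "RESOLVED"}, "RecordState": "ARCHIVED"},
]

# ASFF severity labels, ordered for sorting.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}


def open_findings(findings):
    """Keep only findings that still need attention: active and not resolved/suppressed."""
    return [f for f in findings
            if f["RecordState"] == "ACTIVE"
            and f["Workflow"]["Status"] in ("NEW", "NOTIFIED")]


def prioritized(findings):
    """Open findings, most severe first; ties broken by the normalized score."""
    return sorted(open_findings(findings),
                  key=lambda f: (SEVERITY_RANK[f["Severity"]["Label"]],
                                 f["Severity"]["Normalized"]),
                  reverse=True)


def findings_by_resource(findings):
    """Group open findings by affected resource, so a host flagged by several
    services (here GuardDuty and Inspector on the same instance) shows up once."""
    groups = {}
    for f in open_findings(findings):
        for r in f["Resources"]:
            groups.setdefault(r["Id"], []).append(f["Id"])
    return groups


def summary(findings):
    """Counts per source product and per severity, as a dashboard header would show."""
    opened = open_findings(findings)
    return {
        "open": len(opened),
        "by_product": dict(Counter(f["ProductName"] for f in opened)),
        "by_severity": dict(Counter(f["Severity"]["Label"] for f in opened)),
    }


if __name__ == "__main__":
    print(summary(FINDINGS))
    for f in prioritized(FINDINGS):
        print(f["Severity"]["Label"], f["ProductName"], f["Id"], f["Title"])
    print(findings_by_resource(FINDINGS))
```

The archived, resolved GuardDuty finding drops out, the remaining three are ordered CRITICAL, HIGH, MEDIUM regardless of which service produced them, and grouping by resource shows that i-0abc123 has both a vulnerability and active malicious traffic, which is exactly the correlation a single dashboard is meant to surface.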


Detective — investigation and visualization

What it does: Helps you investigate and determine the root cause of security findings. After GuardDuty or Security Hub flags something, Detective helps you dig deeper.

How it works: Automatically collects log data and uses graph models to visualize relationships between resources, IP addresses, and AWS accounts over time.

Key distinction: Security Hub tells you what happened. Detective helps you understand why and how.

Tip

Exam keyword: "investigate security findings" or "root cause analysis" → Detective
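
The "graph of relationships over time" idea is easier to grasp with a worked walk through one. The code below is an added example for the lesson, not Detective's code or data model: it builds a small entity graph from constructed CloudTrail-style and flow-style events (accounts, IAM principals, instances and IP addresses, all placeholders) and then pulls out everything within a few hops of a flagged IP together with the time window over which those links were seen.

```python
"""Walking an entity graph to investigate a finding, in the spirit of Detective.

Added illustration for this lesson, not Detective's own code. Constructed
events become an undirected graph whose nodes are accounts, IAM principals,
EC2 instances and IP addresses; investigating a finding means collecting the
entities reachable from the flagged one and when those links were observed.
"""
from collections import defaultdict, deque

# Constructed events: (timestamp, source_entity, relation, target_entity).
# Entity ids are prefixed with their type so one graph can hold all of them.
EVENTS = [
    (1700000000, "account:123456789012", "owns", "instance:i-0abc123"),
    (1700000010, "ip:203.0.113.77", "called-api-as", "user:deploy-user"),
    (1700000020, "user:deploy-user", "ran-instances", "instance:i-0abc123"),
    (1700000100, "instance:i-0abc123", "connected-to", "ip:198.51.100.23"),
    (1700000200, "instance:i-0abc123", "connected-to", "ip:198.51.100.23"),
    (1700000300, "account:123456789012", "owns", "instance:i-0def456"),
]


def build_graph(events):
    """Undirected adjacency list; each edge keeps its relation and first/last time seen."""
    graph = defaultdict(dict)
    for ts, src, rel, dst in events:
        for a, b in ((src, dst), (dst, src)):
            edge = graph[a].setdefault(b, {"relation": rel, "first": ts, "last": ts})
            edge["first"] = min(edge["first"], ts)
            edge["last"] = max(edge["last"], ts)
    return graph


def investigate(graph, start, max_hops=3):
    """Breadth-first walk from the flagged entity.

    Returns every entity within max_hops with its distance from the start,
    plus the overall (first, last) window of the links that were walked.
    """
    seen = {start: 0}
    window = [None, None]
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for neigh, edge in graph[node].items():
            window[0] = edge["first"] if window[0] is None else min(window[0], edge["first"])
            window[1] = edge["last"] if window[1] is None else max(window[1], edge["last"])
            if neigh not in seen:
                seen[neigh] = seen[node] + 1
                queue.append(neigh)
    return {"entities": seen, "window": tuple(window)}


def entities_of_type(result, prefix):
    """Filter an investigation result to one entity type, e.g. 'ip' or 'user'."""
    return sorted(e for e in result["entities"] if e.startswith(prefix + ":"))


if __name__ == "__main__":
    g = build_graph(EVENTS)
    flagged = "ip:198.51.100.23"          # the IP a GuardDuty-style finding pointed at
    result = investigate(g, flagged, max_hops=3)
    print("window:", result["window"])
    for entity, hops in sorted(result["entities"].items(), key=lambda kv: kv[1]):
        print(hops, entity)
    for neigh, edge in g["instance:i-0abc123"].items():
        print("instance:i-0abc123", edge["relation"], neigh, edge["first"], edge["last"])
```

Starting from the flagged IP, two hops reach the instance that talked to it, the account that owns it and the IAM user that launched it; a third hop adds the IP that user's API calls came from. That is the "why and how" the lesson attributes to Detective: the finding said an instance spoke to a bad address, the graph shows which principal put the instance there and from where.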


Firewall Manager — centralized WAF/Shield management

What it does: Lets you centrally configure and manage WAF rules, Shield Advanced protections, and security group rules across multiple accounts in an AWS Organization.

Key use case: A company with 50 AWS accounts wants the same WAF rules applied everywhere — Firewall Manager does this from one place.

Note

Firewall Manager requires AWS Organizations. It is about centralized management of firewall-type protections, not about detecting threats or scanning for vulnerabilities.


The decision table

If you need to...                                               Use this service
--------------------------------------------------------------  ----------------
Detect threats and malicious activity across your account       GuardDuty
Scan EC2, containers, or Lambda for software vulnerabilities    Inspector
Find sensitive data (PII) in S3 buckets                         Macie
See all security findings in one dashboard                      Security Hub
Investigate the root cause of a security finding                Detective
Apply WAF/Shield rules across multiple accounts                 Firewall Manager

Tip

Print or screenshot this table. It is one of the highest-value references for the exam.


How they work together

GuardDuty ──┐
Inspector ──┼──→ Security Hub ──→ Detective
Macie ──────┘     (aggregate)     (investigate)

Firewall Manager → WAF/Shield rules across accounts

  1. GuardDuty, Inspector, and Macie each find different kinds of issues
  2. Security Hub collects and prioritizes all their findings
  3. Detective helps you investigate the most important findings
  4. Firewall Manager operates independently to enforce firewall rules at scale

Summary

  • GuardDuty = threat detection (CloudTrail, VPC Flow Logs, DNS)
  • Inspector = vulnerability scanning (EC2, ECR, Lambda)
  • Macie = sensitive data in S3 (PII detection)
  • Security Hub = centralized security findings dashboard
  • Detective = investigate and visualize root causes
  • Firewall Manager = manage WAF/Shield rules across accounts
  • Use the "If you need X, use Y" table to pick the right service

Quiz

Knowledge Check

Which AWS service detects threats by analyzing CloudTrail logs, VPC Flow Logs, and DNS logs?