Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.2.4. Threat Detection: GuardDuty, Inspector, Macie, and Security Hub

💡 First Principle: You cannot protect against threats you cannot see. A correctly configured IAM policy prevents unauthorized access, but it does nothing about legitimate credentials that have been stolen, or about an EC2 instance that is already talking to a known malware command-and-control server. Threat detection services watch behavior and configuration continuously so that these conditions surface as findings before they escalate.

The four services each cover a different part of the problem (compromised resources, vulnerable software, sensitive data, and aggregation of all of the above); knowing which does what is the core exam skill for this subsection.

Service Roles — One-Line Summaries:
Service          | What It Detects                                           | Primary Data Source
Amazon GuardDuty | Malicious activity and compromised resources              | CloudTrail, VPC Flow Logs, DNS logs, S3 data events
Amazon Inspector | Software vulnerabilities and unintended network exposure  | EC2 OS and application packages, container images in ECR, Lambda function code and layers
Amazon Macie     | Sensitive data (PII, credentials) in S3                   | S3 object content scanning
AWS Security Hub | Aggregated security findings across accounts and services | GuardDuty, Inspector, Macie, Config, IAM Access Analyzer, partner services

Amazon GuardDuty:

GuardDuty is a regional threat detection service that combines threat intelligence feeds (known malicious IPs and domains) with anomaly detection and machine learning to flag unusual or malicious behavior. It analyzes:

  • CloudTrail management events (unusual API calls, API calls from Tor exit nodes or known malicious IPs)
  • VPC Flow Logs (port scanning, data exfiltration patterns)
  • DNS logs (queries to known malicious domains; only visible for instances that use the default Route 53 resolver)
  • S3 data events (unusual S3 access patterns)

GuardDuty reads these streams directly from the underlying services. You do not have to enable CloudTrail, VPC Flow Logs, or DNS query logging yourself for GuardDuty to use them; enabling them for your own retention and investigation is a separate decision.

GuardDuty finding severity is a numeric score mapped to a label: Low (1.0 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), plus a Critical band (9.0 and above) used by a small set of newer finding types. Findings include the threat type, the affected resource, actor details (remote IP, geolocation, ASN), and evidence such as the number of occurrences.

Common GuardDuty finding types (the format is ThreatPurpose:ResourceType/ThreatName):

  • UnauthorizedAccess:EC2/SSHBruteForce — an instance is involved in SSH brute-force attempts, as target or as source
  • CryptoCurrency:EC2/BitcoinTool.B!DNS — an instance is querying a domain associated with cryptocurrency mining
  • Backdoor:EC2/C&CActivity.B!DNS — an instance is querying a domain associated with a known command-and-control server
  • Trojan:EC2/PhishingDomainRequest — an instance is querying a domain used in phishing attacks
  • CredentialAccess:IAMUser/AnomalousBehavior — an IAM principal is making API calls that differ from its established baseline

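The shape of a finding matters as much as its name, because automated response usually starts from a GuardDuty finding delivered through EventBridge. The following is an added example (not code from the MindMesh Academy page) of the triage step such a Lambda would perform: it maps the numeric severity to its label, pulls out the affected resource and the observable to block, and picks a playbook action. The two events are constructed by hand; their field paths follow the GuardDuty finding schema, but the instance ID, the `c2.example.invalid` domain, the 198.51.100.23 address, and the action names are all assumptions.

```python
"""Triage a GuardDuty finding delivered through EventBridge.

Added example, not code from the MindMesh Academy page. Both events are
constructed; field paths follow the GuardDuty finding schema (detail.type,
detail.severity, detail.resource.*, detail.service.action.*). Playbook action
names are assumptions for a hypothetical responder.
"""
import json

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, and a
# Critical band (9.0+) used by a small set of newer finding types.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low"))

# Constructed event: an instance resolving a known C2 domain (High severity).
C2_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty", "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0", "accountId": "123456789012", "region": "us-east-1",
        "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc123def456789a"}},
        "service": {"action": {"actionType": "DNS_REQUEST",
                               "dnsRequestAction": {"domain": "c2.example.invalid",
                                                    "protocol": "UDP", "blocked": False}}},
    },
}

# Constructed event: an IAM user's key used for unusual API calls (Medium).
KEY_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty", "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0", "accountId": "123456789012", "region": "us-east-1",
        "type": "CredentialAccess:IAMUser/AnomalousBehavior", "severity": 5.0,
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                          "userName": "deploy-bot", "userType": "IAMUser"}},
        "service": {"action": {"actionType": "AWS_API_CALL",
                               "awsApiCallAction": {"api": "GetSecretValue",
                                                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}


def severity_label(score):
    """Map GuardDuty's numeric severity to the label the console shows."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    raise ValueError("GuardDuty severities start at 1.0, got %r" % score)


def indicator(action):
    """Extract the observable (domain, IP, API call) a responder would block or hunt for."""
    kind = action.get("actionType")
    if kind == "DNS_REQUEST":
        return action["dnsRequestAction"]["domain"]
    if kind == "NETWORK_CONNECTION":
        return action["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]
    if kind == "AWS_API_CALL":
        call = action["awsApiCallAction"]
        return "%s from %s" % (call["api"], call["remoteIpDetails"]["ipAddressV4"])
    if kind == "PORT_PROBE":
        return action["portProbeAction"]["portProbeDetails"][0]["remoteIpDetails"]["ipAddressV4"]
    return None


def affected_resource(resource):
    """Return (kind, identifier) for the resource kinds GuardDuty reports most often."""
    kind = resource["resourceType"]
    if kind == "Instance":
        return kind, resource["instanceDetails"]["instanceId"]
    if kind == "AccessKey":
        return kind, resource["accessKeyDetails"]["accessKeyId"]
    if kind == "S3Bucket":
        return kind, resource["s3BucketDetails"][0]["name"]
    return kind, None


def triage(event):
    """Decide what a hypothetical auto-response Lambda should do with one finding."""
    d = event["detail"]
    label = severity_label(d["severity"])
    kind, rid = affected_resource(d["resource"])
    # Hypothetical playbook: contain only High/Critical findings, and only on
    # resources that can be contained mechanically (quarantine SG, disable key).
    if label in ("High", "Critical") and kind == "Instance":
        action = "isolate-instance"
    elif label in ("High", "Critical") and kind == "AccessKey":
        action = "disable-access-key"
    elif label in ("High", "Critical"):
        action = "page-oncall"
    elif label == "Medium":
        action = "open-ticket"
    else:
        action = "log-only"
    return {"type": d["type"], "severity_label": label, "resource_kind": kind,
            "resource_id": rid, "indicator": indicator(d["service"]["action"]),
            "action": action}


if __name__ == "__main__":
    for ev in (C2_EVENT, KEY_EVENT):
        print(json.dumps(triage(ev), indent=2))
```

The severity thresholds are the part worth getting right: an EventBridge rule that only matches findings with `severity` of 7 or above silently drops the Medium credential-misuse finding shown here, which is often the earlier signal.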
Amazon Inspector:

Inspector identifies software vulnerabilities and unintended network exposure:

  • EC2: Scans instances for OS and application package vulnerabilities, normally through the SSM Agent (an agentless, snapshot-based mode also exists); its network reachability analysis flags instances reachable from the internet on open ports
  • ECR container images: Scans images on push and re-scans them as new CVE data is published, covering OS and application packages
  • Lambda functions: Scans function packages and layers for vulnerable dependencies, and optionally the function code itself for insecure patterns

Each finding carries an Inspector score, which starts from the CVSS base score and is adjusted for context such as network reachability, plus remediation guidance (the fixed package version, for example). Inspector sends findings to Security Hub automatically and to EventBridge, where a rule can trigger automated response.

Amazon Macie:

Macie uses pattern matching and ML to discover and protect sensitive data in S3:

  • Discovers objects containing sensitive data (PII, financial data, credentials, health information) using managed data identifiers, plus custom data identifiers (regular expressions) for organization-specific formats
  • Generates policy findings when a bucket's protections weaken: public access allowed, default encryption disabled, or the bucket shared with or replicated to accounts outside the organization
  • Maintains an inventory of buckets with their sensitivity and access posture; automated sensitive data discovery samples objects continuously, while classification jobs scan selected buckets in full

AWS Security Hub:

Security Hub is the aggregation layer: it does not detect threats itself but ingests findings from GuardDuty, Inspector, Macie, AWS Config, IAM Access Analyzer, and third-party products, normalizes them into the AWS Security Finding Format (ASFF), and presents them in a single view. Because every finding shares the same schema, one EventBridge rule or Security Hub automation rule can act on findings regardless of which product produced them.

Security Hub also runs its own security standard checks (automated configuration controls, most of which are backed by AWS Config rules, so AWS Config recording must be enabled in each account and region for them to evaluate):

  • CIS AWS Foundations Benchmark
  • AWS Foundational Security Best Practices
  • PCI DSS
  • NIST SP 800-53

For multi-account environments, designate a delegated administrator account in AWS Organizations. Member accounts' findings flow to the administrator, and cross-Region aggregation can additionally replicate findings from every linked Region into one aggregation Region, giving a single pane of glass for security posture across the organization.
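What "single normalized view" means in practice is that a GuardDuty finding, an Inspector CVE, a Macie sensitive-data hit, and a failed standards control all arrive with the same `Severity`, `Resources`, `RecordState`, and `Workflow` fields. The following is an added example (not code from the MindMesh Academy page) that builds the kind of dashboard the reflection question below asks for from a constructed list of ASFF findings. The field names are ASFF; the account IDs, resource identifiers, titles, and the `payments-exports` bucket are made up, and `CVE-2021-44228` (Log4Shell) is used only as a well-known real CVE.

```python
"""Build one posture view from Security Hub's normalised (ASFF) findings.

Added example, not code from the MindMesh Academy page. The findings are
constructed by hand; ProductName, Severity, Resources, RecordState, Workflow
and Compliance are ASFF fields, while all identifiers and titles are made up.
"""
from collections import Counter

FINDINGS = [
    {   # GuardDuty: anomalous API activity by an IAM credential
        "ProductName": "GuardDuty", "AwsAccountId": "111111111111",
        "Title": "Credentials for deploy-bot were used from an unusual location.",
        "Types": ["TTPs/Credential Access/CredentialAccess:IAMUser-AnomalousBehavior"],
        "Severity": {"Label": "MEDIUM", "Normalized": 50},
        "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE"}],
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
    },
    {   # Inspector: known CVE in a package on an EC2 instance
        "ProductName": "Inspector", "AwsAccountId": "222222222222",
        "Title": "CVE-2021-44228 - log4j-core",
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "Severity": {"Label": "CRITICAL", "Normalized": 90},
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:us-east-1:222222222222:instance/i-0d3f3a1b2c4e5f678"}],
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
    },
    {   # Macie: sensitive data found in an S3 object
        "ProductName": "Macie", "AwsAccountId": "222222222222",
        "Title": "The S3 object contains credit card numbers.",
        "Types": ["Sensitive Data Identifications/Financial/SensitiveData:S3Object-Financial"],
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::payments-exports"}],
        "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"},
    },
    {   # Security Hub standards control that failed
        "ProductName": "Security Hub", "AwsAccountId": "111111111111",
        "Title": "IAM root user access key should not exist",
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
        "Severity": {"Label": "CRITICAL", "Normalized": 90},
        "Compliance": {"Status": "FAILED"},
        "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111111111111"}],
        "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
    },
    {   # Already handled: still stored, but not part of the open posture
        "ProductName": "GuardDuty", "AwsAccountId": "111111111111",
        "Title": "198.51.100.9 is performing SSH brute force attacks against i-0aaa111bbb222ccc33.",
        "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"],
        "Severity": {"Label": "LOW", "Normalized": 20},
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:us-east-1:111111111111:instance/i-0aaa111bbb222ccc33"}],
        "RecordState": "ARCHIVED", "Workflow": {"Status": "RESOLVED"},
    },
]

# ASFF severity labels, highest first.
SEVERITY_ORDER = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}


def open_findings(findings):
    """Only ACTIVE records whose workflow is still open count toward posture."""
    return [f for f in findings
            if f["RecordState"] == "ACTIVE"
            and f["Workflow"]["Status"] in ("NEW", "NOTIFIED")]


def posture_counts(findings):
    """Count open findings by (product, severity label)."""
    return Counter((f["ProductName"], f["Severity"]["Label"])
                   for f in open_findings(findings))


def worst_first(findings):
    """One row per open finding, most severe first: the single-dashboard view."""
    rows = []
    for f in open_findings(findings):
        res = f["Resources"][0]
        rows.append({"product": f["ProductName"], "account": f["AwsAccountId"],
                     "severity": f["Severity"]["Label"],
                     "resource": "%s %s" % (res["Type"], res["Id"]),
                     "title": f["Title"]})
    return sorted(rows, key=lambda r: (-SEVERITY_ORDER[r["severity"]], r["product"]))


def failed_controls(findings):
    """Standards checks are findings too; FAILED ones are the compliance gaps."""
    return [f["Title"] for f in open_findings(findings)
            if f.get("Compliance", {}).get("Status") == "FAILED"]


if __name__ == "__main__":
    for row in worst_first(FINDINGS):
        print("%-8s %-12s %s" % (row["severity"], row["product"], row["title"]))
    print(dict(posture_counts(FINDINGS)))
    print("Failed controls:", failed_controls(FINDINGS))
```

Note the filter on `RecordState` and `Workflow.Status`: Security Hub keeps archived and resolved findings, so a count that ignores those two fields overstates the open posture. The same two fields are what an automation rule updates when it suppresses or resolves a finding.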

⚠️ Exam Trap: GuardDuty, Inspector, Macie, and Security Hub must be explicitly enabled; they are not on by default. All four are regional, so each must be enabled in every region you want covered (an AWS Organizations delegated administrator can turn them on for all member accounts, including accounts that join later, but still per region). A question asking "how did a threat go undetected for 6 months" often has the answer "GuardDuty was not enabled in the region where the EC2 instance was running."

Reflection Question: A security team wants a single dashboard showing: (1) EC2 instances running software with known CVEs, (2) S3 buckets containing credit card numbers, and (3) IAM credentials making API calls from unusual geographic locations. Which three AWS services provide each data point, and what service aggregates them all into one view?

Written by Alvin Varughese