Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.3.2. AWS Services for Identifying Security Vulnerabilities & Events (GuardDuty, Inspector, IAM Access Analyzer, Config)
Multiple AWS services detect different types of security issues. Knowing which service detects what is heavily tested.
| Service | Detects | Data Sources |
|---|---|---|
| GuardDuty | Threats: compromised instances, IAM anomalies, crypto mining | CloudTrail, VPC Flow Logs, DNS logs |
| Inspector | Vulnerabilities: CVEs in OS/packages | EC2 instances, ECR images, Lambda |
| Macie | Sensitive data exposure | S3 objects |
| Security Hub | Aggregates + standards compliance | All of the above + custom |
| Access Analyzer | Overly permissive access | IAM policies, resource policies |
| Detective | Investigation of findings | CloudTrail, VPC Flow Logs, GuardDuty |
GuardDuty finding types:
- Recon:EC2/PortProbeUnprotectedPort — someone probing your open ports
- CryptoCurrency:EC2/BitcoinTool.B!DNS — instance communicating with crypto mining pools
- UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration — instance credentials used from outside AWS
Security Hub standards:
- AWS Foundational Security Best Practices: AWS-recommended security checks
- CIS AWS Foundations Benchmark: Industry-standard compliance checks
- PCI DSS: Payment card industry compliance
```bash
# Enable Security Hub with AWS Foundational standard
aws securityhub enable-security-hub \
--enable-default-standards
```
Exam Trap: GuardDuty detects threats but doesn't remediate them. Remediation requires EventBridge rules that trigger Lambda functions or SSM Automation. If the exam asks "which service automatically isolates a compromised instance?" — GuardDuty alone is not the answer. The answer is GuardDuty + EventBridge + Lambda (isolation logic).
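The GuardDuty + EventBridge + Lambda pattern from the exam trap, as an added example that is not part of the course page: `EVENT_PATTERN` is a constructed EventBridge rule that matches high-severity GuardDuty findings on EC2 instances, and `lambda_handler` is the isolation Lambda that swaps the instance's security groups for an empty quarantine group. The quarantine group id, the instance id in `SAMPLE_EVENT` and the `RecordingEC2` stand-in client are assumptions so the code runs offline; in a real deployment the handler uses boto3.

```python
# Constructed EventBridge event pattern: high-severity GuardDuty findings on EC2 instances.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7]}],
        "resource": {"resourceType": ["Instance"]},
    },
}
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"  # placeholder: a group with no inbound/outbound rules

def instance_id_from_finding(event):
    """Return the EC2 instance id named in the finding, or None if it is not about an instance."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")

def isolate_instance(ec2, instance_id, quarantine_sg=QUARANTINE_SG):
    """Swap the instance's security groups for the quarantine group; returns the new attachment."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"instanceId": instance_id, "groups": [quarantine_sg]}

def lambda_handler(event, context, ec2=None):
    """Remediation Lambda invoked by the EventBridge rule with the matched GuardDuty finding."""
    if ec2 is None:  # real deployment path; the offline run below passes a fake client instead
        import boto3
        ec2 = boto2.client("ec2") if False else boto3.client("ec2")
    instance_id = instance_id_from_finding(event)
    if instance_id is None:
        return {"status": "skipped", "reason": "finding does not name an EC2 instance"}
    return {"status": "isolated", "findingType": event["detail"].get("type"),
            **isolate_instance(ec2, instance_id)}

class RecordingEC2:
    """Stand-in for boto3's EC2 client so the example runs offline; records each call made."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)

# Constructed sample finding event, shaped like what EventBridge delivers to the Lambda.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0placeholder123"}}},
}
```

Running `lambda_handler(SAMPLE_EVENT, None, ec2=RecordingEC2())` shows the isolation call without touching AWS; a finding whose resource is not an instance (an IAM access key, for example) is skipped rather than acted on.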

Written by Alvin Varughese • Founder • 15 professional certifications