Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2. Detection (16%)

Detection is the foundation of every security operation: without visibility into what is happening across your AWS environment, you are operating blind. A perfectly configured IAM policy means nothing if nobody notices when an attacker gets around it, for example by stealing credentials the policy already trusts. Think of detection as the nervous system of your security architecture: it does not prevent injuries, but without it you cannot feel pain, and you will not know you are hurt until the damage is catastrophic. This phase covers three interconnected capabilities: monitoring and alerting (knowing something is wrong), logging (having the evidence to understand what happened), and troubleshooting (finding and closing gaps in your detection coverage, such as a trail that is disabled, a detector that is not enabled everywhere, or alerts that never reach the people who need them).

The First Principle is that continuous, automated detection across all layers of your AWS environment — identity, network, compute, data, and configuration — provides the visibility required to identify threats before they cause irreversible damage.

Scenario: An attacker compromises an EC2 instance and reads the temporary credentials of its IAM role from the instance metadata service. Using those credentials from their own infrastructure, they enumerate S3 buckets, exfiltrate data, and create new IAM users for persistent access, all while your team is unaware because GuardDuty is enabled in only one Region. GuardDuty is a Regional service, so activity that lands in any other Region is never analyzed.

Reflection Question: How does a comprehensive detection strategy — spanning logging, monitoring, and alerting — reduce the time between compromise and discovery from months to minutes?
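To make the scenario concrete, the following is an added example (not code from this page, its author, or AWS) that runs simple detection rules over a handful of constructed CloudTrail records: instance-profile credentials used from an IP that is not the instance's own (the pattern behind GuardDuty's UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration findings), bulk S3 object reads, and IAM persistence actions by a workload role. It then shows how many of those findings a single-Region detector deployment would never see. The records, instance IDs, IP addresses, role names, threshold and detector Regions are all constructed for illustration.

```python
"""Cross-Region detection over constructed CloudTrail records for the EC2
instance-credential scenario. Added example; not AWS or GuardDuty code."""
import re
from collections import Counter

# Constructed: the only Region with a GuardDuty detector (the gap in the scenario).
GUARDDUTY_REGIONS = {"us-east-1"}

# Constructed: the public IP each instance is expected to call AWS APIs from.
INSTANCE_PUBLIC_IP = {"i-0abc123def4567890": "203.0.113.10"}

# IAM write APIs a workload role on an EC2 instance has no business calling.
IAM_PERSISTENCE_APIS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                        "AttachUserPolicy", "PutUserPolicy", "CreateRole"}

# For instance-profile credentials the STS role session name is the instance ID,
# so the assumed-role ARN ends in ".../RoleName/i-0123456789abcdef0".
INSTANCE_SESSION = re.compile(r"^i-[0-9a-f]{8,17}$")


def instance_session(record):
    """Return the instance ID when the caller used instance-profile credentials, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name if INSTANCE_SESSION.match(session_name) else None


def analyze(records, bulk_read_threshold=3):
    """Walk CloudTrail records in order and emit findings for the scenario's three
    stages: credentials used from a foreign IP, bulk S3 reads, IAM persistence."""
    findings, seen_ips, reads = [], set(), Counter()
    for r in records:
        inst = instance_session(r)
        if inst is None:
            continue  # human or non-instance role sessions are out of scope here
        region, ip, api = r["awsRegion"], r["sourceIPAddress"], r["eventName"]

        # Stage 1: instance credentials called from an IP that is not the instance's own.
        # Reported once per (instance, Region, IP) so the same theft is not re-alerted.
        if ip != INSTANCE_PUBLIC_IP.get(inst) and (inst, region, ip) not in seen_ips:
            seen_ips.add((inst, region, ip))
            findings.append({"type": "CredentialExfiltration", "instance": inst,
                             "region": region, "sourceIP": ip, "api": api})

        # Stage 2: repeated object reads by one instance session from one IP in one Region.
        if r["eventSource"] == "s3.amazonaws.com" and api == "GetObject":
            reads[(inst, region, ip)] += 1
            if reads[(inst, region, ip)] == bulk_read_threshold:
                findings.append({"type": "BulkS3Read", "instance": inst,
                                 "region": region, "sourceIP": ip, "api": api})

        # Stage 3: an instance role creating IAM principals or credentials.
        if r["eventSource"] == "iam.amazonaws.com" and api in IAM_PERSISTENCE_APIS:
            findings.append({"type": "IamPersistence", "instance": inst,
                             "region": region, "sourceIP": ip, "api": api})
    return findings


def uncovered_regions(records, detector_regions=GUARDDUTY_REGIONS):
    """Regions with instance-credential activity but no GuardDuty detector."""
    return {r["awsRegion"] for r in records if instance_session(r)} - detector_regions


def missed_by_detectors(findings, detector_regions=GUARDDUTY_REGIONS):
    """Findings a single-Region deployment never sees because the activity was elsewhere."""
    return [f for f in findings if f["region"] not in detector_regions]


def _record(api, source, region, ip, session="i-0abc123def4567890", role="WebAppRole"):
    """Build a minimal constructed CloudTrail record (only the fields the rules read)."""
    return {"eventSource": source, "eventName": api, "awsRegion": region,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{session}"}}


# Constructed sample: one legitimate read from the instance itself, then the attacker
# replays the stolen credentials from 198.51.100.7 to list and pull S3 data in eu-west-1,
# and finally creates an IAM user (IAM is global; CloudTrail records it in us-east-1).
SAMPLE_RECORDS = [
    _record("GetObject", "s3.amazonaws.com", "eu-west-1", "203.0.113.10"),
    _record("ListBuckets", "s3.amazonaws.com", "eu-west-1", "198.51.100.7"),
    _record("GetObject", "s3.amazonaws.com", "eu-west-1", "198.51.100.7"),
    _record("GetObject", "s3.amazonaws.com", "eu-west-1", "198.51.100.7"),
    _record("GetObject", "s3.amazonaws.com", "eu-west-1", "198.51.100.7"),
    _record("CreateUser", "iam.amazonaws.com", "us-east-1", "198.51.100.7"),
    _record("ListBuckets", "s3.amazonaws.com", "us-east-1", "192.0.2.44",
            session="alice", role="AdminRole"),  # human session, ignored by these rules
]

if __name__ == "__main__":
    found = analyze(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['type']:<22} {f['region']:<10} {f['sourceIP']:<14} {f['api']}")
    print("Regions with activity but no detector:", uncovered_regions(SAMPLE_RECORDS))
    print("Findings a us-east-1-only deployment misses:",
          len(missed_by_detectors(found)), "of", len(found))
```

Run against the sample, the rules produce four findings, and two of them (the foreign-IP use and the bulk reads in eu-west-1) fall in a Region with no detector; the IAM persistence step is the only stage a us-east-1-only deployment would notice, and by then the data is already gone. Enabling GuardDuty in every Region (or running rules like these over an organization-wide, multi-Region CloudTrail) is what closes that window.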

Written by Alvin Varughese, Founder, 15 professional certifications