1.6 GuardDuty, Inspector, Macie, and Security Hub
Key Takeaways
- Amazon GuardDuty uses machine learning to analyze CloudTrail, VPC Flow Logs, and DNS logs for threat detection — enable it with one click.
- Amazon Inspector automatically scans EC2 instances and container images for software vulnerabilities and unintended network exposure.
- Amazon Macie uses machine learning to discover, classify, and protect sensitive data (PII, financial data) in S3 buckets.
- AWS Security Hub aggregates findings from GuardDuty, Inspector, Macie, and third-party tools into a centralized security dashboard.
- All four services are detective controls — they find issues but do NOT automatically remediate them (use EventBridge + Lambda for automated remediation).
GuardDuty, Inspector, Macie, and Security Hub
Quick Answer: GuardDuty = threat detection (analyzing logs with ML). Inspector = vulnerability scanning (EC2 + containers). Macie = sensitive data discovery in S3. Security Hub = centralized dashboard for all findings. These are all detective controls — they find problems but do not fix them automatically.
Amazon GuardDuty
GuardDuty is an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior.
Data Sources
| Source | What It Analyzes |
|---|---|
| CloudTrail Management Events | API calls (who did what, when) |
| CloudTrail S3 Data Events | S3 object-level operations |
| VPC Flow Logs | Network traffic patterns |
| DNS Logs | DNS queries from EC2 instances |
| EKS Audit Logs | Kubernetes API server audit logs |
| Lambda Network Activity | Network activity from Lambda functions |
| RDS Login Activity | Database login attempts |
| Runtime Monitoring | Process-level activity on ECS/EKS/EC2 |
What GuardDuty Detects
- Cryptocurrency mining on EC2 instances
- Compromised credentials (unusual API calls from unexpected locations)
- Data exfiltration (unusual outbound data transfer)
- Port scanning and reconnaissance
- Malware on EC2 instances
- Unauthorized access attempts
Key Characteristics
- One-click enablement — no agents, no infrastructure to deploy
- Machine learning — establishes baselines and detects anomalies
- Findings — categorized by severity (Low, Medium, High)
- Integration — sends findings to EventBridge for automated remediation
- Multi-account — manage across an organization via delegated administrator
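The EventBridge + Lambda remediation pattern mentioned in Key Takeaways and under Integration, as an added example (not code from the page or from AWS): a Lambda handler that triages an incoming GuardDuty finding and isolates the affected EC2 instance. It assumes a pre-created isolation security group with no rules whose id is supplied in the QUARANTINE_SG environment variable; the sample event is constructed to match the EventBridge "GuardDuty Finding" shape.

```python
"""Lambda handler that triages a GuardDuty finding delivered by EventBridge.

Added example; assumes an isolation security group (no inbound/outbound rules)
already exists and that its id is set in the QUARANTINE_SG environment variable.
"""
import os

# Finding-type prefixes that warrant isolating the instance (constructed allowlist).
QUARANTINE_PREFIXES = ("CryptoCurrency:EC2/", "Backdoor:EC2/", "Trojan:EC2/")


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its Low / Medium / High bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(event: dict) -> dict:
    """Decide what to do with one EventBridge event; pure function, easy to unit test."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    ftype, label = finding["type"], severity_label(float(finding["severity"]))
    instance = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    if instance and label != "Low" and ftype.startswith(QUARANTINE_PREFIXES):
        return {"action": "quarantine", "instance_id": instance, "severity": label, "type": ftype}
    return {"action": "notify", "severity": label, "type": ftype}  # Low/other findings go to humans


def quarantine_instance(ec2, instance_id: str, quarantine_sg: str) -> dict:
    """Swap the instance's security groups for the isolation group (the actual remediation)."""
    return ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])


def lambda_handler(event, context):
    decision = triage(event)
    if decision["action"] == "quarantine":
        import boto3  # imported here so the module loads without the AWS SDK installed
        decision["response"] = quarantine_instance(
            boto3.client("ec2"), decision["instance_id"], os.environ["QUARANTINE_SG"])
    return decision


# Constructed sample shaped like an EventBridge "GuardDuty Finding" event.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}
```

Wire it up with an EventBridge rule matching `source: aws.guardduty` and `detail-type: GuardDuty Finding` whose target is this function; the Lambda role needs only `ec2:ModifyInstanceAttribute` on the instances it is allowed to isolate.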
Amazon Inspector
Amazon Inspector automatically discovers and scans workloads for software vulnerabilities and unintended network exposure.
| Feature | Detail |
|---|---|
| Targets | EC2 instances, container images (ECR), Lambda functions |
| Scanning | Continuous and automatic (no manual trigger needed) |
| Vulnerabilities | CVE database, CIS benchmarks, network reachability |
| Agent | Uses SSM Agent (pre-installed on most AMIs) |
| Findings | Prioritized by severity with remediation guidance |
| Integration | EventBridge, Security Hub, S3 export |
Amazon Macie
Amazon Macie discovers and protects sensitive data stored in S3.
| Feature | Detail |
|---|---|
| Discovers | PII (names, SSNs, credit cards), PHI, financial data, credentials |
| Uses | Machine learning and pattern matching |
| Scans | S3 buckets (automated and on-demand) |
| Alerts | Findings classified by severity |
| Integration | EventBridge, Security Hub |
On the Exam: "Discover personally identifiable information (PII) in S3 buckets" → Amazon Macie.
AWS Security Hub
Security Hub provides a comprehensive view of your security state across AWS accounts.
| Feature | Detail |
|---|---|
| Aggregates findings from | GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, + third-party |
| Compliance standards | CIS AWS Foundations, PCI DSS, AWS Foundational Security Best Practices |
| Automated checks | Continuous compliance checks against standards |
| Cross-account | Aggregate findings from all accounts in an organization |
| Integration | EventBridge for automated workflows |
When to Use Each Service
| Scenario | Service |
|---|---|
| "Detect compromised EC2 instances mining cryptocurrency" | GuardDuty |
| "Scan EC2 instances for software vulnerabilities (CVEs)" | Inspector |
| "Find PII data in S3 buckets" | Macie |
| "Centralized security findings dashboard" | Security Hub |
| "Detect unusual API calls from compromised credentials" | GuardDuty |
| "Automated compliance checks against CIS benchmarks" | Security Hub |
| "Scan container images for vulnerabilities" | Inspector |
A company needs to detect if any EC2 instances in their account are being used for cryptocurrency mining. Which service should they enable?
A compliance team needs to discover all S3 buckets containing personally identifiable information (PII). Which service should they use?