1.6 GuardDuty, Inspector, Macie, and Security Hub
Key Takeaways
- Amazon GuardDuty uses machine learning on CloudTrail, VPC Flow Logs, and DNS logs to detect threats with one-click, agentless enablement.
- Amazon Inspector continuously scans EC2 instances, ECR container images, and Lambda functions for CVE vulnerabilities and network exposure.
- Amazon Macie uses machine learning to discover and classify sensitive data such as PII and financial data in Amazon S3.
- AWS Security Hub aggregates and normalizes findings from GuardDuty, Inspector, Macie, and partners against standards like CIS and PCI DSS.
- All four are detective controls — they find issues but do not remediate; pair them with EventBridge and Lambda for automated response.
Quick Answer: GuardDuty = ML threat detection from logs. Inspector = vulnerability (CVE) scanning of EC2, containers, and Lambda. Macie = sensitive-data discovery in S3. Security Hub = the aggregation dashboard. All are detective — they find problems but do not fix them; automate response with EventBridge + Lambda.
Amazon GuardDuty
GuardDuty continuously analyzes log telemetry with machine learning and threat-intelligence feeds. It is agentless and enabled with one click.
| Data Source | What It Analyzes |
|---|---|
| CloudTrail management events | API calls (who/what/when) |
| CloudTrail S3 data events | Object-level S3 access |
| VPC Flow Logs | Network traffic patterns |
| DNS logs | Suspicious domain lookups |
| EKS audit logs | Kubernetes API activity |
| RDS login activity / Lambda network / Runtime Monitoring | Brute force, anomalous egress, process activity |
Typical findings: cryptocurrency mining, compromised credentials (API calls from unusual geographies), data exfiltration, port-scanning reconnaissance, and malware on instances. Findings carry a severity (Low/Medium/High) and stream to EventBridge for automated containment (for example, isolating an instance via a Lambda function).
Amazon Inspector
Amazon Inspector automatically and continuously scans workloads for software vulnerabilities and unintended network reachability — no manual scan trigger needed.
| Feature | Detail |
|---|---|
| Targets | EC2 instances, ECR container images, Lambda functions |
| Finds | Known CVEs, network-reachability exposure |
| Mechanism | Uses the SSM Agent (preinstalled on most AMIs) |
| Scoring | Inspector risk score prioritizes by exploitability and exposure |
| Routes to | Security Hub, EventBridge, S3 export |
On the Exam: "Scan EC2 or container images for known software vulnerabilities (CVEs)" → Inspector (not GuardDuty, which watches runtime/log behavior).
Amazon Macie
Amazon Macie discovers, classifies, and protects sensitive data in Amazon S3 using ML and managed data identifiers.
| Feature | Detail |
|---|---|
| Discovers | PII (names, SSNs, card numbers), PHI, financial data, credentials |
| Scope | S3 buckets, scheduled or on-demand jobs |
| Also flags | Public buckets, unencrypted buckets, externally shared buckets |
| Routes to | Security Hub, EventBridge |
On the Exam: Any mention of personally identifiable information (PII) in S3 → Macie.
AWS Security Hub
Security Hub is the single pane of glass that ingests and normalizes findings into the AWS Security Finding Format (ASFF).
| Feature | Detail |
|---|---|
| Aggregates | GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, partners |
| Standards | CIS AWS Foundations, PCI DSS, AWS Foundational Security Best Practices, NIST |
| Checks | Continuous automated compliance scoring |
| Multi-account | Org-wide aggregation via a delegated administrator |
| Routes to | EventBridge for automated workflows |
Scenario-to-Service Map
| Scenario Keyword | Service |
|---|---|
| Cryptomining / compromised credentials | GuardDuty |
| Software CVEs on EC2 or container images | Inspector |
| PII discovery in S3 | Macie |
| Centralized findings + CIS/PCI scoring | Security Hub |
| Automated remediation of a finding | EventBridge + Lambda |
Common Trap: None of these four services remediate automatically. If a question asks how to automatically respond to a finding, the answer pairs the detective service with EventBridge triggering Lambda or Systems Manager Automation.
Detective vs. Preventive vs. Responsive
The exam expects you to classify controls. Preventive controls stop bad actions before they happen — SCPs, security groups, NACLs, IAM policies, WAF rules. Detective controls find problems after the fact — GuardDuty, Inspector, Macie, Config, CloudTrail, Security Hub. Responsive automation closes the loop — EventBridge rules invoking Lambda or Systems Manager Automation runbooks. A complete answer to "continuously detect threats and automatically contain them" is therefore a detective service (GuardDuty) plus a responsive pipeline (EventBridge → Lambda), never a single service.
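To make the detective-plus-responsive pipeline concrete, here is an added Python example (not AWS's code and not part of the original notes) of the Lambda side: it consumes the EventBridge-delivered GuardDuty finding and, for a High-severity finding on an EC2 instance, swaps the instance's security groups for a quarantine group. The `QUARANTINE_SG` environment variable, the quarantine group ID and the sample event are assumptions constructed for the example.

```python
import os

# EventBridge rule pattern forwarding only High-severity findings (GuardDuty severity is numeric: Low 1-3.9, Medium 4-6.9, High 7-8.9).
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity onto its Low/Medium/High bands."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def plan_response(event: dict, quarantine_sg: str) -> dict:
    """Decide the containment action for one EventBridge-delivered GuardDuty finding."""
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    detail = event["detail"]
    label = severity_label(float(detail.get("severity", 0)))
    resource = detail.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if resource.get("resourceType") != "Instance" or not instance_id:
        return {"action": "ignore", "reason": "finding is not about an EC2 instance"}
    if label != "High":  # belt and braces: RULE_PATTERN should already drop these
        return {"action": "notify", "instance_id": instance_id, "severity": label}
    # Isolate by swapping the instance's security groups for a quarantine SG with no rules.
    return {"action": "isolate", "instance_id": instance_id, "groups": [quarantine_sg],
            "finding_type": detail.get("type"), "severity": label}

def isolate_instance(decision: dict, modify_instance_attribute) -> bool:
    """Apply an 'isolate' decision; the callable is boto3's ec2.modify_instance_attribute."""
    if decision["action"] != "isolate":
        return False
    modify_instance_attribute(InstanceId=decision["instance_id"], Groups=decision["groups"])
    return True

def lambda_handler(event, context):
    import boto3  # only needed inside Lambda; QUARANTINE_SG is an assumed env var
    decision = plan_response(event, os.environ["QUARANTINE_SG"])
    isolate_instance(decision, boto3.client("ec2").modify_instance_attribute)
    return decision

# Constructed sample event in the shape EventBridge delivers for a GuardDuty finding.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```

The quarantine security group must already exist with no inbound or outbound rules, and the function's execution role needs `ec2:ModifyInstanceAttribute` on the affected instances.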
How the Services Compose
These tools are designed to stack, and questions often combine them. A reference pattern: GuardDuty detects a compromised instance, Inspector confirms which unpatched CVE was exploited, Macie assesses whether the affected S3 data contained PII, and Security Hub aggregates all three findings into one normalized view scored against the AWS Foundational Security Best Practices and CIS standards. Config runs alongside to record exactly how the resource was configured at the time of the incident.
Recognizing that Security Hub is the aggregator — not a detector itself — prevents the common error of picking Security Hub when the task is actually detection.
Multi-Account Operation
All four support delegated administrator and org-wide aggregation through AWS Organizations, so a central Security Tooling account can view findings from every member account. This is the recommended enterprise pattern: enable GuardDuty, Inspector, Macie, and Security Hub org-wide, designate one security account as the delegated administrator, and route consolidated findings to that account's Security Hub.
Service-to-Telemetry Quick Reference
| Service | Primary Telemetry | One-Line Job |
|---|---|---|
| GuardDuty | CloudTrail, VPC Flow, DNS, EKS, RDS logins | Detect active threats |
| Inspector | EC2/ECR/Lambda software inventory | Find CVE vulnerabilities |
| Macie | S3 object content | Find sensitive data (PII) |
| Security Hub | Findings from the above + partners | Aggregate and score compliance |
Exam framing: Match the keyword — "mining/credentials" → GuardDuty, "CVE/patch" → Inspector, "PII in S3" → Macie, "single dashboard/CIS score" → Security Hub — then add EventBridge + Lambda if auto-remediation is required.
A security team must detect when EC2 instances are hijacked for cryptocurrency mining or contacted by command-and-control domains. Which service should they enable?
A compliance team must locate every S3 bucket that contains personally identifiable information. Which service is purpose-built for this?
After GuardDuty raises a high-severity finding, the company wants the offending instance isolated automatically with no human action. What design achieves this?