AWS Solutions Architect · Lesson

GuardDuty, Inspector, and Macie

Enable GuardDuty for threat detection, run Inspector for vulnerability scanning on EC2 and Lambda, and discover sensitive data in S3 with Macie.

The Threat Detection Layer

Defence-in-depth security requires not just preventing attacks but also detecting threats that slip through. AWS provides three managed security detection services that work together: Amazon GuardDuty detects threats by analysing AWS account behaviour and network traffic. Amazon Inspector finds software vulnerabilities in compute resources. Amazon Macie discovers sensitive data (PII, financial records) in S3 and alerts when it is exposed. All three are fully managed, use machine learning, and integrate with AWS Security Hub for centralised visibility.

# Detective controls overview:
# GuardDuty:  Who is behaving suspiciously? (threat detection)
# Inspector:  What vulnerabilities exist in my compute? (CVE scanning)
# Macie:      Where is my sensitive data? (PII/PCI discovery)

# All three:
# - Fully managed (no agents for most features)
# - Machine learning-based analysis
# - Send findings to Security Hub
# - Integrate with EventBridge for automated response

Amazon GuardDuty: Intelligent Threat Detection

Amazon GuardDuty is a continuous threat detection service that analyses VPC Flow Logs, DNS logs, CloudTrail management events, and S3 data events using machine learning, anomaly detection, and integrated threat intelligence feeds (IP reputation lists, known malicious domains). GuardDuty is agentless — you enable it in your account and it immediately starts analysing existing logs. No infrastructure to manage, no log storage costs (GuardDuty consumes the logs directly from AWS). It surfaces findings categorised by threat type: UnauthorizedAccess, CryptoCurrency, Backdoor, Trojan, and more.

# Enable GuardDuty
aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency FIFTEEN_MINUTES

# List GuardDuty findings (high severity only)
# <detector-id> is the DetectorId returned by create-detector,
# or by `aws guardduty list-detectors` if GuardDuty was already enabled
aws guardduty list-findings \
  --detector-id <detector-id> \
  --finding-criteria '{
    "Criterion": {
      "severity": {"Gte": 7}
    }
  }'

# High severity (7-10) examples:
# UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
# CryptoCurrency:EC2/BitcoinTool.B
# Backdoor:EC2/C&CActivity.B
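The overview says all three services send findings to EventBridge for automated response, and the GuardDuty section shows the severity filter used with `list-findings`. The following Python script is an added example, not code from this lesson or from AWS: it shows the EventBridge rule pattern that gates on the same severity threshold, a small local matcher so the rule can be exercised offline, and the triage a responder Lambda would perform (parsing the `ThreatPurpose:ResourceType/ThreatFamily.DetectionMechanism` type string, bucketing severity, picking out the affected resource). It assumes GuardDuty events arrive with source `aws.guardduty` and detail-type `GuardDuty Finding` with the finding document in `detail`; the sample event is constructed from the finding types named above, and its account, finding and instance IDs are placeholders.

```python
"""Triage high-severity GuardDuty findings delivered through EventBridge.

Added example for the lesson; not the lesson's or AWS's own code. It runs
offline: SAMPLE_EVENT is CONSTRUCTED from the finding types named in the
lesson, and its account, region, finding and instance IDs are placeholders.
Assumed: GuardDuty events reach EventBridge with source "aws.guardduty",
detail-type "GuardDuty Finding", and the finding (camelCase keys, numeric
`severity`) in `detail`.
"""
from __future__ import annotations

import operator

# EventBridge rule pattern: only findings with severity >= 7 (the lesson's
# High band) reach the responder, so Low/Medium noise never pages anyone.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}


def list_findings_criteria(min_severity: int = 7) -> dict:
    """The same threshold as --finding-criteria JSON for `aws guardduty list-findings`."""
    return {"Criterion": {"severity": {"Gte": min_severity}}}


_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _value_matches(value, rule) -> bool:
    """One EventBridge rule: an exact value, or {"numeric": [op, n, op, n, ...]}."""
    if isinstance(rule, dict) and "numeric" in rule:
        spec = rule["numeric"]
        if not isinstance(value, (int, float)) or isinstance(value, bool):
            return False
        # Numeric specs are (op, bound) pairs, e.g. [">", 0, "<=", 5].
        return all(_NUMERIC_OPS[spec[i]](value, spec[i + 1])
                   for i in range(0, len(spec), 2))
    return value == rule


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge matcher: every pattern key must match; a list means
    'any of these rules', a nested dict means 'descend into this object'."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], rule):
                return False
        elif not any(_value_matches(event[key], r) for r in rule):
            return False
    return True


def severity_label(score: float) -> str:
    """Bucket a GuardDuty severity score (1-10) using the lesson's bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_finding_type(finding_type: str) -> dict:
    """Split 'ThreatPurpose:ResourceType/ThreatFamily.DetectionMechanism[!Artifact]'."""
    purpose, rest = finding_type.split(":", 1)
    resource, rest = rest.split("/", 1)
    family, _, mechanism = rest.partition(".")
    mechanism, _, artifact = mechanism.partition("!")
    return {"threat_purpose": purpose, "resource_type": resource,
            "threat_family": family, "detection_mechanism": mechanism,
            "artifact": artifact}


def triage(event: dict) -> dict | None:
    """Return a triage record, or None when the rule pattern would drop the event."""
    if not matches_pattern(event, HIGH_SEVERITY_PATTERN):
        return None
    f = event["detail"]
    label = severity_label(f["severity"])
    resource = f.get("resource", {})
    instance_id = ""
    if resource.get("resourceType") == "Instance":  # only the EC2 shape handled here
        instance_id = resource.get("instanceDetails", {}).get("instanceId", "")
    return {
        "finding_id": f["id"], "account": f["accountId"],
        "severity": f["severity"], "label": label,
        **parse_finding_type(f["type"]),
        "resource_id": instance_id,
        # Defensive playbook hint: contain first, then preserve evidence.
        "response": ("isolate resource, snapshot for forensics, rotate credentials"
                     if label == "High" else "open ticket for analyst review"),
    }


SAMPLE_EVENT = {  # CONSTRUCTED sample event; all IDs are placeholders
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
        "id": "EXAMPLE0000000000000000000000000",
        "type": "CryptoCurrency:EC2/BitcoinTool.B", "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```

In a real deployment the pattern dict is what goes into the EventBridge rule and `triage` is the Lambda handler body; the local matcher exists only so the threshold logic can be unit-tested without an AWS account.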
