Amazon GuardDuty is a tool that performs threat detection functions in your AWS infrastructure. This optional service is not turned on in your AWS account by default.
When GuardDuty is enabled, it actively monitors the following:
AWS CloudTrail management events
AWS CloudTrail S3 data events
VPC flow logs
DNS logs
A feature called GuardDuty for S3 can also be enabled for an additional cost. To enable this feature, you must also enable standard GuardDuty. However, because GuardDuty can already access the S3 data events that are stored in CloudTrail, this extra protection may not be necessary.
Costs for GuardDuty are based on the number of events monitored (priced per million events). For logs, the cost is per gigabyte per month.
There are several key features for Amazon GuardDuty, including the following:
Account-level threat detection to determine whether AWS accounts may have been compromised
The ability to create automated threat response actions
Monitoring of potential reconnaissance attempts
Monitoring of possible EC2 instance compromises
Monitoring of possible S3 bucket compromises
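One way to build the automated response actions mentioned above, as an added example that is not part of this study guide or of GuardDuty itself: a triage routine that takes a GuardDuty finding delivered through an EventBridge event, parses the finding type (formatted ThreatPurpose:ResourceTypeAffected/ThreatFamilyName) and severity score, and picks a response tier. The sample event is constructed; the Low/Medium/High score bands follow GuardDuty's documented scale, and the response tiers are this example's own policy.

```python
import json
from dataclasses import dataclass

# Constructed sample EventBridge event (not a real finding). Field names
# follow the GuardDuty finding schema: detail.type, detail.severity,
# detail.resource.instanceDetails / detail.resource.s3BucketDetails.
SAMPLE_EVENT = json.dumps({
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
})

@dataclass
class Triage:
    purpose: str   # ThreatPurpose, e.g. Recon or UnauthorizedAccess
    resource: str  # resource type affected, e.g. EC2 or S3
    family: str    # threat family name
    level: str     # Low / Medium / High / Critical
    action: str    # response tier chosen by this example's own policy
    target: str    # affected instance id or bucket name, if present

def severity_label(score: float) -> str:
    # GuardDuty's documented bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9;
    # anything 9.0 or above is treated here as Critical.
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def parse_type(finding_type: str) -> tuple[str, str, str]:
    purpose, rest = finding_type.split(":", 1)
    resource, family = rest.split("/", 1)
    return purpose, resource, family

def triage(event_json: str) -> Triage:
    detail = json.loads(event_json)["detail"]
    purpose, resource, family = parse_type(detail["type"])
    level = severity_label(float(detail["severity"]))
    res = detail.get("resource", {})
    buckets = res.get("s3BucketDetails") or [{}]
    target = (res.get("instanceDetails", {}).get("instanceId")
              or buckets[0].get("name") or "")
    # Example policy: High+ findings on EC2 or S3 are isolated and paged,
    # reconnaissance is ticketed for review, everything else notifies.
    if level in ("High", "Critical") and resource in ("EC2", "S3"):
        action = "isolate-and-page"
    elif purpose == "Recon":
        action = "ticket"
    else:
        action = "notify"
    return Triage(purpose, resource, family, level, action, target)
```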
Amazon Inspector is a tool that helps you identify security vulnerabilities in applications that you deploy on an EC2 instance within AWS. For example, you might deploy an application on an EC2 instance and want to know whether that application has any potential security risks.
To use Amazon Inspector, you first install an agent on the EC2 instance. Two types of assessments can be configured: network assessments and host assessments. Network assessments are used to determine which network ports of your instance are available from outside of your VPC. Host assessments include the following:
Assessments based on Common Vulnerabilities and Exposures (CVEs)
Assessments based on host-hardening benchmarks from the Center for Internet Security (CIS)
Assessments based on security best practices, such as whether a root login via SSH is permitted or password complexity rules are in place
You do not need to install the Inspector Agent on the EC2 instance if you only want to perform network assessments. However, if you do install it, the network assessment also reports which service is using each reachable port.
The Amazon Inspector assessment checks report issues based on how severe they are. The following severity levels are used:
High: An alert that indicates a problem that is very likely to result in a security vulnerability. An example would be incorrect permissions on system directories.
Medium: An alert that is not critical but still urgent enough to warrant a review. An example would be not having password complexity rules in place.
Low: An alert that is not as urgent but should be addressed soon. The recommended way of handling these alerts is to address them the next time the service is updated.
Informational: Occasionally, Amazon Inspector provides an information alert. This doesn’t indicate a current issue with the security of your system but might be something to consider when your security policy is reviewed.
AWS Security Hub allows you to run security checks across your AWS environment automatically. It also allows you to gather alerts from the following security services into a central view:
Amazon GuardDuty
Amazon Inspector
IAM Access Analyzer
Amazon Macie
IAM Firewall Manager
Amazon System Manager
In-depth knowledge of some of the services that AWS Security Hub can gather alerts from, such as Amazon Macie, is not a specific exam requirement. However, you should be aware that AWS Security Hub can gather alerts from these services.