Wednesday, October 22, 2025

AWS - GuardDuty, Config & Security Hub



AWS GuardDuty

  • Type: Threat Detection Service (managed IDS/IPS-like).
  • What it does: Continuously monitors AWS accounts, workloads, and data stored in S3 for malicious activity or unauthorized behavior.
  • How it works:
    • Uses machine learning, anomaly detection, and threat intel feeds.
    • Detects issues like compromised IAM credentials, unusual API calls, port scans, cryptocurrency mining, data exfiltration, etc.
  • Integrations: Works with CloudWatch Events, Security Hub, EventBridge for automated remediation.
  • 👉 Think of it as your AWS security camera + alarm system.


AWS Config

  1. Type: Configuration & Compliance Monitoring.
  2. What it does: Tracks the state of AWS resources and ensures they comply with security and governance rules.
  3. Features:
    • Records configuration changes of resources (EC2, S3, IAM, VPC, etc.).
    • Lets you define rules (e.g., “S3 buckets must not be public”).
    • Provides audit trail of who changed what and when.
    • Helps with compliance (HIPAA, PCI, etc.).
  • 👉 Think of it as an auditor + recorder for your AWS resources.


AWS Security Hub

  1. Type: Centralized Security & Compliance Dashboard.
  2. What it does: Aggregates findings from multiple AWS services (GuardDuty, Inspector, Macie, Config, Firewall Manager, etc.) and even third-party security tools into one place.
  3. Features:
    • Provides a single-pane-of-glass view of security posture.
    • Runs compliance checks (CIS, PCI DSS, etc.).
    • Lets you automate responses via EventBridge or Lambda.
  • 👉 Think of it as a security command center that collects alerts from GuardDuty, Config, and others.


How They Work Together

  • GuardDuty: Detects threats.
  • Config: Ensures resources remain compliant.
  • Security Hub: Aggregates findings from GuardDuty, Config, and others into a single dashboard.


Example:

  • GuardDuty detects a suspicious API call from an unusual IP.
  • Config checks and finds that the IAM role has overly permissive access.
  • Security Hub aggregates these findings → you see a clear incident in one place → trigger automated remediation with Lambda.
