Wednesday, October 22, 2025

AWS - GuardDuty, Config & Security Hub

AWS GuardDuty

  • Type: Threat Detection Service (managed IDS/IPS-like).

  • What it does: Continuously monitors AWS accounts, workloads, and data stored in S3 for malicious activity or unauthorized behavior.

  • How it works:

    • Uses machine learning, anomaly detection, and threat intel feeds.

    • Detects issues like compromised IAM credentials, unusual API calls, port scans, cryptocurrency mining, data exfiltration, etc.

  • Integrations: Sends findings to Security Hub and to EventBridge (formerly CloudWatch Events), which can trigger automated remediation.

👉 Think of it as your AWS security camera + alarm system.


AWS Config

  • Type: Configuration & Compliance Monitoring.

  • What it does: Tracks the state of AWS resources and ensures they comply with security and governance rules.

  • Features:

    • Records configuration changes of resources (EC2, S3, IAM, VPC, etc.).

    • Lets you define rules (e.g., “S3 buckets must not be public”).

    • Provides audit trail of who changed what and when.

    • Helps with compliance (HIPAA, PCI, etc.).

👉 Think of it as an auditor + recorder for your AWS resources.


AWS Security Hub

  • Type: Centralized Security & Compliance Dashboard.

  • What it does: Aggregates findings from multiple AWS services (GuardDuty, Inspector, Macie, Config, Firewall Manager, etc.) and even third-party security tools into one place.

  • Features:

    • Provides a single-pane-of-glass view of security posture.

    • Runs compliance checks (CIS, PCI DSS, etc.).

    • Lets you automate responses via EventBridge or Lambda.

👉 Think of it as a security command center that collects alerts from GuardDuty, Config, and others.


How They Work Together

  • GuardDuty: Detects threats.

  • Config: Ensures resources remain compliant.

  • Security Hub: Aggregates findings from GuardDuty, Config, and others into a single dashboard.


Example:

  • GuardDuty detects a suspicious API call from an unusual IP.

  • Config checks and finds that the IAM role has overly permissive access.

  • Security Hub aggregates these findings → you see a clear incident in one place → trigger automated remediation with Lambda.
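The last step of that chain, as an added example that is not part of the original post: an EventBridge rule pattern that passes only active, high-severity GuardDuty findings from Security Hub to a Lambda function, and the function itself, which plans (and with dry_run=False executes) deactivation of the access key named in the finding. The rule placement, the "deactivate the key" choice, and the sample event are assumptions for this example; the ASFF field names follow the Security Hub finding format.

```python
# EventBridge rule pattern (assumed attached to the default bus): only ACTIVE GuardDuty
# findings imported into Security Hub with HIGH/CRITICAL severity invoke the function.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "ProductName": ["GuardDuty"],
        "RecordState": ["ACTIVE"],
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
    }},
}

def plan_remediation(finding):
    """Re-check the rule's fields in code, then plan one action per containable resource."""
    if finding.get("ProductName") != "GuardDuty" or finding.get("RecordState") != "ACTIVE":
        return []
    if finding.get("Severity", {}).get("Label") not in ("HIGH", "CRITICAL"):
        return []
    plans = []
    for res in finding.get("Resources", []):
        if res.get("Type") == "AwsIamAccessKey":  # suspected compromised credential
            key = res.get("Details", {}).get("AwsIamAccessKey", {})
            plans.append({"action": "deactivate_access_key", "finding": finding["Id"],
                          "user": key.get("PrincipalName"),
                          "key_id": key.get("AccessKeyId", res.get("Id"))})
    return plans

def lambda_handler(event, context=None, dry_run=True):
    """Return the remediation plan; with dry_run=False also execute it against IAM."""
    findings = event.get("detail", {}).get("findings", [])
    plans = [p for f in findings for p in plan_remediation(f)]
    if not dry_run:
        import boto3  # imported lazily so the module also runs without AWS access
        iam = boto3.client("iam")
        for p in plans:  # deactivate rather than delete, so the key can still be examined
            iam.update_access_key(UserName=p["user"], AccessKeyId=p["key_id"], Status="Inactive")
    return plans

# Constructed sample event, shaped like a trimmed Security Hub -> EventBridge event.
SAMPLE_EVENT = {
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:guardduty:us-east-1:111122223333:detector/EXAMPLE/finding/EXAMPLE1",
        "ProductName": "GuardDuty", "RecordState": "ACTIVE", "Severity": {"Label": "HIGH"},
        "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE", "Details": {
            "AwsIamAccessKey": {"PrincipalName": "deploy-bot", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE"}}}],
    }]},
}
```

Lambda calls the handler as lambda_handler(event, context), so the deployed copy should flip the dry_run default (or read it from an environment variable) once the plan output in CloudWatch Logs looks right.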
