Domain 1: Detection¶
Detection covers how to design, implement, monitor, alert, log, analyze, and troubleshoot security visibility across AWS accounts, workloads, and organizations.
This domain focuses on building the visibility layer required to identify security events, investigate suspicious activity, and support incident response.
What You Need to Know¶
For the AWS Certified Security Specialty exam, you should understand how to:
- Design monitoring and alerting solutions for AWS accounts and organizations
- Configure service and workload logging
- Aggregate security events across accounts and Regions
- Use AWS-native security services to detect anomalous behavior
- Build dashboards, metrics, and alerts
- Analyze logs with AWS services
- Troubleshoot missing, incomplete, or misconfigured logs
Topics in This Domain¶
Monitoring and Alerting¶
Design and implement metrics, alarms, dashboards, health checks, anomaly detection, and security alerts.
Focus areas:
- Amazon CloudWatch metrics and alarms
- AWS Health events
- EventBridge rules
- Security Hub findings
- GuardDuty alerts
- Macie findings
- Centralized alerting patterns
Logging and Observability¶
Design and implement logging strategies for AWS services, applications, workloads, and network activity.
Focus areas:
- AWS CloudTrail
- CloudTrail organization trails
- CloudTrail Lake
- CloudWatch Logs
- VPC Flow Logs
- Transit Gateway Flow Logs
- Route 53 Resolver query logs
- S3 server access logs and CloudTrail data events
- Centralized log storage
Security Analytics¶
Analyze, normalize, correlate, and investigate security events using AWS services.
Focus areas:
- Amazon Athena
- Amazon OpenSearch Service
- Amazon Security Lake
- AWS Security Hub
- Amazon Detective
- CloudWatch Logs Insights
- Amazon Managed Grafana
Detection Automation¶
Automate security detection, assessment, investigation, and response workflows.
Focus areas:
- EventBridge
- AWS Lambda
- AWS Systems Manager
- AWS Config rules
- AWS Config conformance packs
- Security Hub automation rules
- Step Functions
- Automated enrichment and notification patterns
Troubleshooting¶
Troubleshoot security monitoring, logging, and alerting solutions.
Focus areas:
- Missing CloudTrail events
- Missing CloudWatch logs
- Incorrect IAM permissions
- Misconfigured log destinations
- Broken subscription filters
- Incomplete organization logging
- Region-specific logging gaps
- Service-linked role issues
Core AWS Services¶
You should be comfortable with the following services for this domain:
- Amazon GuardDuty
- AWS Security Hub
- Amazon Security Lake
- Amazon Macie
- AWS CloudTrail
- AWS CloudTrail Lake
- Amazon CloudWatch
- AWS Config
- Amazon Detective
- Amazon Athena
- Amazon OpenSearch Service
- Amazon Managed Grafana
- Amazon VPC Flow Logs
Exam Tips¶
- CloudTrail records API activity. It does not replace workload logs.
- CloudTrail management events and data events are different.
- Organization trails help centralize logging across AWS accounts.
- GuardDuty detects threats but does not automatically block them.
- Security Hub aggregates findings and checks, but it is not a log analytics tool.
- Security Lake stores security data in OCSF format for analytics.
- Macie is focused on sensitive data discovery, especially in Amazon S3.
- VPC Flow Logs show network metadata, not packet payloads.
- Athena is commonly used to query logs stored in S3.
- Detective helps investigate relationships and activity after a finding.
Suggested Study Order¶
- Start with Monitoring and Alerting.
- Study Logging and Observability.
- Review Security Analytics.
- Learn Detection Automation patterns.
- Finish with Troubleshooting scenarios.