# Domain 1 — Detection (16%)
Detect threats, aggregate findings, monitor workloads, analyze logs, and automate assessments.
## 1. Monitoring & Alerting

Core Services:

- Amazon CloudWatch
- Amazon GuardDuty
- AWS Security Hub
- Amazon Security Lake
- Amazon Macie

Know:

- Metrics
- Alarms
- Dashboards
- Event aggregation
- Findings
- Threat detection
- Anomaly detection
## 2. Logging

Core Services:

- AWS CloudTrail
- AWS CloudTrail Lake
- Amazon CloudWatch
- Amazon VPC Flow Logs
- Amazon Route 53 Resolver DNS Firewall

Know:

- Organization trails
- Central logging
- Retention
- Log ingestion
- Cross-account logging
## 3. Log Storage & Analytics

Core Services:

- Amazon Security Lake
- Amazon Athena
- Amazon OpenSearch Service
- Amazon Managed Grafana
- AWS Lambda

Know:

- OCSF (Open Cybersecurity Schema Framework)
- Query logs
- Correlation
- Visualization
- SIEM integration
## 4. Detection Automation

Core Services:

- AWS Config
- AWS Systems Manager
- AWS Security Hub
- AWS Lambda

Know:

- Conformance packs
- Auto remediation
- Compliance checks
- Scheduled assessments
## 5. Troubleshooting Detection

Core Services:

- Amazon CloudWatch
- AWS Lambda
- Amazon API Gateway
- Amazon CloudFront

Know:

- Missing logs
- Agent failures
- Permissions
- Health checks
## Most Important Comparisons

| If the question says | Service |
|---|---|
| Threat detection | GuardDuty |
| Sensitive data discovery | Macie |
| Central findings | Security Hub |
| Log storage | Security Lake |
| Audit trail | CloudTrail |
| Search logs | Athena |
| Visualization | Grafana |
| Compliance | Config |
| Metrics & alarms | CloudWatch |
## Detection Flow
CloudTrail → Security Lake → Security Hub → GuardDuty → EventBridge → Lambda → Notification
## Exam Weight
16%