# Monitoring & Alerting

## Goal

Detect threats, operational issues, and abnormal security activity.

## Core Services
| Service | Purpose |
|---|---|
| CloudWatch | Metrics, alarms, dashboards |
| GuardDuty | Threat detection |
| Security Hub | Aggregate findings |
| Security Lake | Centralized security data |
| Macie | Sensitive data detection |
## Detection Flow

Resources → CloudWatch → GuardDuty → Security Hub → EventBridge → Notifications

## What To Know

### CloudWatch
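The last two hops of that flow, Security Hub → EventBridge → Notifications, are driven by an EventBridge rule whose event pattern decides which findings reach the notification target. The Python below is an added example, not code from this page or from AWS: `matches` is a simplified reimplementation of EventBridge's exact-match pattern rules, the `HIGH_SEVERITY_NEW_FINDINGS` pattern and the sample finding events are constructed, and `route_to_sns` only stands in for the SNS target.

```python
"""Added example: decide which Security Hub findings an EventBridge rule would forward.
The matcher mimics EventBridge exact-match semantics; it is not the AWS service."""

# Event pattern you would attach to an EventBridge rule targeting an SNS topic:
# only NEW findings labelled HIGH or CRITICAL produce a notification.
HIGH_SEVERITY_NEW_FINDINGS = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "Workflow": {"Status": ["NEW"]},
        }
    },
}


def matches(pattern, event):
    """A list in the pattern = allowed values; a dict is matched key by key and every
    key must exist; if the event value is a list (detail.findings), any element may match."""
    if isinstance(pattern, list):
        if isinstance(event, list):
            return any(value in pattern for value in event)
        return event in pattern
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if not isinstance(event, dict):
        return False
    return all(key in event and matches(sub, event[key]) for key, sub in pattern.items())


def finding_event(label, status, title):
    """Constructed 'Security Hub Findings - Imported' event, trimmed to the inspected fields."""
    finding = {"Title": title, "Severity": {"Label": label}, "Workflow": {"Status": status}}
    return {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [finding]}}


SAMPLE_EVENTS = [  # constructed sample input
    finding_event("CRITICAL", "NEW", "Root account used without MFA"),
    finding_event("LOW", "NEW", "S3 bucket versioning disabled"),
    finding_event("HIGH", "RESOLVED", "Security group open to the world (already fixed)"),
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {"severity": 8}},
]


def route_to_sns(events, pattern=HIGH_SEVERITY_NEW_FINDINGS):
    """Titles of findings the rule forwards; EventBridge sends the whole matching event."""
    notified = []
    for event in events:
        if matches(pattern, event):
            notified.extend(f["Title"] for f in event["detail"]["findings"])
    return notified


if __name__ == "__main__":
    for title in route_to_sns(SAMPLE_EVENTS):
        print("notify:", title)  # prints only the CRITICAL/NEW finding
```

The raw GuardDuty event is dropped here only because its `source` differs; in the page's flow it reaches EventBridge after Security Hub has imported and normalized it.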
- Metrics
- Alarms
- Dashboards
- Metric filters
- Composite alarms
### GuardDuty
- Threat intelligence
- Malware detection
- Runtime monitoring
### Security Hub
- Central findings
- Cross-account aggregation
### Security Lake

- OCSF (Open Cybersecurity Schema Framework) normalization

### Macie
- Sensitive data alerts
## Exam Trigger Words

- "anomalous activity" → GuardDuty
- "dashboard" → CloudWatch
- "single pane of glass" → Security Hub

## Common Trap
GuardDuty detects.
Security Hub aggregates.
Security Lake stores.