Monitoring and Alerting¶
Overview¶
Monitoring and alerting are foundational security capabilities in AWS. Organizations must continuously monitor workloads, identities, network activity, API calls, and data access patterns to identify threats, operational issues, and compliance violations.
For the AWS Certified Security Specialty (SCS-C03) exam, monitoring and alerting questions often focus on selecting the correct AWS service to detect, aggregate, investigate, notify, or automate responses to security events.
Exam Objectives¶
You should be able to:
- Design monitoring solutions for AWS workloads
- Implement security-focused alerting strategies
- Aggregate findings across AWS accounts
- Detect anomalous behavior
- Build centralized monitoring architectures
- Automate alerts and responses
Core AWS Services¶
| Service | Primary Purpose |
|---|---|
| Amazon CloudWatch | Metrics, alarms, dashboards, logs |
| Amazon GuardDuty | Threat detection |
| AWS Security Hub | Centralized security findings |
| Amazon Security Lake | Centralized security data |
| Amazon Macie | Sensitive data discovery |
| Amazon Detective | Investigation and analysis |
| AWS Config | Configuration monitoring |
| Amazon EventBridge | Event routing and automation |
Typical Monitoring Architecture¶
flowchart LR
A[Workloads] --> B[CloudTrail]
A --> C[CloudWatch]
A --> D[VPC Flow Logs]
B --> E[GuardDuty]
C --> E
D --> E
E --> F[Security Hub]
F --> G[EventBridge]
G --> H[SNS]
G --> I[Lambda]
G --> J[Systems Manager]
Amazon CloudWatch¶
Purpose¶
Provides operational visibility through metrics, alarms, dashboards, logs, anomaly detection, and monitoring.
Security Use Cases¶
- Monitor root account usage
- Detect failed login attempts
- Track unusual API activity
- Alert on infrastructure anomalies
- Generate dashboards for security operations
Key Features¶
- Metrics
- Alarms
- Composite Alarms
- Dashboards
- Metric Filters
- CloudWatch Logs
- CloudWatch Logs Insights
- Anomaly Detection
Exam Tips¶
- CloudWatch stores metrics.
- CloudWatch Logs stores log events.
- Metric Filters can convert log events into metrics.
- Composite Alarms help reduce alert fatigue.
Amazon GuardDuty¶
Purpose¶
Threat detection service that continuously analyzes AWS data sources for malicious activity and suspicious behavior.
Data Sources¶
- AWS CloudTrail Management Events
- AWS CloudTrail Data Events
- VPC Flow Logs
- Route 53 DNS Logs
- EKS Audit Logs
- Malware Protection
Example Findings¶
- Credential compromise
- Cryptocurrency mining
- Port scanning
- Malware activity
- Suspicious API calls
Exam Tips¶
- GuardDuty detects threats.
- GuardDuty does not block threats.
- GuardDuty findings can be forwarded to Security Hub.
AWS Security Hub¶
Purpose¶
Provides a centralized view of security posture and findings across AWS accounts.
Features¶
- Security standards
- Compliance checks
- Cross-account aggregation
- Cross-region aggregation
- Centralized findings
Integrations¶
- GuardDuty
- Macie
- Inspector
- IAM Access Analyzer
- AWS Config
Exam Tips¶
- Security Hub aggregates findings.
- Security Hub is not a log analytics platform.
- Security Hub is often described as a "single pane of glass."
Amazon Security Lake¶
Purpose¶
Centralized security data lake built on Amazon S3.
Benefits¶
- OCSF normalization
- Centralized storage
- Multi-account visibility
- Long-term retention
- Security analytics integration
Integrations¶
- CloudTrail
- VPC Flow Logs
- Route 53 Resolver Logs
- GuardDuty
- Security Hub
Exam Tips¶
- Security Lake stores security data.
- Security Lake normalizes security data.
- Security Lake does not replace Security Hub.
Amazon Macie¶
Purpose¶
Discovers, classifies, and protects sensitive data stored in Amazon S3.
Detects¶
- Personally Identifiable Information (PII)
- Financial records
- Credentials
- Sensitive business data
Common Exam Triggers¶
- Sensitive data discovery
- PII detection
- Data classification
- S3 security assessment
Correct Service¶
Amazon Macie
Amazon Detective¶
Purpose¶
Investigates and analyzes security findings.
Use Cases¶
- Investigate GuardDuty findings
- Analyze user behavior
- Explore relationships between AWS resources
- Accelerate incident investigations
Exam Tips¶
- Detective investigates.
- GuardDuty detects.
- Security Hub aggregates.
Common Exam Scenarios¶
Scenario 1¶
A company wants to detect compromised credentials and unusual API activity.
Best Service¶
Amazon GuardDuty
Scenario 2¶
A security team wants a single dashboard showing findings from multiple AWS accounts.
Best Service¶
AWS Security Hub
Scenario 3¶
A company wants centralized storage for security logs and findings.
Best Service¶
Amazon Security Lake
Scenario 4¶
A company needs to identify PII stored in Amazon S3.
Best Service¶
Amazon Macie
Common Exam Traps¶
| Requirement | Correct Service |
|---|---|
| Threat Detection | GuardDuty |
| Findings Aggregation | Security Hub |
| Security Data Lake | Security Lake |
| Sensitive Data Discovery | Macie |
| Investigation | Detective |
| Metrics and Dashboards | CloudWatch |
| Event Automation | EventBridge |
5-Second Recall¶
- CloudWatch → Metrics and Alarms
- GuardDuty → Threat Detection
- Security Hub → Findings Aggregation
- Security Lake → Security Data Storage
- Macie → Sensitive Data Discovery
- Detective → Investigation
- EventBridge → Automation
Key Takeaways¶
- CloudWatch monitors.
- GuardDuty detects.
- Security Hub aggregates.
- Security Lake stores.
- Macie classifies.
- Detective investigates.
Understanding the differences between these services is critical for success in the AWS Certified Security Specialty (SCS-C03) exam.