Skip to content

Monitoring and Alerting

Overview

Monitoring and alerting are foundational security capabilities in AWS. Organizations must continuously monitor workloads, identities, network activity, API calls, and data access patterns to identify threats, operational issues, and compliance violations.

For the AWS Certified Security Specialty (SCS-C03) exam, monitoring and alerting questions often focus on selecting the correct AWS service to detect, aggregate, investigate, notify, or automate responses to security events.


Exam Objectives

You should be able to:

  • Design monitoring solutions for AWS workloads
  • Implement security-focused alerting strategies
  • Aggregate findings across AWS accounts
  • Detect anomalous behavior
  • Build centralized monitoring architectures
  • Automate alerts and responses

Core AWS Services

Service Primary Purpose
Amazon CloudWatch Metrics, alarms, dashboards, logs
Amazon GuardDuty Threat detection
AWS Security Hub Centralized security findings
Amazon Security Lake Centralized security data
Amazon Macie Sensitive data discovery
Amazon Detective Investigation and analysis
AWS Config Configuration monitoring
Amazon EventBridge Event routing and automation

Typical Monitoring Architecture

flowchart LR

A[Workloads] --> B[CloudTrail]
A --> C[CloudWatch]
A --> D[VPC Flow Logs]

B --> E[GuardDuty]
C --> E
D --> E

E --> F[Security Hub]

F --> G[EventBridge]

G --> H[SNS]
G --> I[Lambda]
G --> J[Systems Manager]

Amazon CloudWatch

Purpose

Provides operational visibility through metrics, alarms, dashboards, logs, anomaly detection, and monitoring.

Security Use Cases

  • Monitor root account usage
  • Detect failed login attempts
  • Track unusual API activity
  • Alert on infrastructure anomalies
  • Generate dashboards for security operations

Key Features

  • Metrics
  • Alarms
  • Composite Alarms
  • Dashboards
  • Metric Filters
  • CloudWatch Logs
  • CloudWatch Logs Insights
  • Anomaly Detection

Exam Tips

  • CloudWatch stores metrics.
  • CloudWatch Logs stores log events.
  • Metric Filters can convert log events into metrics.
  • Composite Alarms help reduce alert fatigue.

Amazon GuardDuty

Purpose

Threat detection service that continuously analyzes AWS data sources for malicious activity and suspicious behavior.

Data Sources

  • AWS CloudTrail Management Events
  • AWS CloudTrail Data Events
  • VPC Flow Logs
  • Route 53 DNS Logs
  • EKS Audit Logs
  • Malware Protection

Example Findings

  • Credential compromise
  • Cryptocurrency mining
  • Port scanning
  • Malware activity
  • Suspicious API calls

Exam Tips

  • GuardDuty detects threats.
  • GuardDuty does not block threats.
  • GuardDuty findings can be forwarded to Security Hub.

AWS Security Hub

Purpose

Provides a centralized view of security posture and findings across AWS accounts.

Features

  • Security standards
  • Compliance checks
  • Cross-account aggregation
  • Cross-region aggregation
  • Centralized findings

Integrations

  • GuardDuty
  • Macie
  • Inspector
  • IAM Access Analyzer
  • AWS Config

Exam Tips

  • Security Hub aggregates findings.
  • Security Hub is not a log analytics platform.
  • Security Hub is often described as a "single pane of glass."

Amazon Security Lake

Purpose

Centralized security data lake built on Amazon S3.

Benefits

  • OCSF normalization
  • Centralized storage
  • Multi-account visibility
  • Long-term retention
  • Security analytics integration

Integrations

  • CloudTrail
  • VPC Flow Logs
  • Route 53 Resolver Logs
  • GuardDuty
  • Security Hub

Exam Tips

  • Security Lake stores security data.
  • Security Lake normalizes security data.
  • Security Lake does not replace Security Hub.

Amazon Macie

Purpose

Discovers, classifies, and protects sensitive data stored in Amazon S3.

Detects

  • Personally Identifiable Information (PII)
  • Financial records
  • Credentials
  • Sensitive business data

Common Exam Triggers

  • Sensitive data discovery
  • PII detection
  • Data classification
  • S3 security assessment

Correct Service

Amazon Macie


Amazon Detective

Purpose

Investigates and analyzes security findings.

Use Cases

  • Investigate GuardDuty findings
  • Analyze user behavior
  • Explore relationships between AWS resources
  • Accelerate incident investigations

Exam Tips

  • Detective investigates.
  • GuardDuty detects.
  • Security Hub aggregates.

Common Exam Scenarios

Scenario 1

A company wants to detect compromised credentials and unusual API activity.

Best Service

Amazon GuardDuty


Scenario 2

A security team wants a single dashboard showing findings from multiple AWS accounts.

Best Service

AWS Security Hub


Scenario 3

A company wants centralized storage for security logs and findings.

Best Service

Amazon Security Lake


Scenario 4

A company needs to identify PII stored in Amazon S3.

Best Service

Amazon Macie


Common Exam Traps

Requirement Correct Service
Threat Detection GuardDuty
Findings Aggregation Security Hub
Security Data Lake Security Lake
Sensitive Data Discovery Macie
Investigation Detective
Metrics and Dashboards CloudWatch
Event Automation EventBridge

5-Second Recall

  • CloudWatch → Metrics and Alarms
  • GuardDuty → Threat Detection
  • Security Hub → Findings Aggregation
  • Security Lake → Security Data Storage
  • Macie → Sensitive Data Discovery
  • Detective → Investigation
  • EventBridge → Automation

Key Takeaways

  • CloudWatch monitors.
  • GuardDuty detects.
  • Security Hub aggregates.
  • Security Lake stores.
  • Macie classifies.
  • Detective investigates.

Understanding the differences between these services is critical for success in the AWS Certified Security Specialty (SCS-C03) exam.