
Detecting Security Threats and Anomalies

This section addresses the following exam objectives:

Domain 1: Incident Response
Task Statement 1.2: Detect security threats and anomalies using AWS services


1. Understanding Threat Detection in AWS

Threat detection in AWS is built around managed, continuously running security services that monitor API activity, network traffic, resource configurations, and data access patterns to identify malicious behavior, vulnerabilities, and compliance gaps. They reduce the need to build and maintain custom detection pipelines, and they integrate across AWS accounts and Regions through AWS Organizations and delegated administrator accounts.

From an exam perspective, your primary challenge is recognizing which AWS service is best suited for a specific detection scenario—whether that involves anomalous API activity, exposed sensitive data, configuration drift, or software vulnerabilities.


2. AWS Managed Security Services for Threat Detection

AWS provides a comprehensive set of purpose-built security services, each targeting a distinct aspect of threat detection. Understanding the scope and strengths of each service is critical for answering exam questions correctly.

Amazon GuardDuty analyzes CloudTrail management events, VPC Flow Logs, and Route 53 DNS query logs (plus optional sources such as S3 data events, EKS audit logs, and runtime monitoring for EC2, ECS, and EKS) with machine learning and threat intelligence feeds to identify threats such as compromised or misused credentials, suspicious EC2 behavior (cryptomining, command-and-control traffic), anomalous API calls, and EKS runtime threats.

Amazon Macie uses managed and custom data identifiers to discover and report sensitive data stored in Amazon S3, particularly personally identifiable information (PII), financial data, and credentials, and it also evaluates bucket-level exposure such as public access and missing encryption.

Amazon Inspector continuously scans EC2 instances, container images in Amazon ECR, and Lambda functions for known software vulnerabilities (CVEs) and, for EC2, unintended network reachability; each finding carries a score that accounts for exploitability and exposure.

AWS Config records resource configuration history and detects drift and policy violations by evaluating each configuration change against managed or custom rules, which can be grouped into conformance packs and deployed across an organization.

IAM Access Analyzer identifies unintended public or cross-account access by analyzing resource-based policies (S3 buckets, KMS keys, IAM role trust policies, and others) against a zone of trust defined by your account or organization; it can also validate policies and report unused access.

These services form the foundation of AWS-native detection. GuardDuty appears frequently on the exam because it integrates closely with Security Hub and Detective for centralized analysis and investigation.


3. Anomaly Detection and Correlation Techniques

Effective threat detection goes beyond identifying isolated events—it requires recognizing anomalies and correlating multiple findings to uncover broader attack patterns. AWS uses machine learning models and log analysis to detect unusual behavior, while correlation services help connect related events across accounts and services.

Anomaly detection compares current activity against historical baselines to identify deviations, commonly using GuardDuty or CloudWatch Anomaly Detection.

Correlation links findings across services to identify root causes and attack paths. Amazon Detective is purpose-built for this role: it builds a behavior graph from CloudTrail, VPC Flow Logs, and GuardDuty findings, and can also ingest Security Hub findings (in ASFF) and EKS audit logs, so an analyst can pivot from a finding to the principals, IP addresses, and resources involved.

Search and validation involve querying logs directly to confirm suspicious activity. Amazon Athena and CloudTrail Lake are commonly used to validate anomalies at scale.

For exam scenarios, remember: Detective correlates, Athena validates.


4. Using Visualizations to Identify Anomalies

Visual representations help security teams detect trends and deviations that may be difficult to spot in raw logs. AWS provides both native visualization tools and integrations for advanced analytics.

CloudWatch dashboards visualize metrics, alarms, and log-derived metrics in near real time.

Security Hub Insights aggregate and summarize findings across accounts and Regions, highlighting recurring or high-severity issues.

Amazon QuickSight enables custom dashboards by visualizing Athena query results for deeper analysis.

In exam questions, CloudWatch is typically used for metric-based visualization, while Security Hub focuses on aggregated security findings.


5. Centralizing Security Findings

Centralization is essential for maintaining a consistent security posture across multi-account AWS environments. AWS Security Hub, using the AWS Security Finding Format (ASFF), aggregates findings from GuardDuty, Macie, Inspector, Config, IAM Access Analyzer, and supported third-party tools.

Security Hub publishes every finding to Amazon EventBridge, so rules can trigger automated responses (Lambda, Step Functions, Systems Manager Automation), and it uses a delegated administrator account in AWS Organizations to aggregate findings from all member accounts and, with cross-Region aggregation, from all Regions.

For exam questions involving multi-account visibility or centralized monitoring, the correct answer almost always includes Security Hub + ASFF + EventBridge.


6. Evaluating and Searching Security Findings

Once findings are collected, they must be evaluated for severity, context, and accuracy. Different AWS services generate different types of findings, each requiring appropriate follow-up actions.

GuardDuty findings typically indicate malicious behavior such as credential misuse or cryptomining.
Macie findings highlight sensitive data exposure in S3.
Inspector findings identify software vulnerabilities.
Config findings indicate non-compliant resource configurations.

For deeper analysis, Amazon Detective correlates findings across services, while Athena and CloudTrail Lake are used to validate events by querying logs directly.

On the exam, always connect detection → correlation → validation.


7. Metric Filters and Dashboards

CloudWatch metric filters convert specific log patterns in a CloudWatch Logs log group (for example, a CloudTrail trail delivered to CloudWatch Logs) into numerical metrics that can be tracked over time. Those metrics can be graphed on CloudWatch dashboards and used to trigger CloudWatch alarms, which typically notify through Amazon SNS.

Metric filters are commonly used to detect anomalies such as repeated failed console logins (ConsoleLogin events whose errorMessage is "Failed authentication"), unauthorized API calls (errorCode AccessDenied or UnauthorizedOperation), root account usage, or spikes in API errors; the CIS AWS Foundations Benchmark prescribes a standard set of such filters and alarms. They often serve as the first layer of anomaly detection before security-specific services are engaged.

For exam scenarios involving log-based detection, CloudWatch metric filters are a strong indicator of the correct solution.


8. Hands-On Example: Querying Security Events with Athena

Amazon Athena runs SQL queries directly against CloudTrail logs, VPC Flow Logs, and other security data stored in Amazon S3, with no data loading. This makes it ideal for validating whether suspicious activity flagged by GuardDuty or a metric filter represents a real threat, and for reconstructing what a principal did over a long time range.

Athena is frequently the correct exam answer when large-scale log analysis, historical investigation, or event validation is required—especially when CloudTrail data is involved.
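The following queries are an added worked example for this section (and for the detection → correlation → validation flow in section 6); they are not part of the original notes. They assume a table named cloudtrail_logs created with the CloudTrail DDL from the Athena documentation, in which useridentity is a struct and eventtime is an ISO 8601 string. The account ID, role session ARN, dates, and the CloudTrail Lake event data store ID are placeholders.

```sql
-- Added example (not from the original notes). Assumes cloudtrail_logs was
-- created with the CloudTrail DDL from the Athena docs. ARN, account ID,
-- dates and the event data store ID below are placeholders.

-- Query 1: validate a GuardDuty finding about anomalous API calls by a
-- principal. Breaking the calls down by service, action, outcome and source
-- IP shows whether this looks like reconnaissance (many Describe*/List*
-- calls, many AccessDenied) or a legitimate job.
SELECT
    eventsource,
    eventname,
    COALESCE(errorcode, 'Success') AS outcome,
    sourceipaddress,
    COUNT(*)       AS calls,
    MIN(eventtime) AS first_seen,
    MAX(eventtime) AS last_seen
FROM cloudtrail_logs
WHERE useridentity.arn = 'arn:aws:sts::123456789012:assumed-role/app-role/i-0123456789abcdef0'
  -- CloudTrail writes eventtime as 'YYYY-MM-DDTHH:MM:SSZ', so plain string
  -- comparison orders correctly and avoids a timestamp conversion per row.
  AND eventtime BETWEEN '2024-03-01T00:00:00Z' AND '2024-03-01T23:59:59Z'
GROUP BY 1, 2, 3, 4
ORDER BY calls DESC
LIMIT 100;

-- Query 2: the historical counterpart of the CIS "failed console login"
-- metric filter from section 7. A metric filter counts these events as they
-- arrive; this query reconstructs the same count per source IP and hour
-- over any past window, which is what you need when validating an alarm.
SELECT
    date_trunc('hour', from_iso8601_timestamp(eventtime)) AS hour_bucket,
    sourceipaddress,
    COUNT(*) AS failed_logins
FROM cloudtrail_logs
WHERE eventname = 'ConsoleLogin'
  AND errormessage = 'Failed authentication'
  AND eventtime >= '2024-03-01T00:00:00Z'
GROUP BY 1, 2
HAVING COUNT(*) >= 10
ORDER BY failed_logins DESC;

-- Query 3: the same validation as Query 1 in CloudTrail Lake, which needs no
-- table definition. The FROM clause is the event data store ID (placeholder
-- here), field names keep CloudTrail's camelCase, and eventTime is a real
-- timestamp compared against 'YYYY-MM-DD HH:MM:SS' strings.
SELECT eventSource, eventName, errorCode, sourceIPAddress, COUNT(*) AS calls
FROM 00000000-0000-0000-0000-000000000000
WHERE userIdentity.arn = 'arn:aws:sts::123456789012:assumed-role/app-role/i-0123456789abcdef0'
  AND eventTime > '2024-03-01 00:00:00'
  AND eventTime < '2024-03-02 00:00:00'
GROUP BY eventSource, eventName, errorCode, sourceIPAddress
ORDER BY calls DESC;
```

If the Athena table is partitioned (the documented DDL with partition projection on region and date), add predicates on the partition columns as well; a predicate on eventtime alone does not prune partitions, and an unbounded scan of a multi-year CloudTrail bucket is the most common reason these queries are slow and expensive.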


9. Key Exam Tips

Threat detection questions are almost always service-mapping exercises. Focus on selecting the AWS-native service designed for the specific detection task.

GuardDuty is the primary service for near-real-time threat and anomaly detection.
Detective is used for correlation and investigation across findings.
Security Hub centralizes findings using ASFF, especially in multi-account setups.
CloudWatch handles metric- and log-based anomaly detection.
Athena and CloudTrail Lake validate events through log analysis.
Macie detects sensitive data exposure.
Inspector identifies vulnerabilities.
Config detects misconfigurations.
IAM Access Analyzer finds unintended access.

Avoid answers that rely on manual analysis or custom-built systems—automation and managed services are almost always preferred.


Final Thoughts

Detecting security threats and anomalies in AWS requires a layered, integrated approach that combines managed detection services, anomaly identification, correlation, and validation. For the exam, focus on understanding the unique role of each service and how findings flow through a typical detection pipeline:

Detection → Centralization → Correlation → Validation → Visualization

Mastering these patterns will prepare you not only for exam success, but also for designing effective, real-world AWS security monitoring solutions.
