Detection and Monitoring in AWS

AWS Certified Security Specialty Exam Notes and Practice Tests Detection and Monitoring in AWS

This section focuses on the following exam objectives:

Domain 1: Detection
Task Statement 1.1: Design and implement monitoring and alerting solutions for an AWS account or organization

1. Understanding Detection and Monitoring in AWS

Detection in AWS involves continuously observing workloads, identifying anomalies, and triggering automated responses before issues escalate into security incidents.

Unlike traditional environments, AWS systems are:

API-driven
Highly dynamic (ephemeral)
Distributed across multiple services and accounts

Because of this, monitoring must be:

Centralized
Automated
Intelligent

Exam Focus

In scenario-based questions, you will be expected to:

Select the appropriate monitoring service
Design scalable detection architectures
Prefer automation over manual processes

AWS Best Practices for Detection and Monitoring

Best Practice	Description	AWS Services
Workload Analysis	Identify monitoring needs based on workload type	CloudWatch, CloudTrail
Centralized Logging	Aggregate logs across accounts	CloudWatch Logs, S3, Security Lake
Threat Detection	Use managed detection services	GuardDuty, Macie, Inspector
Alerting	Configure real-time alerts	CloudWatch Alarms, SNS
Automation	Trigger remediation workflows	EventBridge, Lambda
Compliance Monitoring	Enforce compliance checks	AWS Config, Conformance Packs
Visualization	Monitor trends and anomalies	CloudWatch Dashboards

2. Analyzing Workloads for Monitoring Requirements

Monitoring begins with understanding workload behavior and associated risks.

Workload-Based Monitoring

Workload Type	Monitoring Focus	AWS Services
EC2 / Compute	CPU, memory, system logs	CloudWatch, GuardDuty
S3 / Storage	Access patterns, data exposure	Macie, CloudTrail
IAM / Identity	Login attempts, API activity	CloudTrail, GuardDuty
Networking	Traffic anomalies	VPC Flow Logs

Exam Tip

Always apply this mapping:

Workload → Risk → Monitoring Service

3. Designing Monitoring Strategies

An effective monitoring strategy combines multiple components:

Component	Description	AWS Service
Metrics	Performance indicators	CloudWatch Metrics
Logs	Detailed activity records	CloudWatch Logs
Health Checks	Resource availability	Route 53 Health Checks
Tracing	Request-level visibility	AWS X-Ray

Example Strategy

EC2 → CloudWatch metrics + GuardDuty
APIs → AWS X-Ray tracing
DNS → Route 53 health checks

Exam Tip

Use multi-layer monitoring instead of relying on a single service.

4. Aggregating Security and Monitoring Events

Centralized aggregation provides unified visibility across accounts.

Aggregation Services

Service	Purpose
AWS Security Hub	Centralized findings (ASFF format)
Amazon Security Lake	Centralized security data repository
CloudWatch Logs	Log aggregation
AWS Organizations	Multi-account governance

Best Practices

Use Security Hub for findings aggregation
Use Security Lake for analytics and long-term storage

Exam Tip

If a question mentions multi-account environments, the answer typically involves centralization.

5. Metrics, Alerts, and Dashboards

Effective detection requires visibility, alerting, and response.

Monitoring Stack

Component	Purpose	AWS Service
Metrics	Collect data	CloudWatch
Alarms	Trigger alerts	CloudWatch Alarms
Dashboards	Visualize trends	CloudWatch Dashboards
Notifications	Alert teams	SNS

Security Detection Services

Service	Function
GuardDuty	ML-based threat detection
Security Hub	Aggregates findings
Macie	Sensitive data detection
Inspector	Vulnerability scanning

Example Detection Flow

GuardDuty → Security Hub → EventBridge → Lambda/SNS

Exam Tip

Correct answers typically emphasize:

Automation
Event-driven workflows
Managed services

6. Automating Assessments and Remediation

Automation ensures continuous compliance and rapid response.

Automation Services

Service	Function
AWS Config	Track configuration changes
Conformance Packs	Predefined compliance rules
Systems Manager State Manager	Enforce configurations
EventBridge	Event-driven triggers
Lambda	Automated remediation

Example Workflow

AWS Config detects non-compliance
EventBridge triggers Lambda
Lambda remediates the issue

Exam Tip

Automation is always preferred over manual intervention.

7. Key Detection Services in AWS

Service	Role
GuardDuty	Threat detection
Security Hub	Centralized findings
Macie	Sensitive data discovery
Inspector	Vulnerability detection
CloudTrail	API logging
AWS Config	Configuration tracking
Amazon Detective	Investigation and root cause analysis

8. End-to-End Detection Pipeline

This is a common exam scenario pattern:

Flow

GuardDuty detects anomaly
Finding sent to Security Hub
EventBridge triggers Lambda
Lambda remediates the issue
SNS sends notification

EventBridge Rule Example

{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"]
}

9. Key Exam Tips

Tip 1: Workload-Based Monitoring

Always identify:

Resource
Risk
Monitoring service

Tip 2: Centralization

Security Hub → findings
Security Lake → logs and data

Tip 3: Automation

Look for:

EventBridge
Lambda
AWS Config

Tip 4: Alerting

CloudWatch Alarms + SNS
Avoid manual monitoring

Tip 5: Threat Detection Mapping

GuardDuty → threats
Macie → sensitive data
Inspector → vulnerabilities

Tip 6: Multi-Account Architecture

Use AWS Organizations
Centralize logs and findings

Tip 7: Investigation

Use Amazon Detective

Final Thoughts

Designing monitoring and alerting solutions in AWS requires:

Understanding workload-specific risks
Selecting appropriate detection services
Centralizing visibility across accounts
Automating detection and response workflows

Exam Focus Areas

GuardDuty, Security Hub, Security Lake
Event-driven automation (EventBridge + Lambda)
AWS Config and compliance automation
Multi-account monitoring architectures

Back to Course

Next Lesson