Detecting Security Threats and Anomalies in AWS
This section covers the following exam objective:
Domain 2: Incident Response
Task 2.1: Design and test an incident response plan
1. Understanding Threat Detection in AWS
Threat detection in AWS relies on managed services that continuously monitor activity, configurations, and data to identify suspicious behavior, vulnerabilities, and compliance risks.
These services eliminate the need to build detection systems from scratch and provide seamless integration across accounts.
What to Expect in Exam Scenarios
You should be able to:
- Identify the correct AWS service for a detection use case
- Recognize anomaly detection patterns
- Design integrated detection workflows
2. AWS Managed Services for Threat Detection
AWS provides specialized services that focus on different aspects of security detection.
| Service | Primary Use Case | Key Characteristics |
|---|---|---|
| Amazon GuardDuty | Threat detection (IAM, EC2, S3, DNS, EKS) | ML-based anomaly detection, integrates with Security Hub |
| Amazon Macie | Sensitive data discovery in S3 | Detects PII/PHI, supports compliance |
| Amazon Inspector | Vulnerability scanning | Continuous assessments for EC2, ECR, Lambda |
| AWS Config | Configuration monitoring | Detects drift and policy violations |
| IAM Access Analyzer | Access analysis | Identifies unintended external access |
Exam Insight
GuardDuty is the primary threat detection service and frequently appears in exam scenarios.
3. Anomaly Detection and Correlation
Effective threat detection requires more than identifying isolated events—it involves correlating multiple signals to uncover broader attack patterns.
Key Techniques
| Technique | Description | AWS Service |
|---|---|---|
| Anomaly Detection | Identify deviations from baseline behavior | CloudWatch Anomaly Detection, GuardDuty |
| Correlation | Link findings across services | Amazon Detective, Security Hub |
| Validation | Query and confirm suspicious events | Amazon Athena, CloudTrail Lake |
Exam Tip
- Detective is used for correlation and root cause analysis
- Athena / CloudTrail Lake are used for validation
4. Visualization for Anomaly Detection
Visualization tools help identify patterns and anomalies that may not be obvious in raw logs.
| Visualization Tool | Purpose |
|---|---|
| CloudWatch Dashboards | Visualize metrics and alarms |
| Security Hub Insights | Aggregate findings across accounts |
| Amazon QuickSight | Custom dashboards from Athena queries |
Exam Tip
- CloudWatch → Metrics visualization
- Security Hub → Findings aggregation
5. Centralizing Security Findings
Centralization provides a unified view of security posture across accounts.
- AWS Security Hub aggregates findings using ASFF
- Integrates with GuardDuty, Macie, Inspector, Config
- Supports third-party SIEM integrations
- Uses EventBridge for automated responses
Exam Insight
For multi-account environments, the correct approach is:
Security Hub + ASFF + EventBridge automation
6. Evaluating and Searching Findings
After detection, findings must be analyzed for severity, accuracy, and context.
Evaluating Findings
- GuardDuty → Detects malicious API activity and threats
- Macie → Identifies sensitive data exposure
- Inspector → Detects vulnerabilities
- Config → Identifies compliance violations
Searching and Correlating
- Use Amazon Detective for cross-service correlation
- Use Athena or CloudTrail Lake to validate events
Exam Tip
Always connect:
- Detection → GuardDuty / Inspector / Macie
- Correlation → Detective
- Validation → Athena / CloudTrail Lake
7. Metric Filters and Dashboards
CloudWatch metric filters transform log patterns into measurable metrics, enabling detection of anomalies such as repeated login failures.
Key Concept
- Metric filters → Convert logs into metrics
- Dashboards → Visualize anomalies
Example: Detect Failed Console Logins
{
"filterPattern": "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }",
"metricName": "FailedConsoleLogins",
"metricNamespace": "Security"
}
Exam Tip
CloudWatch metric filters are often the first layer of anomaly detection before advanced services are used.
8. Querying Security Events with Athena
Amazon Athena allows SQL-based analysis of logs stored in S3, making it ideal for validating suspicious activity at scale.
Example Query (Python SDK)
import boto3athena = boto3.client("athena")response = athena.start_query_execution(
QueryString="""
SELECT *
FROM cloudtrail_logs
WHERE eventName='ConsoleLogin'
AND errorMessage='Failed authentication';
""",
QueryExecutionContext={"Database": "securitylogs"},
ResultConfiguration={"OutputLocation": "s3://my-athena-results/"}
)
This query identifies failed login attempts, which can indicate brute-force attacks.
Exam Tip
Use Athena when:
- Analyzing large datasets
- Validating CloudTrail events
- Performing historical investigations
9. Key Exam Tips
Tip 1: GuardDuty
Primary service for real-time threat detection:
- Credential compromise
- Crypto mining
- Suspicious API activity
Tip 2: Amazon Detective
Used for:
- Correlation across services
- Root cause analysis
Tip 3: Security Hub
- Centralizes findings across accounts
- Uses ASFF format
Tip 4: CloudWatch
- Detects anomalies in logs and metrics
- Use metric filters for patterns
Tip 5: Athena / CloudTrail Lake
- Validate suspicious events
- Perform deep log analysis
Tip 6: Service Mapping
| Service | Focus Area |
|---|---|
| Macie | Sensitive data |
| Inspector | Vulnerabilities |
| Config | Misconfigurations |
| IAM Access Analyzer | Access exposure |
Tip 7: Always Prefer AWS-Native and Automated Solutions
Avoid manual approaches—automation and managed services are key.
Final Thoughts
Detecting security threats and anomalies in AWS requires a multi-layered approach that combines:
- Managed detection services
- Anomaly detection techniques
- Correlation and investigation tools
- Visualization and validation methods
Key Pattern to Remember
Detection → Centralization → Correlation → Validation
- Detection → GuardDuty, Inspector, Macie
- Centralization → Security Hub
- Correlation → Amazon Detective
- Validation → Athena, CloudWatch
Mastering this flow will help you confidently solve exam scenarios and design real-world AWS security solutions.
