The Security Services Toolbox
GuardDuty, WAF, Shield, Inspector, Macie, KMS, and friends — what each security service does and when to pick it.
Domain 2 loves "which service?" questions. You don't need to configure any of these — just be able to match each service to its one-line job. Group them by purpose and they're easy to remember.
Threat detection & monitoring
Amazon GuardDuty: intelligent threat detection. Continuously analyzes CloudTrail events, VPC Flow Logs, and DNS logs with ML to spot malicious activity such as crypto-mining or credential compromise.
Amazon Inspector: vulnerability scanning of EC2 instances, container images, and Lambda functions for software flaws (CVEs) and unintended network exposure.
Amazon Detective: investigates findings. Builds a graph of your account activity to find the root cause of a security issue that GuardDuty flagged.
AWS Security Hub: single pane of glass that aggregates findings from GuardDuty, Inspector, Macie, and partner products, plus automated best-practice checks.
Network & application protection
AWS WAF: web application firewall. Blocks common web exploits such as SQL injection and cross-site scripting on CloudFront, ALB, or API Gateway.
AWS Shield: DDoS protection. Shield Standard is free and automatic; Shield Advanced adds enhanced protection, cost protection, and access to a response team.
AWS Firewall Manager: centrally manages WAF, Shield Advanced, and security group rules across many accounts.
AWS Network Firewall: managed stateful firewall for entire VPCs.
Data protection & encryption
AWS KMS: creates and manages encryption keys; integrates with most services for encryption at rest.
AWS CloudHSM: dedicated hardware security modules for when compliance demands single-tenant key storage that you fully control.
Amazon Macie: uses ML to discover sensitive data (PII) in S3 and alert on exposure. Think "Macie finds PII".
AWS Certificate Manager (ACM): provisions and renews free SSL/TLS certificates for encryption in transit.
AWS Secrets Manager: stores and automatically rotates database passwords, API keys, and other secrets.
Rapid-fire associations: DDoS → Shield. SQL injection/XSS → WAF. Threat detection from logs → GuardDuty. CVE/vulnerability scans → Inspector. PII in S3 → Macie. Rotate DB passwords → Secrets Manager. Encryption keys → KMS. TLS certificates → ACM. Aggregate findings → Security Hub.
Also remember encryption in transit vs at rest: in transit uses TLS/SSL (certificates from ACM); at rest uses KMS-managed keys. Most AWS services encrypt at rest with a checkbox — but *choosing* to enable it is the customer's responsibility.
Which service provides intelligent threat detection by continuously analyzing CloudTrail events, VPC Flow Logs, and DNS logs?