The Security Services Toolbox

GuardDuty, WAF, Shield, Inspector, Macie, KMS, and friends — what each security service does and when to pick it.


Domain 2 loves "which service?" questions. You don't need to configure any of these — just be able to match each service to its one-line job. Group them by purpose and they're easy to remember.

Threat detection & monitoring

Amazon GuardDuty

Intelligent threat detection: continuously analyzes CloudTrail events, VPC Flow Logs, and DNS query logs against threat-intelligence feeds and ML models to spot malicious activity such as crypto-mining, reconnaissance, and compromised credentials. Nothing to install: you enable it per account and region and it reads the logs itself.
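To make "threat detection from logs" concrete, here is an added example of the kind of rule GuardDuty applies to the three sources named above. It is not GuardDuty's code: the rules, the indicator lists, the finding names and the log records are all constructed for this illustration, and the real service uses far richer threat intelligence and ML.

```python
"""Miniature GuardDuty-style detector over constructed log samples.

Added illustration, not the real service: the rules, indicator lists and
finding names are made up here and are not GuardDuty's detections.
"""
from collections import Counter

# Constructed threat-intelligence indicators standing in for GuardDuty's feeds.
BAD_IPS = {"198.51.100.9"}
BAD_DOMAINS = {"pool.example-miner.net"}
MINING_PORTS = {3333, 4444}  # stratum ports commonly used by mining pools


def finding(ftype, severity, resource, evidence):
    return {"type": ftype, "severity": severity,
            "resource": resource, "evidence": evidence}


def check_cloudtrail(events, fail_threshold=3):
    """Credential-compromise signals from CloudTrail management events."""
    out = []
    failed_logins = Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        # Any API call made with root credentials is a finding on its own.
        if ident.get("type") == "Root":
            out.append(finding("RootCredentialUsage", "HIGH",
                               ident.get("arn"), ev["eventName"]))
        # Count failed console logins per source IP to catch password guessing.
        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failed_logins[ev["sourceIPAddress"]] += 1
    for ip, n in failed_logins.items():
        if n >= fail_threshold:
            out.append(finding("ConsoleLoginBruteForce", "MEDIUM", ip,
                               f"{n} failed logins"))
    return out


def check_flow_logs(lines):
    """Known-bad-IP and mining-port signals from VPC Flow Logs
    (default 14-field format; an S3-export header line is skipped)."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[0] == "version":
            continue
        src, dst, dport, action = f[3], f[4], int(f[6]), f[12]
        if action != "ACCEPT":
            continue  # a REJECT never became a connection; nothing to flag
        if dst in BAD_IPS:
            out.append(finding("MaliciousIPCaller", "HIGH", src, f"{dst}:{dport}"))
        elif dport in MINING_PORTS:
            out.append(finding("CryptoCurrencyPort", "HIGH", src, f"{dst}:{dport}"))
    return out


def check_dns(queries):
    """Known-bad domain lookups from resolver query logs."""
    return [finding("MaliciousDomainRequest", "MEDIUM", q["srcaddr"], q["query_name"])
            for q in queries if q["query_name"].lower().rstrip(".") in BAD_DOMAINS]


def run_all(events, flow_lines, dns_queries):
    """Merge all three sources into one finding list, most severe first."""
    found = check_cloudtrail(events) + check_flow_logs(flow_lines) + check_dns(dns_queries)
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(found, key=lambda x: rank[x["severity"]])


# --- constructed sample data (not real logs; documentation IP ranges only) ---
SAMPLE_CLOUDTRAIL = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
] + [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.44",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Failure"}}
    for _ in range(3)
] + [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
]
SAMPLE_FLOW_LOGS = [
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.9 49512 443 6 20 1400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.200 49513 3333 6 800 96000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.23 51000 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.23 203.0.113.10 49514 443 6 10 900 1700000000 1700000060 ACCEPT OK",
]
SAMPLE_DNS = [
    {"srcaddr": "10.0.1.23", "query_name": "pool.example-miner.net."},
    {"srcaddr": "10.0.1.24", "query_name": "s3.amazonaws.com."},
]

if __name__ == "__main__":
    for fnd in run_all(SAMPLE_CLOUDTRAIL, SAMPLE_FLOW_LOGS, SAMPLE_DNS):
        print(f'{fnd["severity"]:6} {fnd["type"]:24} {fnd["resource"]}  {fnd["evidence"]}')
```

The three checks deliberately match the three exam associations: root usage and login spraying come from CloudTrail, mining ports and bad destinations from flow logs, bad domains from DNS. Note that a REJECT line is skipped: a connection the security group already blocked is not compromise, and flagging it is how detectors drown analysts in noise.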

Amazon Inspector

Automated vulnerability scanning of EC2 instances, container images in ECR, and Lambda functions for known software flaws (CVEs) and unintended network reachability.

Amazon Detective

Investigates findings: builds a graph of your activity to find the root cause of a security issue that GuardDuty flagged.

AWS Security Hub

Single pane of glass aggregating findings from GuardDuty, Inspector, Macie, and partners, plus automated best-practice checks.

Network & application protection

AWS WAF

Web application firewall: rule-based filtering of HTTP requests that blocks common web exploits such as SQL injection and cross-site scripting, attached to CloudFront, an Application Load Balancer, or API Gateway.

AWS Shield

DDoS protection. Shield Standard is free, always on for every AWS customer, and covers network and transport layer floods; Shield Advanced (paid) adds enhanced detection and mitigation, DDoS cost protection against scaling charges, and 24/7 access to the Shield Response Team.

AWS Firewall Manager

Centrally manages WAF rules, Shield Advanced protections, security groups, and Network Firewall policies across all accounts in an AWS Organization.

AWS Network Firewall

Managed network firewall with stateless and stateful rule groups (including Suricata-compatible intrusion-detection rules) for traffic entering and leaving a VPC.

Data protection & encryption

AWS Key Management Service (KMS)

Creates and controls the encryption keys (AWS-managed or customer-managed) that most services use for encryption at rest; every use of a key is logged to CloudTrail.

AWS CloudHSM

Dedicated hardware security modules when compliance demands single-tenant key storage you fully control.

Amazon Macie

Uses ML and pattern matching to discover sensitive data (PII, credentials, financial data) in S3 and flags buckets that are public or unencrypted. Mnemonic: 'Macie finds PII'.
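What "finds PII" means in practice, as an added example that is not Macie's own logic: Macie uses managed data identifiers and ML, whereas this scanner uses three regexes plus a Luhn checksum so that a build number or a malformed test SSN is not reported as a hit. The object contents and bucket state are constructed for the example.

```python
"""Macie-style sensitive-data discovery over constructed S3 object contents.

Added illustration only; not Amazon Macie's detection logic.
"""
import re

# Formats only; the negative lookaheads drop SSN area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_object(key: str, body: str, public: bool = False):
    """Return a finding for one object, or None when it holds nothing sensitive."""
    ssn = len(SSN_RE.findall(body))
    card = sum(1 for m in CARD_RE.finditer(body) if luhn_ok(m.group()))
    email = len(EMAIL_RE.findall(body))
    if not (ssn or card or email):
        return None
    # Exposure drives severity: the same PII in a public bucket is the urgent case.
    if ssn or card:
        severity = "HIGH" if public else "MEDIUM"
    else:
        severity = "LOW"
    return {"key": key, "ssn": ssn, "card": card, "email": email,
            "public": public, "severity": severity}


def scan_bucket(objects, bucket_public: bool = False):
    """Scan every object; keep only those with findings."""
    results = []
    for obj in objects:
        r = scan_object(obj["key"], obj["body"], public=bucket_public)
        if r:
            results.append(r)
    return results


# Constructed sample objects: one valid and one invalid SSN, one card number that
# passes Luhn and one that does not, and a log line whose build number must not match.
SAMPLE_OBJECTS = [
    {"key": "exports/customers.csv",
     "body": "name,email,ssn,card\n"
             "alice,alice@example.com,123-45-6789,4111 1111 1111 1111\n"
             "bob,bob@example.com,000-12-3456,1234 5678 9012 3456\n"},
    {"key": "logs/app.log",
     "body": "2024-01-01 INFO started, build 20240101123456\n"},
]

if __name__ == "__main__":
    for r in scan_bucket(SAMPLE_OBJECTS, bucket_public=True):
        print(r)
```

Two things to take from the run: the log object produces no finding even though it contains a 14-digit number, because the Luhn check rejects it, and flipping `bucket_public` changes the severity of the same CSV from MEDIUM to HIGH, which is the "alert on exposure" half of Macie's job.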

AWS Certificate Manager (ACM)

Provisions, deploys, and automatically renews public SSL/TLS certificates at no charge for use on ELB, CloudFront, and API Gateway, which is how you get encryption in transit. (Private certificates from ACM Private CA are a separate, paid feature.)

AWS Secrets Manager

Stores and automatically rotates database passwords, API keys, and other secrets.

Exam tip

Rapid-fire associations: DDoS → Shield. SQL injection/XSS → WAF. Threat detection from logs → GuardDuty. CVE/vulnerability scans → Inspector. PII in S3 → Macie. Rotate DB passwords → Secrets Manager. Encryption keys → KMS. TLS certificates → ACM. Aggregate findings → Security Hub.

Also remember encryption in transit vs at rest: in transit uses TLS/SSL (certificates from ACM); at rest uses KMS-managed keys. Most AWS services encrypt at rest with a checkbox, and some now do it by default (S3 encrypts new objects with SSE-S3 unless you choose otherwise), but under the shared responsibility model deciding to enable it, and choosing a customer-managed KMS key when you need control over who can use the key, is the customer's job.
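The KMS entry above and this at-rest paragraph both rest on one mechanism worth seeing once: envelope encryption. The added example below is not AWS code. `FakeKms` stands in for KMS, and its master key never leaves the object, which is the property the real service gives you; the HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag is a stand-in for AES-256-GCM because the Python standard library has no AES. The structure is the point: a service wraps a fresh per-object data key and stores it beside the ciphertext, and reading the object back requires a `Decrypt` call that IAM and the key policy can gate and CloudTrail records.

```python
"""Envelope encryption as KMS-integrated services do it for data at rest.

Added illustration, not AWS code. The HMAC-based cipher here is a stand-in
for AES-GCM; do not reuse it as a production primitive.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; refuse anything tampered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class FakeKms:
    """Stand-in for AWS KMS: callers get data keys, the master key stays inside."""

    def __init__(self):
        self._master_key = secrets.token_bytes(32)
        self.api_calls = []  # the key-usage trail CloudTrail would record

    def generate_data_key(self):
        """Like kms:GenerateDataKey: a fresh key, returned in plaintext and wrapped."""
        self.api_calls.append("GenerateDataKey")
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._master_key, data_key)

    def decrypt(self, wrapped_key: bytes) -> bytes:
        """Like kms:Decrypt: unwrap a data key; this is the call a key policy gates."""
        self.api_calls.append("Decrypt")
        return unseal(self._master_key, wrapped_key)


def encrypt_object(kms: FakeKms, plaintext: bytes) -> dict:
    """On write: encrypt locally with a data key, keep only the wrapped copy of it."""
    data_key, wrapped = kms.generate_data_key()
    record = {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}
    del data_key  # plaintext data key is discarded; only KMS can recover it
    return record


def decrypt_object(kms: FakeKms, record: dict) -> bytes:
    """On read: ask KMS to unwrap the data key, then decrypt the object locally."""
    return unseal(kms.decrypt(record["wrapped_key"]), record["ciphertext"])


if __name__ == "__main__":
    kms = FakeKms()
    rec = encrypt_object(kms, b"customer PII")
    print(decrypt_object(kms, rec), kms.api_calls)
```

Because the bulk data is encrypted locally, KMS only ever handles 32-byte keys, which is why it can back services that store terabytes. Revoking a principal's `kms:Decrypt` permission on the key makes every object wrapped under it unreadable to them without touching the objects, and a stored record decrypted against a different master key fails authentication instead of returning garbage.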

Knowledge check

Which service provides intelligent threat detection by continuously analyzing CloudTrail events, VPC Flow Logs, and DNS logs?