L9. Monitoring and Compliance: CloudTrail, Config, GuardDuty, and Macie
AWS security monitoring services form a layered detection and compliance system. The Cloud Practitioner exam tests CloudTrail, Config, GuardDuty, Amazon Inspector, Macie, and Security Hub.
AWS CloudTrail
CloudTrail records all API calls made in your AWS account, capturing who did what, when, and from where. What it logs: management events (creating/deleting resources), data events (S3 object access, Lambda invocations), and Insights events (unusual API activity). Use cases: security auditing, compliance, troubleshooting operational issues, detecting unauthorized access. Key facts: CloudTrail is enabled by default for 90 days of management event history. For longer retention, create a Trail to send logs to S3.
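The "who did what, when, and from where" fields above map directly onto the JSON records CloudTrail delivers to S3. The following is an added example, not code from the lesson or from AWS, that parses a constructed CloudTrail log file and pulls out every management event of a given type inside a time window, so an auditor can answer a question like "which IAM user deleted a bucket around 2:00 AM"; the account ID, user name, bucket names and IP addresses are placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample log (placeholder account, user, bucket and IP values).
# Real CloudTrail files delivered to S3 use the same {"Records": [...]} shape.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {
        "eventTime": "2024-03-10T01:58:12Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket",
        "userIdentity": {"type": "IAMUser", "userName": "example-ops-user",
                         "arn": "arn:aws:iam::123456789012:user/example-ops-user"},
        "sourceIPAddress": "203.0.113.42",
        "requestParameters": {"bucketName": "example-archive-bucket"},
    },
    {
        "eventTime": "2024-03-10T09:15:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
        "sourceIPAddress": "10.0.1.25",
        "requestParameters": {"bucketName": "example-data-bucket"},
    },
]})


def _parse_time(iso_z):
    """CloudTrail eventTime is UTC in the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_events(log_text, event_name, start_iso, end_iso):
    """Return who/when/where/bucket for each record named event_name whose
    eventTime falls inside the inclusive window [start_iso, end_iso]."""
    start, end = _parse_time(start_iso), _parse_time(end_iso)
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventName") != event_name:
            continue
        when = _parse_time(rec["eventTime"])
        if not (start <= when <= end):
            continue
        ident = rec.get("userIdentity", {})
        hits.append({
            "who": ident.get("userName") or ident.get("arn", "unknown"),  # IAM user or role ARN
            "identity_type": ident.get("type"),
            "when": rec["eventTime"],
            "where": rec.get("sourceIPAddress"),
            "bucket": rec.get("requestParameters", {}).get("bucketName"),
        })
    return hits
```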
AWS Config
AWS Config continuously monitors and records AWS resource configurations and evaluates them against desired rules. What it does:
- Records a history of configuration changes for each resource
- Evaluates resources against Config rules (managed or custom)
- Generates compliance reports
Amazon GuardDuty
GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to detect malicious activity. Threat types detected: cryptocurrency mining on EC2, compromised instances, unauthorized access patterns, malicious IP communication, port scanning. Key fact: GuardDuty uses machine learning and threat intelligence feeds. No software to install; enable it in the console with one click.
Amazon Macie
Macie uses machine learning to discover, classify, and protect sensitive data stored in Amazon S3. Detects: PII (names, SSNs, credit card numbers), financial data, health records, and other sensitive content. Use case: automatically find S3 buckets containing sensitive data that may be at risk.
Amazon Inspector
Inspector automatically scans EC2 instances and container images for software vulnerabilities and unintended network exposure. What it analyzes: CVEs in installed software packages, network reachability issues, and compliance with security benchmarks.
AWS Security Hub
Security Hub aggregates security findings from GuardDuty, Macie, Inspector, and third-party tools into a single dashboard with a compliance score.
| Service | What It Does |
|---|---|
| CloudTrail | Records API calls (who did what) |
| AWS Config | Records resource configuration changes |
| GuardDuty | Detects threats in logs and network traffic |
| Macie | Finds sensitive data in S3 |
| Inspector | Scans for vulnerabilities in EC2 and containers |
| Security Hub | Aggregates findings into one dashboard |
- ✓ CloudTrail records all API calls in your account: who did what, when, and from where
- ✓ AWS Config records resource configuration changes and evaluates compliance against rules
- ✓ GuardDuty detects threats by analyzing VPC Flow Logs, DNS logs, and CloudTrail with ML
- ✓ Amazon Macie discovers and classifies sensitive data (PII, financial) in S3 using machine learning
- ✓ Amazon Inspector scans EC2 and container images for vulnerabilities; Security Hub aggregates all findings
1. A security team wants to know which IAM user deleted an S3 bucket at 2:00 AM. Which service provides this information?
2. A company stores customer data in hundreds of S3 buckets and needs to automatically identify which buckets contain personally identifiable information (PII). Which service is designed for this?
Recommended: Pluralsight
Complement these lessons with Pluralsight: structured CLF-C02 learning paths, AWS hands-on labs, and realistic practice questions for exam day.