Security and Compliance · 30% of exam

L9. Monitoring and Compliance: CloudTrail, Config, GuardDuty, and Macie


AWS security monitoring services form a layered detection and compliance system. The Cloud Practitioner exam tests CloudTrail, Config, GuardDuty, Amazon Inspector, Macie, and Security Hub.

AWS CloudTrail

CloudTrail records all API calls made in your AWS account, capturing who did what, when, and from where.

What it logs:

  • Management events (creating or deleting resources)
  • Data events (S3 object access, Lambda invocations)
  • Insights events (unusual API activity)

Use cases: security auditing, compliance, troubleshooting operational issues, detecting unauthorized access.

Key facts: CloudTrail is enabled by default with 90 days of management event history. For longer retention, create a Trail that delivers the logs to an S3 bucket.
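As an added example (not part of the lesson), the Python below parses a constructed CloudTrail-style log and answers the "who did what, when, and from where" question for an S3 bucket deletion. The record values, the account number, and the helper names find_events and who_deleted_bucket are assumptions made for the example.

```python
import json

# Constructed sample CloudTrail log (not real account data). Field names follow
# the CloudTrail record format: eventTime, eventSource, eventName, userIdentity,
# sourceIPAddress and requestParameters.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-10T14:03:22Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "app-deploy"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "app-assets", "key": "index.html"}},
    {"eventTime": "2024-05-11T02:00:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-jane"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "customer-exports"}},
    {"eventTime": "2024-05-11T02:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/ops"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": None},
]})


def find_events(log_text, event_source, event_names):
    """Summarise matching records as who/what/when/where; other services are skipped."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource") != event_source
                or rec.get("eventName") not in event_names):
            continue
        identity = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}  # may be null in real records
        hits.append({
            # IAM users carry userName; assumed roles are identified by their ARN
            "who": identity.get("userName") or identity.get("arn", "unknown"),
            "what": rec["eventName"],
            "bucket": params.get("bucketName"),
            "when": rec["eventTime"],
            "where": rec.get("sourceIPAddress"),
        })
    return hits


def who_deleted_bucket(log_text, bucket_name):
    """Return (who, when, where) for every DeleteBucket call against bucket_name."""
    return [(h["who"], h["when"], h["where"])
            for h in find_events(log_text, "s3.amazonaws.com", {"DeleteBucket"})
            if h["bucket"] == bucket_name]
```

The same filter applied to a real Trail delivered to S3 is how an investigator turns the lesson's "who deleted the bucket at 2:00 AM" question into a concrete answer.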

AWS Config

AWS Config continuously monitors and records AWS resource configurations and evaluates them against desired rules. What it does:

  • Records a history of configuration changes for each resource
  • Evaluates resources against Config rules (managed or custom)
  • Generates compliance reports

Difference from CloudTrail: CloudTrail = WHO did WHAT (API actions). Config = WHAT changed in a resource's configuration over time.

Amazon GuardDuty

GuardDuty is a threat detection service that analyzes VPC Flow Logs, DNS logs, and CloudTrail events to detect malicious activity. Threat types detected: cryptocurrency mining on EC2, compromised instances, unauthorized access patterns, malicious IP communication, port scanning. Key fact: GuardDuty uses machine learning and threat intelligence feeds. No software to install; enable it in the console with one click.

Amazon Macie

Macie uses machine learning to discover, classify, and protect sensitive data stored in Amazon S3. Detects: PII (names, SSNs, credit card numbers), financial data, health records, and other sensitive content. Use case: automatically find S3 buckets containing sensitive data that may be at risk.

Amazon Inspector

Inspector automatically scans EC2 instances and container images for software vulnerabilities and unintended network exposure. What it analyzes: CVEs in installed software packages, network reachability issues, and compliance with security benchmarks.

AWS Security Hub

Security Hub aggregates security findings from GuardDuty, Macie, Inspector, and third-party tools into a single dashboard with a compliance score.

Service        What It Does
-------------  -----------------------------------------------
CloudTrail     Records API calls (who did what)
AWS Config     Records resource configuration changes
GuardDuty      Detects threats in logs and network traffic
Macie          Finds sensitive data in S3
Inspector      Scans for vulnerabilities in EC2 and containers
Security Hub   Aggregates findings into one dashboard

Exam tip: GuardDuty = threat detection. CloudTrail = audit log. Config = compliance and configuration history. Macie = sensitive data discovery in S3.

Exam Focus Points
  • CloudTrail records all API calls in your account: who did what, when, and from where
  • AWS Config records resource configuration changes and evaluates compliance against rules
  • GuardDuty detects threats by analyzing VPC Flow Logs, DNS logs, and CloudTrail with ML
  • Amazon Macie discovers and classifies sensitive data (PII, financial) in S3 using machine learning
  • Amazon Inspector scans EC2 and container images for vulnerabilities; Security Hub aggregates all findings

Knowledge Check

1. A security team wants to know which IAM user deleted an S3 bucket at 2:00 AM. Which service provides this information?

2. A company stores customer data in hundreds of S3 buckets and needs to automatically identify which buckets contain personally identifiable information (PII). Which service is designed for this?
