
Stop guessing which security service to use — the definitive comparison for every AWS certification
Each answers a different security question: WHO is attacking? WHAT is vulnerable? WHERE is my sensitive data? HOW am I doing overall?
| Feature | GuardDuty (threat detection via behavioral analytics) | Inspector (vulnerability scanning for workloads) | Macie (sensitive data discovery in S3) | Security Hub (centralized security posture aggregator) | Exam note |
|---|---|---|---|---|---|
| Core Question Answered | Is something actively attacking or compromised right now? | What known vulnerabilities exist in my workloads? | Where is sensitive/PII data stored in S3, and is it exposed? | What is my overall security posture across all services? | Memorize these one-liners: exam scenarios are written around these exact distinctions |
| Security Paradigm | Threat Detection & Incident Response (reactive to active threats) | Vulnerability Management (proactive, shift-left) | Data Security & Privacy (compliance-driven) | Security Posture Management (aggregation & normalization) | SCS-C02 maps directly to these paradigms in its domain structure |
| What It Monitors / Analyzes | CloudTrail events, VPC Flow Logs, DNS logs, S3 data events, EKS audit logs, RDS login events, Lambda network activity, EBS malware scans, runtime behavior | EC2 instances (OS packages, network reachability), ECR container images, Lambda function code & layers | S3 buckets and objects — bucket policies, ACLs, encryption status, object content for sensitive data patterns | Findings from GuardDuty, Inspector, Macie, Firewall Manager, IAM Access Analyzer, Systems Manager Patch Manager, and 3rd-party integrations | GuardDuty does NOT scan EC2 for CVEs — that is Inspector's job. This is the #1 confusion on exams. |
| Data Sources / Inputs | Automatically ingests CloudTrail management & S3 data events, VPC Flow Logs, Route 53 DNS query logs, EKS audit/runtime logs, RDS login activity, Lambda network logs — NO agent required for most features | SSM Agent required on EC2, ECR integration for container images, Lambda function metadata — agent-based for EC2 | Direct S3 API access — no agent needed; uses managed and custom data identifiers | AWS Security Finding Format (ASFF) from integrated services and partner products | Inspector requires SSM Agent on EC2 — if SSM is not running, Inspector cannot assess that instance |
| Agentless vs Agent-Based | Agentless for most features; GuardDuty Runtime Monitoring uses a lightweight agent for EC2/ECS/EKS runtime threat detection | Agentless for ECR and Lambda; requires SSM Agent for EC2 vulnerability scanning | Fully agentless — uses S3 APIs directly | Fully agentless — aggregates findings via APIs | If a question says 'no agents can be installed', eliminate Inspector for EC2 use cases, but GuardDuty and Macie remain valid |
| Finding Types / Output | Threat intelligence findings (e.g., UnauthorizedAccess, CryptoCurrency mining, Backdoor, Trojan, Recon, Exfiltration, PrivilegeEscalation) with severity 0.1–10 | CVE-based vulnerability findings with CVSS scores, network reachability findings, software bill of materials (SBOM) | Policy findings (e.g., bucket public, no encryption) and sensitive data findings (PII, credentials, financial data detected in objects) | Normalized findings in ASFF format with compliance status against standards (CIS, PCI DSS, NIST, AWS Foundational) | Macie has TWO finding types: policy findings (bucket configuration issues) and sensitive data findings (actual content analysis) — questions test this distinction |
| Machine Learning / AI Usage | Heavy ML use — baselines normal behavior, anomaly detection, threat intelligence feeds from AWS, CrowdStrike, Proofpoint | Rule-based CVE matching against NVD and vendor advisories; no ML for core scanning | ML for sensitive data pattern recognition beyond regex; also uses managed data identifiers | No ML — aggregation and rules-based compliance checks | |
| Continuous vs On-Demand | Continuous, real-time monitoring — always on once enabled | Continuous for EC2/ECR/Lambda — reassesses automatically when new CVEs are published or software changes are detected | Automated discovery runs continuously; sensitive data jobs can be one-time or scheduled | Continuous — findings stream in real time from integrated services | All four services support continuous monitoring — the exam may try to trick you into thinking Inspector is only on-demand |
| Multi-Account / Org Support | Yes — delegated administrator account manages all member accounts in AWS Organizations; findings aggregated centrally | Yes — delegated administrator model via AWS Organizations; central finding aggregation | Yes — delegated administrator in Organizations; master account can run jobs across member S3 buckets | Yes — designed for this; aggregates findings from all accounts and all regions into a single pane; supports cross-region aggregation | Security Hub is the BEST choice for centralized multi-account security visibility — it aggregates from all other services |
| Compliance Standards Supported | Not a compliance framework tool — provides threat findings only | Maps findings to CIS Benchmarks, NIST SP 800-53, PCI DSS via Security Hub integration | Supports GDPR, HIPAA, PCI DSS data discovery requirements | CIS AWS Foundations Benchmark, PCI DSS, AWS Foundational Security Best Practices, NIST SP 800-53, ISO 27001 (via standards packs) | If a question asks about a compliance dashboard or scoring, the answer is Security Hub |
| Automated Remediation | Via EventBridge rules → Lambda/SNS/Step Functions; e.g., auto-isolate EC2 on a compromise finding | Via EventBridge → Systems Manager Patch Manager for auto-patching, or Lambda for custom actions | Via EventBridge → Lambda; e.g., auto-restrict public bucket access when a sensitive data finding is generated | Custom Actions → EventBridge → Lambda; Security Hub Automations (native rules) can auto-update finding status or trigger actions | EventBridge is the universal glue for automated remediation across all four services — know this integration pattern cold |
| Integration with CloudTrail | CRITICAL — GuardDuty analyzes CloudTrail management events and S3 data events as a primary data source for threat detection | Not a primary integration | Uses CloudTrail to detect S3 bucket policy changes and access pattern anomalies | Ingests CloudTrail-based findings from GuardDuty and other services | GuardDuty does NOT require you to manually set up a trail — it reads the CloudTrail event stream independently; CloudTrail logging itself must still be on in the account |
| Integration with S3 | Monitors S3 data events for suspicious access patterns (e.g., unusual geo, API anomalies) | Not applicable | PRIMARY — scans S3 bucket contents and metadata; this is Macie's core function | Receives Macie findings about S3; checks S3 security configurations via the FSBP standard | |
| Integration with Systems Manager | Can trigger SSM Automation documents for remediation via EventBridge | REQUIRED — SSM Agent must be installed and running on EC2 for vulnerability scanning | No direct integration | Integrates with SSM Patch Manager findings and OpsCenter | Inspector's dependency on SSM Agent is a critical exam fact — questions will test whether you know this prerequisite |
| Free Trial | 30-day free trial per account per region (full feature access) | 30-day free trial per account | 30-day free trial for S3 bucket evaluation; sensitive data discovery has a separate trial | 30-day free trial per account | All four offer 30-day trials — if asked which has a free trial, the answer is all of them |
| Pricing Model | Based on volume of CloudTrail events analyzed, VPC Flow Log data (GB), DNS query volume, S3 data events, EKS log volume, RDS/Lambda events — pay per data volume analyzed | Based on number of EC2 instances scanned per month, number of container images scanned, number of Lambda functions scanned | Based on number of S3 buckets evaluated (automated discovery), volume of data scanned for sensitive data (GB per month) | Based on number of security checks per account per region per month, number of finding ingestion events per month | Pricing model differences are rarely tested directly, but understanding what drives cost helps with architecture questions |
| Suppression / Filtering | Suppression rules to auto-archive known-safe findings; trusted IP lists and threat lists | Filter findings by severity, resource, CVE; suppress findings for accepted risks | Allow lists for known-safe data patterns; suppression rules for findings | Filters, suppression, and custom insights (saved queries); workflow status management (NEW/NOTIFIED/SUPPRESSED/RESOLVED) | |
| Exam Keyword Triggers | Compromised instance, cryptocurrency mining, unusual API calls, exfiltration, port scanning, brute force, malware, runtime threat, DNS exfiltration, credential theft | CVE, vulnerability, patch, software flaw, network reachability, container image scanning, SBOM, OS vulnerability | PII, sensitive data, S3 bucket exposure, GDPR, HIPAA data discovery, credit card numbers, SSN, public bucket with sensitive data | Single pane of glass, compliance score, security posture, aggregated findings, ASFF, CIS benchmark, security standards | Memorize these trigger words — exam question scenarios are designed to include exactly these keywords to guide you to the right service |
Summary
GuardDuty detects active threats and anomalous behavior using ML against log data — it is your security camera. Inspector finds known vulnerabilities (CVEs) in your EC2, Lambda, and container workloads before attackers exploit them — it is your building inspector. Macie discovers and protects sensitive data in S3 — it is your data privacy officer. Security Hub aggregates, normalizes, and scores findings from all three (plus more) into a unified compliance and posture dashboard — it is your CISO's command center. Use all four together for a defense-in-depth strategy.
🎯 Decision Tree
- IF the question involves active threats / anomalous behavior / compromised resources / malware → GuardDuty
- IF the question involves CVEs / software vulnerabilities / patch management / container image scanning / network reachability → Inspector
- IF the question involves PII / sensitive data / S3 bucket exposure / GDPR/HIPAA data discovery → Macie
- IF the question involves compliance dashboards / security posture / aggregating findings / CIS benchmarks / single pane of glass → Security Hub
- IF the question involves automated response to findings → EventBridge + Lambda (works with ALL four)
- IF the question involves multi-account centralized security → Security Hub as aggregator + delegated admin for each service
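The EventBridge → Lambda pattern from the Automated Remediation row and the decision tree, written out as an added example (not AWS code or the page's own): a handler body that normalizes native GuardDuty findings and Security Hub ASFF imports into one record shape, then attaches the per-service playbook the page names (isolate EC2, patch via SSM, block public bucket access). It assumes trimmed versions of the documented event formats, uses constructed sample events with hypothetical IDs, and returns a plan instead of calling AWS APIs so it runs offline.

```python
"""Triage EventBridge events from GuardDuty (native) and Security Hub (ASFF) into a remediation plan.
Event shapes are trimmed from the documented formats; sample events are constructed, not real findings."""

def asff_label(normalized: int) -> str:
    """ASFF Severity.Label thresholds on the 0-100 normalized scale."""
    for ceiling, label in ((0, "INFORMATIONAL"), (39, "LOW"), (69, "MEDIUM"), (89, "HIGH")):
        if normalized <= ceiling:
            return label
    return "CRITICAL"

def normalize(event: dict) -> list:
    """One record per finding, whichever service emitted the event."""
    source, detail = event["source"], event["detail"]
    if source == "aws.guardduty":
        # GuardDuty's native severity is 0.1-10; Security Hub stores it as severity * 10.
        return [{"product": "GuardDuty", "type": detail["type"],
                 "label": asff_label(round(detail["severity"] * 10)),
                 "resource": detail["resource"].get("instanceDetails", {}).get("instanceId")}]
    if source == "aws.securityhub":
        # Imported findings are already ASFF; ProductName says which service produced each one.
        return [{"product": f["ProductName"], "type": f["Types"][0],
                 "label": f["Severity"]["Label"], "resource": f["Resources"][0]["Id"]}
                for f in detail["findings"]]
    raise ValueError(f"unhandled source: {source}")

def plan_actions(event: dict, min_label: str = "HIGH") -> list:
    """Attach the page's per-service playbook to findings at or above min_label."""
    order = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
    playbook = {"GuardDuty": "isolate-ec2", "Inspector": "ssm-patch", "Macie": "block-public-access"}
    return [{"action": playbook.get(r["product"], "notify-only"), **r}
            for r in normalize(event) if order.index(r["label"]) >= order.index(min_label)]

# Constructed sample events (hypothetical IDs and ARNs).
GUARDDUTY_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
SECURITYHUB_EVENT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"ProductName": "Inspector", "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
         "Severity": {"Label": "CRITICAL", "Normalized": 90},
         "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"}]},
        {"ProductName": "Macie", "Types": ["Sensitive Data Identifications/PII"],
         "Severity": {"Label": "MEDIUM", "Normalized": 40},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]}]}}

if __name__ == "__main__":
    for ev in (GUARDDUTY_EVENT, SECURITYHUB_EVENT):
        print(plan_actions(ev))
```

With the default HIGH threshold the Macie MEDIUM policy finding is filtered out; lowering `min_label` to "MEDIUM" brings it into the plan, which is the knob a real rule would tune per finding type.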
GuardDuty = THREAT DETECTION (who is attacking NOW), Inspector = VULNERABILITY SCANNING (what CVEs exist), Macie = SENSITIVE DATA (where is PII in S3), Security Hub = AGGREGATION (overall posture). These are NOT interchangeable. A question about 'compromised EC2 making unusual API calls' = GuardDuty. A question about 'unpatched Log4j on EC2' = Inspector. A question about 'S3 bucket containing SSNs is public' = Macie. A question about 'compliance score across all accounts' = Security Hub.
Inspector v2 REQUIRES SSM Agent on EC2 instances. If an exam scenario says 'no agents can be installed' or 'agentless only', Inspector CANNOT scan EC2 instances in that scenario. However, Inspector CAN scan ECR container images and Lambda functions without an agent. GuardDuty and Macie are always agentless (except GuardDuty Runtime Monitoring which uses a lightweight agent optionally).
Security Hub does NOT generate its own threat findings — it AGGREGATES findings from other services (GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, etc.) and normalizes them into ASFF (AWS Security Finding Format). If a question asks how to get a 'single pane of glass' view of security across multiple accounts and services, the answer is Security Hub. If asked which service 'detects threats', it is GuardDuty, not Security Hub.
GuardDuty findings are retained for only 90 days in the console. For compliance requirements needing longer retention (e.g., PCI DSS requires 1 year), you MUST export findings to S3 via EventBridge. This is a common exam scenario: 'How do you retain GuardDuty findings for 1 year?' → Enable GuardDuty → EventBridge rule → Kinesis Data Firehose → S3 (with lifecycle to Glacier for cost optimization).
Macie has TWO distinct finding categories that exam questions exploit: (1) POLICY FINDINGS — bucket-level configuration issues like BucketPubliclyAccessible, BucketNotEncrypted, BucketSharedExternally — these are near real-time; (2) SENSITIVE DATA FINDINGS — actual content analysis finding SSNs, credit cards, API keys inside objects — these require a sensitive data discovery job or automated discovery to be enabled. Knowing which type applies to a scenario is critical.
For AI/ML service security questions (e.g., Bedrock): GuardDuty monitors API calls to Bedrock via CloudTrail integration, Macie can protect training data in S3, and Security Hub aggregates findings. Inspector does NOT monitor AI services — it scans EC2/containers/Lambda for CVEs only. WAF cannot prevent prompt injection attacks on Bedrock (WAF operates at HTTP layer, not semantic layer). This is a known misconception in the AIF-C01 and SCS-C02 question banks.
When a question describes setting up security monitoring for a NEW AWS account or AWS Organization, the recommended order is: (1) Enable AWS Organizations, (2) Enable GuardDuty with delegated admin, (3) Enable Security Hub with delegated admin and cross-region aggregation, (4) Enable Inspector and Macie as needed. Security Hub should be the LAST to enable so it can immediately start aggregating from the others.
The #1 exam trap is using GuardDuty when Inspector is needed (or vice versa). GuardDuty = active threat detection (IS something bad happening RIGHT NOW?). Inspector = vulnerability scanning (COULD something bad happen because of known CVEs?). When you see 'compromised', 'unusual activity', 'malware', 'exfiltration' → GuardDuty. When you see 'CVE', 'vulnerability', 'unpatched', 'software version' → Inspector. The second biggest trap is thinking Security Hub detects threats — it only aggregates findings from services that do.
CertAI Tutor · SCS-C02, DEA-C01, DOP-C02, SAA-C03, SAP-C02, AIF-C01, CLF-C02 · 2026-02-22