AWS Certified CloudOps Engineer - Associate (SOA-C03) #13 Domain 5-2 Security — Config, CloudTrail, GuardDuty, Security Hub, KMS
In #12 we covered identity and governance; this post deals with the operational tools that track what happened (audit), detect and remediate wrong states, and encrypt data. The core services of the security domain are gathered here, and because their names are similar they’re easy to confuse, so the exam point is to distinguish them by what each one looks at.
Distinguishing the Roles of the Four Services #
Let’s start with the big picture. Half the confusion comes from having a fuzzy sense of the boundaries between these four.
| Service | What it looks at | In one line |
|---|---|---|
| CloudTrail | Who called which API, when, and from where | Record of actions (audit log) |
| Config | What configuration a resource has, and whether it follows the rules | Configuration state and compliance |
| GuardDuty | Whether the account's logs show malicious or anomalous activity | Threat detection |
| Security Hub | Findings from the services above, aggregated and scored | Unified dashboard |
CloudTrail: API Audit #
It records the API calls made in the account: who (the principal, in userIdentity), when, what (the action and its request parameters), and from where (source IP, user agent).
- Management events: control-plane calls such as creating, deleting or reconfiguring resources. Recorded by default and shown for 90 days in Event history; a trail is what delivers them to S3 for longer retention and analysis
- Data events: high-volume data-plane calls such as S3 object reads and writes or Lambda invocations. Off by default and configured per trail (they are billed separately)
- Organization trail: one trail, created in the management (or delegated administrator) account, that collects events from every account in the organization
- Log file integrity validation: CloudTrail delivers signed hourly digest files containing hashes of the log files, so you can prove a log file was not modified, deleted or forged after delivery
- Send CloudTrail logs to CloudWatch Logs and apply metric filters and alarms (#3) for real-time alerting
The answer to “track who deleted this resource” is CloudTrail. “Notify immediately on a root login or a permission change” is CloudTrail → CloudWatch Logs → metric filter → alarm.
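The three alerting cases above (root activity, IAM permission changes, someone switching the trail off) expressed as detection logic over raw CloudTrail records. This is an added example, not code from the post: it reads the standard CloudTrail log-file shape (`{"Records": [...]}`) and runs over constructed sample records; the event names, event sources and `userIdentity` fields are real CloudTrail ones, and the CIS metric-filter pattern quoted in the comment is the one the ROOT_ACTIVITY check reproduces.

```python
"""Offline detection over CloudTrail records (added example, not from the post)."""
import json

# CIS AWS Foundations metric-filter pattern for root usage, which the
# ROOT_ACTIVITY branch below reproduces in Python:
#   { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#     && $.eventType != "AwsServiceEvent" }

IAM_PERMISSION_CHANGES = {
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "DetachUserPolicy", "DetachRolePolicy", "DetachGroupPolicy",
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy", "DeletePolicyVersion",
    "SetDefaultPolicyVersion",
}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify_record(rec):
    """Return a finding kind for one CloudTrail record, or None if it is benign."""
    ident = rec.get("userIdentity", {})
    name = rec.get("eventName")
    source = rec.get("eventSource")
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent"):
        return "ROOT_ACTIVITY"
    if source == "iam.amazonaws.com" and name in IAM_PERMISSION_CHANGES:
        return "IAM_PERMISSION_CHANGE"
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        return "TRAIL_TAMPERING"
    return None


def scan_log_file(text):
    """Parse one CloudTrail log file and return the who/when/what/where of each hit."""
    findings = []
    for rec in json.loads(text)["Records"]:
        kind = classify_record(rec)
        if kind:
            findings.append({
                "kind": kind,
                "who": rec.get("userIdentity", {}).get("arn"),
                "when": rec.get("eventTime"),
                "what": rec.get("eventName"),
                "from": rec.get("sourceIPAddress"),
            })
    return findings


# Constructed sample log file: two benign records and three that should alert.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "eventTime": "2024-05-01T08:12:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops/ci"},
     "eventTime": "2024-05-01T08:13:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5"},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "eventTime": "2024-05-01T08:15:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com",
                      "arn": "arn:aws:iam::123456789012:root"},
     "eventTime": "2024-05-01T08:16:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "sourceIPAddress": "cloudformation.amazonaws.com"},
    {"eventVersion": "1.08", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "mallory",
                      "arn": "arn:aws:iam::123456789012:user/mallory"},
     "eventTime": "2024-05-01T08:20:09Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"name": "org-trail"}},
]})

if __name__ == "__main__":
    for f in scan_log_file(SAMPLE_LOG):
        print(f)
```

In production the same predicate lives in a CloudWatch Logs metric filter feeding an alarm (the pattern in the comment), or in an EventBridge rule on the CloudTrail event stream; the Python form is useful for testing the predicate and for running it over archived log files in S3 during an investigation. Note the fourth sample record: a root identity acting through a service (`invokedBy` present) is deliberately excluded, exactly as the CIS pattern does.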
AWS Config: Configuration Compliance #
Config records the configuration of each resource over time and evaluates it against Config rules (AWS managed rules, or custom rules backed by Lambda). Recording is set up per region, so a rule only sees the resource types the recorder in that region is configured to record.
| Feature | Description |
|---|---|
| Configuration Recorder | Continuously records resource configuration changes as a timeline of configuration items |
| Config Rule | Evaluates compliance against rules like “S3 must be encrypted”, on every change and/or on a schedule |
| Remediation | Remediates violations by running an SSM Automation document, either on demand or automatically on each non-compliant evaluation |
| Conformance Pack | Deploys a bundle of rules (and their remediations) as one standard across accounts and regions |
The difference from CloudTrail is the key point. CloudTrail looks at actions (who called what), Config looks at state (whether the current configuration matches the rule). The answer to “find unencrypted volumes and auto-remediate them” is Config Rule + auto-remediation. “View the history of when and how the configuration changed” is also Config.
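What a Config rule actually evaluates, using the unencrypted-volume case from the paragraph above. This is an added example, not code from the post: the handler follows the real Config custom-rule contract (`invokingEvent`, `ruleParameters` and `resultToken` in, `PutEvaluations` out), while the evaluation itself is a pure function that runs offline over constructed configuration items. The optional `kmsKeyArn` rule parameter is an assumption for illustration, and `boto3` is imported only inside the handler so the offline part needs no AWS SDK.

```python
"""Custom AWS Config rule: EBS volumes must be encrypted (added example)."""
import json


def evaluate_configuration_item(item, rule_parameters):
    """Return (ComplianceType, annotation) for one Config configuration item."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "volume no longer exists"
    conf = item["configuration"]
    if not conf.get("encrypted"):
        return "NON_COMPLIANT", "volume is not encrypted"
    required = rule_parameters.get("kmsKeyArn")  # assumed optional parameter name
    if required and conf.get("kmsKeyId") != required:
        return "NON_COMPLIANT", f"encrypted with {conf.get('kmsKeyId')}, not the required key"
    return "COMPLIANT", "volume is encrypted"


def build_evaluation(event):
    """Turn a Config invocation into the evaluation dict PutEvaluations expects."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, note = evaluate_configuration_item(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when Config invokes the rule; reports the result back to Config."""
    evaluation = build_evaluation(event)
    import boto3  # only needed when actually invoked by Config
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(volume_id, encrypted, kms_key_id=None, rule_params=None):
    """Constructed invoking event in the shape of a configuration-change trigger."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": volume_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
        "configuration": {"volumeId": volume_id, "encrypted": encrypted,
                          "kmsKeyId": kms_key_id},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(rule_params or {}),
        "resultToken": "TESTMODE",
        "eventLeftScope": False,
    }


REQUIRED_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    print(build_evaluation(make_event("vol-0aaa", False)))
    print(build_evaluation(make_event("vol-0bbb", True, REQUIRED_KEY, {"kmsKeyArn": REQUIRED_KEY})))
```

For the plain “is it encrypted” check the managed rule `encrypted-volumes` already exists; a custom rule is how you express conditions the managed one does not (here, a specific CMK). One caveat for the remediation half: an EBS volume cannot be encrypted in place, so the SSM Automation document behind the remediation has to snapshot the volume, copy the snapshot with encryption, and swap the new volume in, which is a disruptive operation to run automatically.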
GuardDuty: Threat Detection #
GuardDuty analyzes CloudTrail management events, VPC Flow Logs and DNS logs (plus optional sources such as S3 data events and EKS audit logs) using threat intelligence feeds and machine learning to detect threats. You don’t need to enable, deliver or pay for those logs yourself: GuardDuty reads them from its own stream, independent of whether you have turned them on, so the only step is enabling the detector.
- Detects anomalous API calls, communication with known malicious IPs, cryptocurrency mining, signs of credential exfiltration, and more
- Findings are emitted as EventBridge events; wire an automated response (isolation, notification) to them
- For multi-account, designate a delegated administrator account through AWS Organizations and manage every member account’s detector from there
The answer to “automatically detect signs of compromise or malicious activity” is GuardDuty. Unlike Config (compliance) and CloudTrail (records), the dividing line is that GuardDuty is active threat detection.
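The EventBridge-driven response mentioned above, as an added example that is not code from the post. It shows the EventBridge rule pattern that forwards only high-severity findings (numeric matching is a real EventBridge operator) next to a handler that applies the same threshold and maps the finding to a containment action based on the affected resource type. The event is constructed in the shape EventBridge delivers for GuardDuty (source `aws.guardduty`, detail-type `GuardDuty Finding`); the quarantine security group id and the action names in the returned plan are assumptions for illustration.

```python
"""Triage of GuardDuty findings delivered through EventBridge (added example)."""

# EventBridge rule pattern: GuardDuty findings with severity >= 7 only.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

HIGH_SEVERITY = 7.0  # GuardDuty severity bands: low 1-3.9, medium 4-6.9, high 7-8.9
QUARANTINE_SG = "sg-0123456789abcdef0"  # assumed: a security group with no rules at all


def matches_pattern(event):
    """Mirror EVENT_PATTERN in code so the filter can be unit-tested offline."""
    return (
        event.get("source") == "aws.guardduty"
        and event.get("detail-type") == "GuardDuty Finding"
        and float(event.get("detail", {}).get("severity", 0)) >= HIGH_SEVERITY
    )


def plan_response(event):
    """Map a finding to a containment action keyed on the affected resource type."""
    detail = event["detail"]
    resource = detail["resource"]
    plan = {
        "finding_id": detail["id"],
        "finding_type": detail["type"],
        "severity": detail["severity"],
        "account": detail["accountId"],
    }
    rtype = resource["resourceType"]
    if rtype == "Instance":
        # Replace the instance's security groups with an empty one: it stays up
        # for forensics (memory, disk) but can no longer talk to anything.
        plan.update(action="isolate_instance",
                    target=resource["instanceDetails"]["instanceId"],
                    security_groups=[QUARANTINE_SG])
    elif rtype == "AccessKey":
        # A compromised IAM access key is contained by deactivating it.
        details = resource["accessKeyDetails"]
        plan.update(action="deactivate_access_key",
                    target=details["accessKeyId"], user=details["userName"])
    else:
        # S3 buckets, EKS clusters and the rest need a human decision first.
        plan.update(action="notify_only", target=rtype)
    return plan


def handle(event):
    """Lambda-style entry point: None when the EventBridge rule would not have fired."""
    if not matches_pattern(event):
        return None
    return plan_response(event)


# Constructed sample events; field names follow the GuardDuty finding schema.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "0ab1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
        "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "severity": 8,
        "accountId": "123456789012",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc123def4567890"}},
    },
}

LOW_SEVERITY_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "1ab1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
        "type": "Recon:IAMUser/UserPermissions",
        "severity": 2,
        "accountId": "123456789012",
        "resource": {"resourceType": "AccessKey",
                     "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                          "userName": "dev-user"}},
    },
}

if __name__ == "__main__":
    print(handle(SAMPLE_EVENT))
    print(handle(LOW_SEVERITY_EVENT))
```

The real handler would carry out the plan with `ec2.modify_instance_attribute(InstanceId=..., Groups=[QUARANTINE_SG])` and `iam.update_access_key(UserName=..., AccessKeyId=..., Status="Inactive")`. Two operational caveats: GuardDuty re-emits a finding each time it is updated with new activity, so the actions must be idempotent, and you can exercise the whole path safely with `CreateSampleFindings` before pointing it at production.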
Security Hub: Unified Security Management #
It collects the findings of several security services (GuardDuty, Inspector, Macie, Config, plus partner integrations) in one place, normalizes them into a common format (ASFF, the AWS Security Finding Format), and scores them.
- A compliance score against security standards such as the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices; most of these controls are evaluated as Config rules, so Config recording must be enabled for the score to mean anything
- A unified dashboard for security findings across all accounts
- Automated response by receiving findings via EventBridge
The answer to “view the findings of several security services on one screen and check best-practice compliance” is Security Hub.
Auxiliary Tools Often Grouped Together #
| Service | Detection target |
|---|---|
| Inspector | Continuously scans EC2 instances, ECR container images and Lambda functions for software vulnerabilities (CVEs), and EC2 instances for unintended network exposure |
| Macie | Uses pattern matching and machine learning to find sensitive data (PII, credentials) in S3 objects, and flags bucket-level exposure such as public access or missing encryption |
“Detect whether personal information exists in S3” is Macie; “scan vulnerabilities of instances and images” is Inspector. Together with the ECR scan in #9, they form the axis of vulnerability operations.
KMS: Encryption Operations #
It’s central to data encryption. Let’s focus on the operational points.
| Key type | Managing party |
|---|---|
| AWS managed key (aws/s3, aws/ebs, ...) | Created and managed by AWS on behalf of a service. Rotated automatically every year; you cannot edit its key policy or use it from another account |
| Customer managed key (CMK) | You control the key policy, rotation, enabling/disabling, and deletion (deletion is scheduled, with a 7 to 30 day waiting period) |
- Key policy: the resource-based policy attached to the key that defines who can use and who can administer it. Cross-account use needs both a key policy that grants the other account (or its principal) and an IAM policy in that account; neither alone is enough
- Automatic rotation: optional for customer managed keys, yearly. Rotation adds new key material but keeps the old versions, so existing ciphertext still decrypts and nothing is re-encrypted
- Envelope encryption: call GenerateDataKey to get a plaintext data key together with the same key encrypted under the KMS key; encrypt the data locally with the data key, store the encrypted data key next to the ciphertext, and discard the plaintext key. KMS never sees the bulk data, and the 4 KB limit on KMS Encrypt only applies to what you send to KMS
- For S3, EBS, RDS and the like, specify a KMS key for encryption at rest; the service does the envelope encryption for you
The answer to “directly control the encryption key and share it across accounts” is a customer managed key + key policy.
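Envelope encryption and what rotation does to existing ciphertext, as an added example that is not code from the post. `FakeKms` stands in for a customer managed key: it implements the GenerateDataKey contract (plaintext data key plus an encrypted blob that names the key and its version) and Decrypt (blob back to plaintext data key) in-process, and its master key material never leaves the class. To keep the example stdlib-only, bulk encryption uses an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC); that is a stand-in for the AES-256-GCM that KMS and the AWS SDKs actually use, not something to deploy.

```python
"""Envelope encryption modelled on the KMS data-key contract (added example)."""
import hashlib
import hmac
import os
import struct


def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return out[:length]


def _seal(key, data):
    """nonce || ciphertext || tag; separate subkeys for encryption and MAC."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, sealed):
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class FakeKms:
    """In-process stand-in for KMS: key id -> list of backing-key versions."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = [os.urandom(32)]

    def rotate_key(self, key_id):
        # Rotation adds new backing material; old versions are kept, so blobs
        # wrapped before rotation still decrypt and nothing is re-encrypted.
        self._keys[key_id].append(os.urandom(32))

    def generate_data_key(self, key_id):
        """GenerateDataKey: (plaintext data key, blob naming key_id + version)."""
        version = len(self._keys[key_id]) - 1
        data_key = os.urandom(32)
        sealed = _seal(self._keys[key_id][version], data_key)
        kid = key_id.encode()
        blob = struct.pack(">H", len(kid)) + kid + struct.pack(">I", version) + sealed
        return data_key, blob

    def decrypt(self, blob):
        """Decrypt: unwrap a data-key blob with the version it was wrapped under."""
        n = struct.unpack(">H", blob[:2])[0]
        key_id = blob[2:2 + n].decode()
        version = struct.unpack(">I", blob[2 + n:6 + n])[0]
        return _open(self._keys[key_id][version], blob[6 + n:])


def blob_key_version(blob):
    """Which backing-key version a data-key blob was wrapped under."""
    n = struct.unpack(">H", blob[:2])[0]
    return struct.unpack(">I", blob[2 + n:6 + n])[0]


def envelope_encrypt(kms, key_id, plaintext):
    data_key, encrypted_data_key = kms.generate_data_key(key_id)
    ciphertext = _seal(data_key, plaintext)  # bulk data never goes to KMS
    del data_key  # the plaintext data key is used once and never stored
    # The encrypted data key travels with the ciphertext; only KMS can unwrap it.
    return {"encrypted_data_key": encrypted_data_key, "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope):
    data_key = kms.decrypt(envelope["encrypted_data_key"])
    return _open(data_key, envelope["ciphertext"])


if __name__ == "__main__":
    kms = FakeKms()
    kms.create_key("alias/app-data")
    env = envelope_encrypt(kms, "alias/app-data", b"customer record 42")
    kms.rotate_key("alias/app-data")
    print(envelope_decrypt(kms, env))  # still decrypts after rotation
```

Two things the code makes concrete that the bullets only state: a KMS Decrypt call needs no key id because the blob itself records which key (and which version of its material) wrapped the data key, which is why rotation is transparent; and the access control is entirely on the KMS side, so a key policy that denies the caller `kms:Decrypt` on that key makes every envelope under it unreadable without touching the ciphertext.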
Exam Question Patterns #
- Who deleted a resource → CloudTrail
- Whether the configuration matches the rule / auto-remediation → Config Rule + Remediation (SSM Automation)
- Automatically detect malicious or anomalous activity → GuardDuty
- Aggregate and score several security services’ findings → Security Hub
- Scan EC2 instances and container images for vulnerabilities → Inspector
- Detect sensitive data in S3 → Macie
- Directly control the encryption key, share it cross-account → KMS customer managed key + key policy
Common Pitfalls #
1) Confusing CloudTrail and Config #
CloudTrail is about actions (API calls), Config is about state (configuration compliance). “Who changed it” is CloudTrail, “does it match the rule right now” is Config.
2) Thinking GuardDuty requires log configuration #
GuardDuty reads CloudTrail, VPC Flow Logs and DNS logs from its own stream; you don’t have to enable, deliver or retain those logs yourself. You just enable the detector.
3) Assuming S3 data events are recorded by default #
CloudTrail records only management events by default. S3 object-level data events must be turned on separately.
4) Misunderstanding that Security Hub detects directly #
Security Hub is not a detector; it aggregates, normalizes and scores. The actual detection is done by GuardDuty, Inspector, Config and the others.
Summary #
What we covered in this post:
- The boundaries of the four services: CloudTrail (record of actions), Config (configuration compliance), GuardDuty (threat detection), Security Hub (unified score)
- CloudTrail covers management/data events, organization trail, log file integrity validation. Real-time alarms via CloudWatch Logs integration
- Config covers the configuration timeline + rules + SSM auto-remediation + Conformance Pack
- GuardDuty does active threat detection without any log configuration on your side, automated response via EventBridge
- Inspector (vulnerabilities) and Macie (S3 sensitive data) are the auxiliary axes
- Control encryption and cross-account sharing with a KMS customer managed key + key policy
Next: Exam Tips and Frequently Missed Patterns #
We’ve finished all five domains. Next is the just-before-the-exam summary.
In #14 Exam Tips and Frequently Missed Operational Scenario Patterns, I’ll cover the recurring pitfalls that cut across domains, the keywords that separate similar services, time allocation and how to read questions, and a final checklist.