AWS Certified CloudOps Engineer - Associate (SOA-C03) #13 Domain 5-2 Security — Config, CloudTrail, GuardDuty, Security Hub, KMS

In #12 we covered identity and governance; this post deals with the operational tools that track what happened (audit), detect and remediate wrong states, and encrypt data. The core services of the security domain are gathered here, and because their names are similar they’re easy to confuse, so the exam point is to distinguish them by what each one looks at.

Distinguishing the Roles of the Four Services #

Let’s start with the big picture. Half the confusion comes from having a fuzzy sense of the boundaries between these four.

| Service | What it looks at | In one line |
| --- | --- | --- |
| CloudTrail | Who called which API | Record of actions (audit log) |
| Config | What configuration a resource has and whether it follows the rules | Configuration state, compliance |
| GuardDuty | Whether there is malicious or anomalous activity | Threat detection |
| Security Hub | A security score that aggregates the above | Unified dashboard |

CloudTrail: API Audit #

It records every API call that happens in the account. It logs who (the principal), when, what (the action), and from where (source IP).

  • Management events: resource creation, deletion, configuration changes, etc. Recorded by default
  • Data events: high-volume events such as S3 object reads and writes or Lambda invocations. Disabled by default (configured separately)
  • Organization Trail: collects events from all accounts in one place
  • Log integrity: detects tampering of delivered log files via log file integrity validation
  • Send CloudTrail logs to CloudWatch Logs to apply metric filters and alarms (#3) for real-time alerting

The answer to “track who deleted this resource” is CloudTrail. “Notify immediately on a root login or a permission change” is CloudTrail → CloudWatch Logs → metric filter → alarm.
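As an added example (not from the original post), the root-usage and permission-change checks that the text routes through CloudTrail → CloudWatch Logs → alarm, applied offline to CloudTrail records; the sample records are constructed, and the CIS Benchmark metric filter pattern quoted in the docstring is what the same logic looks like as a CloudWatch Logs filter.

```python
"""Added example (not from the original post): the root-usage and permission-change
checks the text routes through CloudTrail -> CloudWatch Logs -> alarm, applied
offline to CloudTrail records. The CIS Benchmark metric filter for root usage is
  { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    && $.eventType != "AwsServiceEvent" }
and the functions below implement the same conditions in Python."""
import json

# IAM actions that change permissions (the CIS "IAM policy changes" filter set).
IAM_POLICY_CHANGE_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy",
    "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
}

def is_root_usage(record: dict) -> bool:
    """True when the root principal itself acted, not an AWS service acting for it."""
    identity = record.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")

def is_iam_policy_change(record: dict) -> bool:
    return record.get("eventName") in IAM_POLICY_CHANGE_EVENTS

def triage(log_file_json: str) -> list:
    """Return (alert_type, eventName) for every record that should raise an alarm.
    Input is the body of one CloudTrail log file: {"Records": [...]}."""
    alerts = []
    for rec in json.loads(log_file_json)["Records"]:
        if is_root_usage(rec):
            alerts.append(("ROOT_USAGE", rec["eventName"]))
        if is_iam_policy_change(rec):
            alerts.append(("IAM_POLICY_CHANGE", rec["eventName"]))
    return alerts

# Constructed sample records following the CloudTrail record layout.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventType": "AwsApiCall", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventType": "AwsServiceEvent", "eventName": "RotateKey",
     "userIdentity": {"type": "Root", "invokedBy": "kms.amazonaws.com"}},
    {"eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole"}},
]})
```

The third record shows why the `invokedBy` and `eventType` clauses matter: a service acting on the account's behalf must not trip the root-usage alarm.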

AWS Config: Configuration Compliance #

Config records the configuration of resources over time and evaluates compliance against rules (Config Rules).

| Feature | Description |
| --- | --- |
| Configuration Recorder | Continuously records resource configuration changes (timeline) |
| Config Rule | Evaluates compliance against rules like “S3 must be encrypted” |
| Remediation | Auto-remediates violations with SSM Automation |
| Conformance Pack | Deploys a bundle of rules as a standard in one go |

The difference from CloudTrail is the key point. CloudTrail looks at actions (who called it), Config looks at state (whether the current configuration matches the rule). The answer to “find unencrypted volumes and auto-remediate them” is Config Rule + auto-remediation. “View the history of when and how the configuration changed” is also Config.
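As an added example (not from the original post), the evaluation logic of a custom Config rule for the “find unencrypted volumes” case above. AWS ships a managed rule (encrypted-volumes) for this; writing it by hand shows what Config hands a rule and what the rule must return. Function names, the `requiredKmsKeyArn` parameter and the sample event are this example's own.

```python
"""Added example (not from the original post): the evaluation logic of a custom
AWS Config rule that flags unencrypted EBS volumes. AWS ships a managed rule
(encrypted-volumes) for exactly this; writing it by hand shows what Config hands
a rule and what the rule must return. Function names here are this example's own."""
import json

DELETED_STATUSES = ("ResourceDeleted", "ResourceNotRecorded")

def evaluate(event: dict) -> dict:
    """Turn one rule invocation event into the evaluation Config expects back.
    Config delivers the changed resource in event["invokingEvent"], a JSON string
    holding a configurationItem; optional rule parameters arrive the same way."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    required_key = params.get("requiredKmsKeyArn")  # optional: demand one specific CMK
    config = item.get("configuration") or {}

    if item["configurationItemStatus"] in DELETED_STATUSES:
        compliance, note = "NOT_APPLICABLE", "Resource deleted or not recorded"
    elif item["resourceType"] != "AWS::EC2::Volume":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    elif not config.get("encrypted"):
        compliance, note = "NON_COMPLIANT", "Volume is not encrypted"
    elif required_key and config.get("kmsKeyId") != required_key:
        compliance, note = "NON_COMPLIANT", "Volume encrypted with a key other than the required CMK"
    else:
        compliance, note = "COMPLIANT", "Volume is encrypted"

    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Entry point when deployed as the rule's Lambda: report the result to Config."""
    import boto3  # imported here so the module still loads where boto3 is absent
    boto3.client("config").put_evaluations(
        Evaluations=[evaluate(event)], ResultToken=event["resultToken"])

def sample_event(encrypted, status="OK", kms_key=None, params="{}"):
    """Constructed invocation event in the shape Config sends to a custom rule."""
    item = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0constructed",
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"encrypted": encrypted, "kmsKeyId": kms_key}}
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": params, "resultToken": "constructed-token"}
```

A NON_COMPLIANT result is what a remediation action (SSM Automation) is attached to; the NOT_APPLICABLE branch keeps deleted volumes from lingering as findings.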

GuardDuty: Threat Detection #

GuardDuty analyzes CloudTrail, VPC Flow Logs and DNS logs with machine learning to detect threats. You don’t need to enable or manage those log sources yourself; it works as soon as you enable it.

  • Detects abnormal API calls, communication with known malicious IPs, cryptocurrency mining, signs of credential exfiltration, and more
  • Connect an automated response (isolation, notification) by receiving findings (Finding) via EventBridge
  • For multi-account setups, consolidate all accounts under a delegated administrator

The answer to “automatically detect signs of compromise or malicious activity” is GuardDuty. The dividing line from Config (compliance) and CloudTrail (records) is that GuardDuty is active threat detection.

Security Hub: Unified Security Management #

It aggregates, standardizes, and scores the findings of several security services (GuardDuty, Inspector, Macie, Config) in one place.

  • A compliance score against security standards (standard) like CIS and AWS best practices
  • A unified dashboard for security findings across all accounts
  • Automated response by receiving findings via EventBridge

The answer to “view the findings of several security services on one screen and check best-practice compliance” is Security Hub.

Auxiliary Tools Often Grouped Together #

| Service | Detection target |
| --- | --- |
| Inspector | Automatically scans software vulnerabilities (CVE) of EC2, containers, Lambda |
| Macie | Detects sensitive data (personal information) in S3 |

“Detect whether personal information exists in S3” is Macie; “scan vulnerabilities of instances and images” is Inspector. Together with the ECR scan in #9, they form the axis of vulnerability operations.

KMS: Encryption Operations #

It’s central to data encryption. Let’s focus on the operational points.

| Key type | Managing party |
| --- | --- |
| AWS managed key | Managed by AWS. Automatic rotation |
| Customer managed key (CMK) | The user controls policy, rotation, and deletion |

  • Key Policy: defines who can access the key. The core of cross-account key sharing
  • Automatic rotation: customer managed keys can also be set to rotate automatically once a year
  • Envelope encryption: encrypt data with a data key, and encrypt the data key with a KMS key
  • For S3, EBS, RDS and the like, specify a KMS key for encryption at rest

The answer to “directly control the encryption key and share it across accounts” is a customer managed key + key policy.
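As an added example (not from the original post), a small audit of the cross-account grants a key policy contains, which is the operational check behind “customer managed key + key policy”. The key policy and account IDs are constructed placeholders.

```python
"""Added example (not from the original post): audit a KMS key policy for the
cross-account grants the text describes. Account IDs and the policy are placeholders.
Cross-account use needs both a key-policy statement like the one below in the key's
account and an IAM policy in the other account allowing the same kms:* actions."""
import re

def principal_accounts(principal) -> set:
    """Account IDs named in a statement Principal; a wildcard yields {'*'}."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    values = [values] if isinstance(values, str) else values
    found = set()
    for v in values:
        m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.*)?", v)
        found.add(m.group(1) if m else v)  # normalise ARN or bare ID; keep '*' as-is
    return found

def external_grantees(key_policy: dict, owner_account: str) -> dict:
    """Map each foreign account (or '*') to the KMS actions the key policy allows it."""
    grants = {}
    for stmt in key_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        for acct in principal_accounts(stmt.get("Principal", {})) - {owner_account}:
            grants.setdefault(acct, set()).update(actions)
    return grants

# Constructed key policy: owner admin statement plus a cross-account use statement.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM policies in the owning account", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key from the workload account", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for acct, acts in external_grantees(SAMPLE_KEY_POLICY, "111111111111").items():
        print(acct, sorted(acts))
```

A `'*'` key in the result means the policy grants the listed actions to any AWS principal, which is the finding a reviewer would want to see first.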

Exam Question Patterns #

  • Who deleted a resource → CloudTrail
  • Whether the configuration matches the rule / auto-remediation → Config Rule + Remediation (SSM)
  • Automatically detect malicious or anomalous activity → GuardDuty
  • Aggregate and score several security findings → Security Hub
  • Scan EC2 and image vulnerabilities → Inspector
  • Detect sensitive data in S3 → Macie
  • Directly control the encryption key, cross-account → KMS customer managed key + key policy

Common Pitfalls #

1) Confusing CloudTrail and Config #

CloudTrail is about actions (API calls), Config is about state (configuration compliance). “Who changed it” is CloudTrail, “does it match the rule right now” is Config.

2) Thinking GuardDuty requires log configuration #

GuardDuty analyzes the source logs without you having to turn them on directly. You just enable it.

3) Assuming S3 data events are recorded by default #

CloudTrail records only management events by default. S3 object-level data events must be turned on separately.

4) Misunderstanding that Security Hub detects directly #

Security Hub is not a detector; it does aggregation, standardization, and scoring. The actual detection is done by GuardDuty, Inspector, Config and others.

Summary #

What we covered in this post:

  • The boundaries of the four services: CloudTrail (record of actions), Config (configuration compliance), GuardDuty (threat detection), Security Hub (unified score)
  • CloudTrail covers management/data events, organization trail, integrity validation. Real-time alarms via CloudWatch Logs integration
  • Config covers the configuration timeline + rules + SSM auto-remediation + Conformance Pack
  • GuardDuty does active threat detection without log configuration, automated response via EventBridge
  • Inspector (vulnerabilities) and Macie (S3 sensitive data) are the auxiliary axes
  • Control encryption and cross-account sharing with KMS customer managed key + key policy

Next: Exam Tips and Frequently Missed Patterns #

We’ve finished all five domains. Next is the just-before-the-exam summary.

In #14 Exam Tips and Frequently Missed Operational Scenario Patterns, I’ll cover the recurring pitfalls that cut across domains, the keywords that separate similar services, time allocation and how to read questions, and a final checklist.
