AWS SCS-C03 Quick Revision

Domain 1 — Detection

A focused visual study sheet for Domain 1 only. This version uses a clean light study-board style rather than a resume-like theme, and it groups the services the same way exam questions usually test them: detect, aggregate, investigate, log, and query.

Key themes: GuardDuty-first mindset · Security Hub aggregation · CloudTrail + EventBridge automation
Top priority

Amazon GuardDuty

Managed intelligent threat detection

  • Best answer when the question asks for automatic threat detection with minimal setup.
  • Analyzes foundational sources such as CloudTrail management events, VPC Flow Logs, and Route 53 DNS query logs.
  • Detects compromised credentials, suspicious API calls, crypto-mining, malware-style behavior, and data exfiltration patterns.
  • Supports multi-account administration through AWS Organizations.
Central view

AWS Security Hub

Aggregate findings and security posture

  • Use when the clue is centralize findings across accounts and Regions.
  • Aggregates findings from GuardDuty, Macie, Inspector, IAM Access Analyzer, Config, and partner tools.
  • Uses AWS Security Finding Format (ASFF).
  • Needs AWS Config enabled for many checks and standards.
Investigate

Amazon Detective

Root-cause investigation after findings

  • Use after GuardDuty, Macie, or Security Hub finds something suspicious.
  • Helps answer: how did it happen, what was affected, and what did the attacker do?
  • Builds a unified view using sources such as CloudTrail, VPC Flow Logs, and GuardDuty findings.
  • Think investigation, not first-line detection.
Logging and eventing

Detection backbone

CloudTrail

Who did what in the AWS account.

  • Management events are logged by default.
  • Data events are higher volume and not enabled by default.
  • Investigate CloudTrail first when resources are changed or deleted.
  • Default event history is 90 days unless you log to S3 or CloudTrail Lake.

CloudTrail Insights

Anomaly detection on write management events.

  • Detects unusual API activity patterns.
  • Useful for bursty IAM actions or unusual operational behavior.
  • Think unusual write activity, not full threat-detection replacement.

EventBridge

Automation trigger layer.

  • React to GuardDuty findings or CloudTrail events.
  • Common targets: SNS, Lambda, SQS, Step Functions.
  • Use for near-immediate workflows and remediation triggers.

CloudWatch

Metrics, alarms, and log analytics.

  • Best for alerting and operational monitoring.
  • Metric Filters can turn matching log patterns into metrics.
  • CloudWatch Alarms can alert on those metrics.
Data, vulnerabilities, and network clues

Supporting detection services

Amazon Macie

Use for sensitive data discovery in S3.

Finds PII, credentials, financial data, and policy issues in buckets.

Amazon Inspector

Use for vulnerability assessment.

Covers EC2, ECR container images, and Lambda packages.

VPC Flow Logs

Use to inspect network traffic patterns.

Good for port analysis, rejected traffic, and suspicious connectivity review.

Route 53 Resolver Query Logging

Use for DNS visibility inside VPCs.

Helpful for unusual query patterns and DNS investigation.

CloudWatch must-know

Logs, filters, alarms

  • Logs Insights is for searching and analyzing log data already in CloudWatch Logs.
  • Metric Filters extract patterns from logs and create CloudWatch metrics.
  • CloudWatch Alarms notify or trigger actions when metrics breach thresholds.
  • Contributor Insights shows top contributors such as top IPs, noisy hosts, or most common errors.
Real-time clue

Subscription filters

  • Use CloudWatch Logs subscription filters for real-time or near-real-time processing.
  • Common destinations: Lambda, Kinesis Data Streams, Kinesis Data Firehose, OpenSearch.
  • For exam questions asking for streaming logs as they arrive, this is the answer over Athena exports.
Query-at-rest

Athena

  • Best when logs are stored in S3 and you need serverless SQL analysis.
  • Frequently used with CloudTrail logs, VPC Flow Logs, and other exported security data.
  • Remember: Athena is query-based, not a real-time alerting engine.
GuardDuty advanced

Features exam questions like

  • Protection plans: S3 Protection, EKS Protection, Runtime Monitoring, Malware Protection for EC2, Lambda Protection, RDS Protection, Malware Protection for S3 and AWS Backup.
  • Findings: severity levels, finding types, and sample findings for testing automation.
  • Trusted IP list suppresses findings for known-good public IPs.
  • Threat IP list generates findings for known-malicious public IPs.
  • Suppression rules archive unwanted findings and keep dashboards cleaner.
GuardDuty traps

Easy-to-miss details

  • GuardDuty uses the default VPC DNS resolver for DNS-based findings.
  • Suppressed findings are not sent onward to services like Security Hub or EventBridge.
  • In multi-account setups, administrator accounts manage member findings, rules, trusted lists, and threat lists.
Security Hub exam detail

Must remember

  • AWS Config must be enabled for many Security Hub checks.
  • Security Hub can aggregate across multiple Regions and accounts.
  • GuardDuty findings flow into Security Hub in ASFF.
  • Security Hub Insights group related findings for quicker review.
Detective exam detail

Positioning

  • Detective is for triage, scoping, and investigation.
  • Use it after a finding to build a timeline and see affected entities.
  • Do not confuse it with first-line alerting.
Network visibility

Flow logs and DNS logs

  • VPC Flow Logs help identify source IP, destination IP, ports, and ACCEPT/REJECT actions.
  • Route 53 query logging supports DNS-level analysis.
  • Both commonly feed CloudWatch Logs, Athena, or downstream analytics.
Exam patterns

What the question is really asking

“Detect suspicious activity automatically across accounts.” → GuardDuty, often with delegated administrator setup.
“Centralize findings and compliance status.” → Security Hub, with Config enabled.
“Investigate the root cause of a finding.” → Detective.
“Track API activity / who changed something.” → CloudTrail.
“Send immediate notifications when certain events happen.” → EventBridge + SNS or Lambda.
“Find PII or sensitive data in S3.” → Macie.
“Identify vulnerabilities in workloads.” → Inspector.
“Top source IPs / top talkers / noisy contributors.” → CloudWatch Contributor Insights.
“Real-time processing of log events as they arrive.” → CloudWatch Logs subscription filter.
“Query logs stored in S3 with SQL.” → Athena.
Wrong-answer traps

What AWS wants you not to confuse

  • GuardDuty detects threats. Security Hub aggregates findings.
  • Detective investigates. It does not generate first-line detections.
  • CloudTrail records API activity. It is not a full managed threat detection service.
  • Athena queries logs already stored in S3. It is not a streaming processor.
  • CloudWatch Logs Insights searches logs. It is not the same as real-time subscription delivery.
  • Macie is for sensitive data in S3. Inspector is for vulnerabilities.
  • Contributor Insights is for top contributors and rankings, not broad threat-detection replacement.
Automation memory

Fast recall workflows

GuardDuty finding → EventBridge rule → SNS / Lambda / Step Functions
CloudTrail event → EventBridge → Alert or auto-remediation
CloudTrail or VPC Flow Logs in S3 → Athena → Serverless SQL investigation
CloudWatch Logs → Logs Insights / Contributor Insights → Search and rank suspicious behavior
CloudWatch Logs → Subscription Filter → Lambda / Kinesis / OpenSearch
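The first workflow above (GuardDuty finding → EventBridge rule → SNS/Lambda) hinges on the rule's event pattern deciding which findings fan out. This added example, not part of the study sheet, models EventBridge pattern matching in plain Python: exact-match arrays, `numeric` comparators, and nested `detail` keys, applied to a constructed GuardDuty-style finding event. The `source`/`detail-type`/`detail.severity`/`detail.type` fields mirror what GuardDuty publishes; the account, Region and finding id values are constructed samples.

```python
import json

# EventBridge event pattern (real syntax): only GuardDuty findings with severity >= 7.
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def _match_value(pattern_values, actual):
    """EventBridge semantics: the list of pattern values is OR'd; numeric filters
    like [">", 3, "<=", 6] are a chain of comparisons that must all hold."""
    for pv in pattern_values:
        if isinstance(pv, dict) and "numeric" in pv:
            ops = pv["numeric"]
            if isinstance(actual, (int, float)) and all(
                    _OPS[ops[i]](actual, ops[i + 1]) for i in range(0, len(ops), 2)):
                return True
        elif pv == actual:
            return True
    return False

def matches(pattern, event):
    """Subset match: every key in the pattern must be present and match in the event;
    keys the pattern does not mention are ignored, as EventBridge does."""
    for key, pv in pattern.items():
        if key not in event:
            return False
        if isinstance(pv, dict):
            if not isinstance(event[key], dict) or not matches(pv, event[key]):
                return False
        elif not _match_value(pv, event[key]):
            return False
    return True

def sns_message(finding_event):
    """Message a Lambda target would publish to SNS (constructed, compact format)."""
    d = finding_event["detail"]
    return json.dumps({"account": finding_event["account"], "region": finding_event["region"],
                       "type": d["type"], "severity": d["severity"], "id": d["id"]})

# Constructed sample events, not real GuardDuty output.
SAMPLE_HIGH = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
               "account": "111122223333", "region": "us-east-1",
               "detail": {"id": "EXAMPLE-FINDING-ID", "type": "UnauthorizedAccess:EC2/TorClient",
                          "severity": 8.0}}
SAMPLE_LOW = {**SAMPLE_HIGH, "detail": {**SAMPLE_HIGH["detail"], "severity": 2.0}}
```

A finding that GuardDuty archives via a suppression rule never reaches EventBridge, so it would not even be presented to `matches`; the pattern only filters what is delivered.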
Memory table

One-line mapping

Need | Best service | Remember this
---- | ------------ | -------------
Threat detection | GuardDuty | Minimal setup, managed findings, multi-account capable
Central findings dashboard | Security Hub | ASFF aggregation, standards, posture view, Config dependency
Root-cause investigation | Detective | Correlates entities and activity over time
API audit trail | CloudTrail | Who did what, when, and from where
API anomaly detection | CloudTrail Insights | Unusual write management-event patterns
Immediate workflow trigger | EventBridge | Route findings and events to actions
Search logs in CloudWatch | Logs Insights | Ad hoc queries over existing log groups
Real-time log fan-out | Subscription Filter | Stream matching logs to Lambda, Kinesis, Firehose
Top talkers / ranked contributors | Contributor Insights | Top IPs, most frequent errors, heavy users
S3 sensitive data discovery | Macie | PII, credentials, and data classification
Workload vulnerabilities | Inspector | EC2, ECR, Lambda vulnerability scanning
Network traffic evidence | VPC Flow Logs | Ports, IPs, accept/reject actions
SQL on security logs in S3 | Athena | Best for serverless querying of stored logs
Quick scenarios

Practice yourself

Scenario 1: A company wants to detect unusual outbound traffic from EC2 instances across many AWS accounts and have a centralized security team review the findings.

Best answer set: GuardDuty for detection, Security Hub for central aggregation, and EventBridge for alerting or automation.

Scenario 2: The team wants to find the top source IPs creating the most rejected traffic in CloudWatch Logs.

Best answer: CloudWatch Contributor Insights.

Scenario 3: The team stores CloudTrail logs in S3 and wants SQL-based investigation.

Best answer: Athena.

Final shortcut

30-second mental model

GuardDuty detects.

Security Hub collects.

Detective investigates.

CloudTrail records.

EventBridge reacts.