Feature/Service | Amazon Detective | Amazon GuardDuty | Amazon Inspector | AWS Security Hub |
---|---|---|---|---|
Purpose | Security investigation and analysis tool | Threat detection and continuous security monitoring | Vulnerability scanning and assessment of EC2 instances and containers | Centralized security management and compliance monitoring |
Primary Function | Helps investigate and analyze security findings from multiple data sources | Detects malicious or unauthorized activity within AWS environments | Identifies security vulnerabilities and deviations from best practices | Aggregates, organizes, and visualizes security findings from multiple AWS services |
Integration | Integrates with GuardDuty, CloudTrail, VPC Flow Logs, and AWS Logs | Works with CloudTrail, VPC Flow Logs, and DNS logs | Works with EC2 instances, container services, and Lambda functions | Integrates with GuardDuty, Inspector, Detective, WAF, and other AWS security services |
Focus Area | Focuses on visualizing, exploring, and investigating potential security issues | Focuses on detecting anomalies and threats across AWS accounts, regions, and resources | Focuses on identifying vulnerabilities within EC2 instances and container environments | Centralized management of security alerts and compliance status across AWS services |
Data Sources | VPC Flow Logs, CloudTrail Logs, GuardDuty findings, and other AWS data sources | CloudTrail, VPC Flow Logs, DNS logs, and AWS security findings | Amazon EC2 metadata, system configurations, network configurations, and container images | Aggregates findings from GuardDuty, Inspector, WAF, Firewall Manager, and other AWS services |
Alerts & Findings | Provides detailed investigation workflows, including visualizations and context about findings | Provides security alerts and findings for potential threats like unauthorized access, data exfiltration, or compromised instances | Provides vulnerability findings, such as missing patches, misconfigurations, or CVEs | Consolidates and visualizes security findings from across AWS services |
Automation | No direct automated remediation (focuses on investigation) | Can trigger automatic responses through AWS Lambda (e.g., blocking suspicious IPs) | Can be automated through rules, scheduling scans, and integration with other services like AWS Systems Manager | Can automate response actions using AWS Lambda or partner solutions |
Coverage | Primarily focuses on analyzing and investigating existing security incidents | Continuous monitoring for unusual or suspicious activity within AWS environments | Continuous assessment of vulnerabilities in Amazon EC2 instances and containerized applications | Provides a centralized view and insights into security posture and compliance across AWS |
Compliance Use Case | Helps with forensic analysis and root-cause analysis of potential incidents | Helps to detect security threats early, improving overall security posture | Helps ensure EC2 instances and container environments adhere to best practices and are free from vulnerabilities | Tracks and aggregates compliance checks across AWS environments, including AWS CIS, PCI-DSS, HIPAA, etc. |
Real-time Monitoring | No real-time threat detection but provides in-depth analysis after an event | Provides real-time threat detection and alerting | Provides vulnerability scanning, not real-time threat detection | Offers real-time aggregation of findings from connected AWS services |
Pricing | Pay-as-you-go pricing based on data ingested for analysis | Pay-as-you-go pricing based on the number of AWS resources monitored | Pay-as-you-go pricing based on the number of EC2 instances and containers being scanned | Pay-as-you-go pricing based on the volume of security findings aggregated and processed |
Key Use Cases | Investigating security incidents or breaches; root cause analysis of suspicious activity | Detecting threats and anomalies (e.g., compromised IAM roles, unusual API calls); real-time threat monitoring | Identifying vulnerabilities in EC2 instances and containers; scanning for unpatched systems and configuration issues | Aggregating security findings from GuardDuty, Inspector, and other services; automating compliance checks and security responses |
Key Differences:
- Amazon Detective is primarily for investigation and analysis of security incidents after they occur, offering deep-dive visualizations.
- Amazon GuardDuty focuses on real-time threat detection and alerts you to potential security issues.
- Amazon Inspector specializes in vulnerability scanning for EC2 instances and containers, ensuring resources are secure.
- AWS Security Hub acts as a centralized platform to aggregate, organize, and manage findings from multiple security services like GuardDuty, Inspector, WAF, and Firewall Manager. It enables comprehensive security posture management and compliance monitoring across your AWS environment.
How They Work Together:
- Amazon GuardDuty detects security threats, which are then investigated in depth using Amazon Detective.
- Amazon Inspector identifies vulnerabilities in your EC2 instances so they can be fixed before they are exploited; an exploit that does occur may surface as a GuardDuty finding.
- AWS Security Hub serves as a single pane of glass that brings together findings from GuardDuty, Detective, Inspector, and other AWS services. It helps you manage security alerts and automate responses.
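Added example, not code from the original page or from AWS: a triage routine of the kind the Automation row and the "How They Work Together" list describe. It takes a Security Hub "Findings - Imported" EventBridge event, reads each finding in AWS Security Finding Format (the `ProductArn`, `Severity.Label`, `Workflow.Status`, `RecordState` and `Resources` fields are the real ASFF names), and decides per finding whether it becomes an incident to investigate in Detective (GuardDuty, HIGH or above), a patch ticket (Inspector, MEDIUM or above), or is only recorded. The sample event, account id, finding ids and resource ARNs are constructed; the routing labels (`open_incident`, `patch_ticket`, `record_only`) and the `lambda_handler` wiring are assumptions for this example, and the call that would hand the decision to a ticketing or notification system is left out.

```python
"""Route Security Hub findings from GuardDuty and Inspector to response paths.

Added example. ASFF field names are real; sample values are constructed and
the action labels are this example's own convention.
"""
from __future__ import annotations

from typing import Any

# ASFF severity labels, lowest to highest.
SEVERITY_ORDER = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def product_of(finding: dict[str, Any]) -> str:
    """Return the product name from an ASFF ProductArn.

    Product ARNs end in 'product/<vendor>/<product>', e.g.
    arn:aws:securityhub:us-east-1::product/aws/guardduty -> 'guardduty'.
    """
    tail = finding.get("ProductArn", "").rsplit("product/", 1)[-1]
    parts = tail.split("/")
    return parts[-1] if len(parts) >= 2 else "unknown"


def severity_at_least(finding: dict[str, Any], floor: str) -> bool:
    """True when Severity.Label is at or above `floor`.

    An unrecognised label is treated as HIGH so that malformed input is
    routed for a human look rather than silently dropped.
    """
    label = str(finding.get("Severity", {}).get("Label", "")).upper()
    if label not in SEVERITY_ORDER:
        label = "HIGH"
    return SEVERITY_ORDER.index(label) >= SEVERITY_ORDER.index(floor)


def route_finding(finding: dict[str, Any]) -> dict[str, Any] | None:
    """Decide what to do with one finding; None means nothing to do."""
    # Archived or already-handled findings must not reopen incidents.
    if finding.get("RecordState") == "ARCHIVED":
        return None
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return None

    product = product_of(finding)
    base = {
        "id": finding["Id"],
        "product": product,
        "account": finding["AwsAccountId"],
        "region": finding.get("Region"),
        # Resource ids are what an analyst pivots on in Detective.
        "resources": [r.get("Id") for r in finding.get("Resources", [])],
    }
    if product == "guardduty" and severity_at_least(finding, "HIGH"):
        return {**base, "action": "open_incident", "investigate_in_detective": True}
    if product == "inspector" and severity_at_least(finding, "MEDIUM"):
        return {**base, "action": "patch_ticket", "investigate_in_detective": False}
    return {**base, "action": "record_only", "investigate_in_detective": False}


def triage_event(event: dict[str, Any]) -> list[dict[str, Any]]:
    """Triage every finding carried by a Security Hub EventBridge event."""
    if event.get("source") != "aws.securityhub":
        raise ValueError("not a Security Hub event")
    decisions = []
    for finding in event.get("detail", {}).get("findings", []):
        decision = route_finding(finding)
        if decision is not None:
            decisions.append(decision)
    return decisions


def lambda_handler(event: dict[str, Any], context: Any) -> dict[str, Any]:
    """Lambda entry point (assumed name). Hand-off to a ticketing system is omitted."""
    decisions = triage_event(event)
    return {"routed": len(decisions), "decisions": decisions}


def _finding(fid: str, product: str, label: str, resource: str, **extra: Any) -> dict[str, Any]:
    """Build a constructed ASFF finding for the sample event."""
    f = {
        "SchemaVersion": "2018-10-08",
        "Id": fid,
        "ProductArn": f"arn:aws:securityhub:us-east-1::product/aws/{product}",
        "AwsAccountId": "111122223333",  # constructed
        "Region": "us-east-1",
        "Severity": {"Label": label},
        "Resources": [{"Type": "AwsEc2Instance", "Id": resource}],
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
    }
    f.update(extra)
    return f


# Constructed sample event in the shape EventBridge delivers for Security Hub.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {
        "findings": [
            _finding("gd-1", "guardduty", "HIGH", "arn:aws:ec2:us-east-1:111122223333:instance/i-0example1"),
            _finding("insp-1", "inspector", "MEDIUM", "arn:aws:ec2:us-east-1:111122223333:instance/i-0example2"),
            _finding("insp-2", "inspector", "LOW", "arn:aws:ec2:us-east-1:111122223333:instance/i-0example3"),
            _finding("gd-2", "guardduty", "CRITICAL", "arn:aws:ec2:us-east-1:111122223333:instance/i-0example4",
                     Workflow={"Status": "RESOLVED"}),
        ]
    },
}

if __name__ == "__main__":
    for d in triage_event(SAMPLE_EVENT):
        print(d["id"], d["product"], d["action"], d["resources"])
```

The decision record deliberately carries account, region and resource ids: those are the pivots an analyst needs when opening the GuardDuty finding in Detective, so the automation and the investigation step described above line up on the same identifiers.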