GuardDuty, Inspector & Security Hub
These services form the backbone of threat detection and security posture management in AWS.
When I first enabled them across the Lab, I ticked nearly every control and option available to see what they all did. That quickly became a lesson in cost awareness: the more you turn on, the more you pay.
The setup itself is straightforward:
- GuardDuty: handles threat detection using logs from CloudTrail, VPC Flow Logs, and DNS.
- Inspector: scans EC2 and container workloads for vulnerabilities and unintended network exposure.
- Security Hub: pulls it all together, aggregating findings across services and accounts into a unified view.
After some tuning by turning off what I didn’t need (at the moment), I landed on a cost-effective baseline. I revisit the configuration periodically to ensure it’s still aligned with what’s running in the Lab.
Tip: Start small, understand the findings, and expand once you're comfortable with what you see and why it matters.
Below are some features I have found interesting; I will keep adding to this list as I learn more about these services:
Ignore Lambda Tag
There are two tags that instruct Inspector to skip scanning a Lambda function, which can be very useful; the AWS documentation has the details. I have wondered if having a Lambda remove this tag from all Lambda functions at the start of the month and then add it back 24 hours later would be an interesting pattern, so we get monthly scans - maybe one for the near future.
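An added example of that monthly-scan-window idea, not code from this post or from AWS: a scheduled Lambda that, on an "open" event, strips the Inspector exclusion tags and leaves a marker, and on a "close" event 24 hours later restores exactly the tags it removed. It assumes the exclusion tags are InspectorExclusion=LambdaStandardScanning and InspectorCodeExclusion=LambdaCodeScanning (verify against the Inspector docs) and uses a hypothetical InspectorScanWindow marker tag so functions that were never excluded are left alone on close.

```python
from __future__ import annotations

# Assumption (verify against the Inspector docs): these tag key/value pairs tell
# Inspector to skip standard scanning and code scanning of a Lambda function.
EXCLUSION_TAGS = {
    "InspectorExclusion": "LambdaStandardScanning",
    "InspectorCodeExclusion": "LambdaCodeScanning",
}
# Hypothetical marker tag: records which exclusion tags were removed so the
# "close" run re-adds only those, and only on functions this tool touched.
MARKER_TAG = "InspectorScanWindow"

def plan_open(functions: dict[str, dict[str, str]]) -> dict[str, dict]:
    """Start of month: drop the exclusion tag(s) and leave a marker behind."""
    plan = {}
    for arn, tags in functions.items():
        keys = [k for k, v in EXCLUSION_TAGS.items() if tags.get(k) == v]
        if keys:  # functions without an exclusion tag are already scanned; skip them
            plan[arn] = {"untag": keys, "tag": {MARKER_TAG: ",".join(keys)}}
    return plan

def plan_close(functions: dict[str, dict[str, str]]) -> dict[str, dict]:
    """24 hours later: restore exactly the tags the marker says were removed."""
    plan = {}
    for arn, tags in functions.items():
        marker = tags.get(MARKER_TAG)
        if marker:
            restore = {k: EXCLUSION_TAGS[k] for k in marker.split(",") if k in EXCLUSION_TAGS}
            plan[arn] = {"untag": [MARKER_TAG], "tag": restore}
    return plan

def apply_plan(plan: dict[str, dict], client) -> int:
    """Apply a plan through a boto3 Lambda client; returns how many functions changed."""
    for arn, step in plan.items():
        if step["untag"]:
            client.untag_resource(Resource=arn, TagKeys=step["untag"])
        if step["tag"]:
            client.tag_resource(Resource=arn, Tags=step["tag"])
    return len(plan)

def handler(event, context):
    """Lambda entry point: schedule it with {"action": "open"} and, a day later, {"action": "close"}."""
    import boto3  # imported here so the planning functions above run without AWS access

    lam = boto3.client("lambda")
    functions = {}
    for page in lam.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            functions[fn["FunctionArn"]] = lam.list_tags(Resource=fn["FunctionArn"]).get("Tags", {})
    plan = plan_open(functions) if event.get("action") == "open" else plan_close(functions)
    return {"changed": apply_plan(plan, lam)}
```

The execution role needs lambda:ListFunctions, lambda:ListTags, lambda:TagResource and lambda:UntagResource; two EventBridge schedules (one per action) drive it.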