
GuardDuty vs Inspector vs Macie vs Security Hub

Compare Amazon GuardDuty, Amazon Inspector, Amazon Macie, and AWS Security Hub for threat detection, vulnerability scanning, sensitive data discovery, finding aggregation, and incident triage.

Foundation | 5 min read | Updated 2026-06-03 | Cloud, Certification, Security Operations
Tags: GuardDuty, Amazon Inspector, Amazon Macie, AWS Security Hub, Threat Detection, Vulnerability Management, Sensitive Data Discovery, Finding Aggregation

After this, you will understand

This comparison turns security service names into operational questions: is this a threat, a vulnerability, sensitive data, or aggregated security posture?

Plain version

GuardDuty detects suspicious activity, Inspector finds vulnerabilities and exposure, Macie discovers sensitive data in S3, and Security Hub aggregates and prioritizes findings.

Decision pressure

Learners mistakenly reach for GuardDuty for CVE scanning, Inspector for PII discovery, Macie for account compromise detection, or Security Hub as the original detector for every issue; each of those is the wrong service for that job.

Exam-ready model

Classify the security question first: behavior, software weakness, sensitive data, compliance posture, or centralized response.

Think before reading: Which service should you choose to find sensitive data in S3?

Amazon Macie, because it is designed for sensitive data discovery and reporting in S3 data estates.



Concepts Covered

  • Threat detection
  • Vulnerability management
  • Sensitive data discovery
  • Finding aggregation
  • Security posture
  • EventBridge routing
  • Organizations delegated administration
  • Exposure findings
  • Incident triage
  • SAA-C03 security service traps

1. Plain-English Mental Model

These four services answer four different security questions.

GuardDuty: Is something suspicious or malicious happening?
Inspector: Does this workload have vulnerabilities or unintended exposure?
Macie: Is sensitive data present or exposed in S3?
Security Hub: How do we aggregate, correlate, prioritize, and respond to findings?

The names sound similar because they all produce or handle findings. The exam distinction is what kind of finding and where it comes from.

2. Why This Service Exists

Cloud security has several different jobs.

One job is behavior detection. If credentials are used strangely, EC2 talks to suspicious domains, or S3 activity looks like exfiltration, the team needs threat detection. That is GuardDuty.

Another job is vulnerability management. If an EC2 instance has a vulnerable package, an ECR image contains a CVE, or a Lambda function has a vulnerable dependency, the team needs scanning and prioritization. That is Inspector.

Another job is data discovery. If S3 buckets contain PII, credentials, financial records, or sensitive data, the team needs classification. That is Macie.

Another job is security operations. Findings need to be centralized, correlated, deduplicated, prioritized, routed, and worked. That is Security Hub.

3. The Naive Approach And Where It Breaks

The naive approach is to pick one "security service" for every security problem.

That fails quickly:

  • GuardDuty does not replace vulnerability scanning.
  • Inspector does not discover PII in S3 objects.
  • Macie does not detect compromised credentials across account activity.
  • Security Hub does not eliminate the need for detectors.

Another mistake is assuming Security Hub only displays findings. Modern Security Hub also helps prioritize and correlate security signals, but it still relies on posture checks and integrated services for many signals.

The right approach is to name the signal first.

4. Core Primitives

GuardDuty monitors AWS data sources and logs. Foundational detection includes sources such as CloudTrail management events, VPC Flow Logs, and DNS logs, with additional protection plans for more resource-specific visibility.

Inspector discovers eligible workloads and scans EC2 instances, ECR container images, and Lambda functions for software vulnerabilities and unintended network exposure.

Macie analyzes S3 data estates for sensitive data and S3-related policy findings.

Security Hub ingests, normalizes, correlates, prioritizes, and routes security findings. It can receive findings from GuardDuty, Inspector, Macie, Security Hub CSPM, and partner products.

EventBridge can route findings from these services into response workflows.

5. Architecture Use Cases

Use GuardDuty for account compromise indicators, malicious IP communication, suspicious infrastructure activity, crypto-mining behavior, malware-related signals, and unusual API activity.

Use Inspector for CVE and vulnerability management across EC2, ECR, and Lambda, plus unintended network exposure findings where supported.

Use Macie for discovering sensitive data in S3, such as credentials, financial data, PII, PHI, or custom data identifiers.

Use Security Hub when the requirement is centralized security posture, correlated findings, standards checks, cross-account visibility, prioritization, or response integration.

In real organizations, use them together:

GuardDuty / Inspector / Macie -> Security Hub -> EventBridge -> ticket / workflow / SIEM

7. Security Model

All four services require careful account and Region strategy. Many security services are Regional. Enabling one Region is not the same as full coverage everywhere.

Use AWS Organizations and delegated administrator support where available so central security teams can manage services without working from the management account every day.

Use IAM to limit who can disable detectors, suppress findings, change standards, archive evidence, or alter integrations.

Do not treat findings as proof without investigation. A finding is a signal. The response should use CloudTrail, logs, resource state, ownership, and business context.

8. Reliability And Resilience

Security coverage should be part of the landing zone baseline. New accounts should not start life without detection.

Route important findings through reliable paths. For critical workflows, consider queues, retries, dead-letter queues, and tested incident tooling.

Use sample findings to test routing. A beautiful EventBridge rule that no one has tested is not a response workflow.

Avoid noisy alerting. Too much low-value noise makes responders miss high-value signals.

Centralize evidence. CloudTrail and log archive patterns help responders validate findings even if the workload account is compromised.

9. Performance And Scaling

These are managed services, but downstream processing can bottleneck.

If every Security Hub finding triggers Lambda enrichment, ticket creation, chat messages, and SIEM ingestion, high-volume findings can create operational backpressure.

Use severity, finding type, resource tags, and account context to route intelligently.
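The pipeline from section 5 (GuardDuty / Inspector / Macie -> Security Hub -> EventBridge -> workflow) and the routing rule above, as an added example that is not AWS or Security Hub code: a pure routing function over findings in the shape EventBridge delivers them from Security Hub (detail-type "Security Hub Findings - Imported", findings in ASFF). The account ids, owner tags, finding ids and destination names are constructed assumptions, and the archived finding shows the noise-control step.

```python
"""Triage routing for Security Hub findings delivered through EventBridge.
Added example, not AWS code. Field names follow the AWS Security Finding
Format (ASFF); the account ids, tags and finding ids below are constructed."""

# Constructed: accounts where high-severity threat findings page on-call.
PRODUCTION_ACCOUNTS = {"111111111111"}
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def route_finding(f: dict) -> dict:
    """Decide where one ASFF finding goes; pure function so it is easy to test with sample findings."""
    # Noise control: archived records and already-worked findings are dropped before any routing.
    if f.get("RecordState") != "ACTIVE" or f.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return {"destination": "drop", "owner": None}
    rank = SEVERITY_RANK.get(f.get("Severity", {}).get("Label", "INFORMATIONAL"), 0)
    product, account = f.get("ProductName", ""), f.get("AwsAccountId", "")
    # Ownership comes from resource tags (ASFF Resources[].Tags), not from the finding itself.
    owner = next((r["Tags"]["owner"] for r in f.get("Resources", []) if "owner" in r.get("Tags", {})), "unassigned")
    if product == "GuardDuty" and account in PRODUCTION_ACCOUNTS and rank >= 3:
        return {"destination": "pager", "owner": "security-oncall"}   # threat signal in production
    if product == "Inspector":
        return {"destination": "ticket" if rank >= 2 else "siem", "owner": owner}  # patch work for the owner
    if product == "Macie":
        return {"destination": "ticket", "owner": "data-protection"}   # sensitive data exposure
    return {"destination": "siem", "owner": owner}  # everything else is kept for correlation only

def route_event(event: dict) -> list:
    """Only act on the Security Hub import event; events from other sources are ignored."""
    if event.get("source") != "aws.securityhub" or event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    return [{"id": f["Id"], **route_finding(f)} for f in event["detail"]["findings"]]

# Constructed sample event in the shape EventBridge delivers from Security Hub.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "gd-1", "ProductName": "GuardDuty", "AwsAccountId": "111111111111", "RecordState": "ACTIVE",
         "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"}, "Resources": []},
        {"Id": "insp-1", "ProductName": "Inspector", "AwsAccountId": "222222222222", "RecordState": "ACTIVE",
         "Severity": {"Label": "MEDIUM"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2Instance", "Tags": {"owner": "payments-team"}}]},
        {"Id": "macie-1", "ProductName": "Macie", "AwsAccountId": "222222222222", "RecordState": "ACTIVE",
         "Severity": {"Label": "LOW"}, "Workflow": {"Status": "NEW"}, "Resources": []},
        {"Id": "gd-old", "ProductName": "GuardDuty", "AwsAccountId": "111111111111", "RecordState": "ARCHIVED",
         "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "RESOLVED"}, "Resources": []},
    ]},
}
```

Running route_event(SAMPLE_EVENT) is the "test routing with sample findings" step from section 8 done offline; the same function body can sit behind a Lambda handler that reads the EventBridge event.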

Macie discovery jobs and Inspector scans should be scoped with cost and signal quality in mind.

GuardDuty protection plans can add valuable coverage, but the team should understand which logs and resources are being monitored.

10. Cost Model

GuardDuty cost depends on analyzed data and enabled protection plans.

Inspector cost depends on covered resources and scanning activity.

Macie cost depends on S3 inventory and sensitive data discovery.

Security Hub cost depends on checks, findings, and enabled capabilities.

Cost traps come from enabling broad coverage with no routing, ownership, or tuning plan. That does not mean avoiding security services. It means turning findings into action and managing scope deliberately.

12. SAA-C03 Exam Signals

"Detect suspicious or malicious activity" points to GuardDuty.

"Detect compromised credentials" points to GuardDuty.

"Scan EC2, ECR, or Lambda for vulnerabilities" points to Inspector.

"Find sensitive data in S3" points to Macie.

"Aggregate findings across AWS security services" points to Security Hub.

"Route findings to response workflow" often points to EventBridge with the finding source.

"Centralize security posture across accounts" often points to Security Hub and Organizations.

13. Common Exam Traps

Do not use Inspector for PII discovery.

Do not use Macie for EC2 package vulnerability scanning.

Do not use GuardDuty as a compliance standards dashboard.

Do not assume Security Hub is always the original detector.

Do not forget Regions.

Do not confuse detection with prevention. Findings still need response.

Review Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Security Hub, and Centralized Security Findings And Incident Triage.
