Exam Context #
- Exam: AWS SAP-C02
- Scenario Category: Security & Compliance
- Decision Focus: Threat detection vs compliance monitoring vs security aggregation
The SAP-C02 exam tests your ability to design comprehensive security monitoring architectures that address both threat detection and compliance requirements. These scenarios require understanding the distinct purposes of each security service and how they integrate into a cohesive security posture.
| Exam Aspect | Details |
|---|---|
| Question Frequency | 12-15% of exam content |
| Primary Services | GuardDuty, Config, Security Hub, CloudTrail, Detective |
| Common Scenarios | Multi-account security, compliance automation, incident response |
| Key Integrations | EventBridge, SNS, Lambda, S3, Organizations |
| Compliance Frameworks | PCI-DSS, HIPAA, SOC 2, CIS Benchmarks |
Why SAP-C02 Tests Security Monitoring #
Enterprise security monitoring is non-negotiable for organizations operating in AWS. The exam tests this domain because architects must understand how different security services complement each other and when each is appropriate. Selecting the wrong service or misconfiguring security monitoring creates blind spots that attackers exploit.
| Security Challenge | Without Proper Monitoring | With Proper Monitoring |
|---|---|---|
| Compromised credentials | Undetected for months | Detected within minutes |
| Configuration drift | Compliance failures discovered in audits | Real-time compliance visibility |
| Cryptocurrency mining | Discovered via billing spike | Detected via anomaly detection |
| Data exfiltration | Discovered after breach disclosure | Detected via unusual API patterns |
| Privilege escalation | Undetected lateral movement | Detected via behavior analysis |
| Compliance violations | Manual audit findings | Automated continuous assessment |
Typical enterprise contexts in SAP questions include:
Multi-account security monitoring where organizations need centralized visibility across hundreds of AWS accounts. These scenarios test whether you understand delegated administrator patterns and cross-account finding aggregation.
Compliance automation where organizations must continuously demonstrate compliance with regulatory frameworks. These questions probe understanding of Config rules, conformance packs, and remediation automation.
Incident response preparation where organizations need to detect, investigate, and respond to security incidents. These scenarios test integration patterns between detection services and response automation.
Cost-effective security where organizations must balance security coverage with budget constraints. These questions test understanding of service pricing models and optimization strategies.
Core Security Service Concepts #
Amazon GuardDuty #
GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior:
| Data Source | What It Analyzes | Threat Types Detected |
|---|---|---|
| CloudTrail Events | API calls | Credential compromise, privilege escalation |
| VPC Flow Logs | Network traffic | Port scanning, data exfiltration, C2 communication |
| DNS Logs | DNS queries | Malware callbacks, cryptocurrency mining |
| S3 Data Events | S3 API calls | Unusual data access, bucket enumeration |
| EKS Audit Logs | Kubernetes API | Container threats, pod security issues |
| RDS Login Activity | Database logins | Anomalous database access |
| Lambda Network Activity | Function behavior | Compromised functions, unusual destinations |
| Runtime Monitoring | Process/file activity | Malware, cryptominers, container escapes |
Key GuardDuty characteristics:
- No agents required for most data sources (agentless)
- Automatic analysis—no rules to write for standard threats
- Regional service—must be enabled per region
- Findings include remediation recommendations
- Integrates with Organizations for multi-account deployment
AWS Config #
Config provides configuration recording and compliance assessment.
Key Config characteristics:
- Records configuration changes for supported resources
- Evaluates compliance continuously or on schedule
- Supports both AWS managed and custom rules
- Provides configuration timeline for forensics
- Regional service with cross-account aggregation capability
AWS Security Hub #
Security Hub aggregates security findings and provides security posture scoring:
| Feature | Purpose | Benefit |
|---|---|---|
| Finding Aggregation | Centralize findings from multiple services | Single pane of glass |
| Security Standards | Pre-built compliance checks | CIS, PCI-DSS, AWS Best Practices |
| Security Score | Quantified security posture | Executive reporting |
| Custom Actions | Trigger automated responses | Incident response automation |
| Cross-Region Aggregation | Consolidate findings across regions | Global visibility |
| Third-Party Integration | Import external security findings | Unified security view |
Key Security Hub characteristics:
- Normalizes findings to AWS Security Finding Format (ASFF)
- Provides automated security checks via security standards
- Enables cross-account and cross-region aggregation
- Supports custom insights for finding analysis
- Integrates with EventBridge for automated response
Service Comparison Matrix #
Understanding when to use each service is critical for SAP-C02:
| Requirement | GuardDuty | Config | Security Hub |
|---|---|---|---|
| Detect active threats | ✅ Primary purpose | ❌ Not designed for | ⚠️ Aggregates findings |
| Track configuration changes | ❌ Not designed for | ✅ Primary purpose | ❌ Not designed for |
| Compliance assessment | ❌ Not designed for | ✅ Primary purpose | ✅ Security standards |
| Aggregate findings | ❌ Single service | ❌ Single service | ✅ Primary purpose |
| Remediate issues | ❌ Detection only | ✅ Remediation actions | ⚠️ Custom actions |
| Security scoring | ❌ Not provided | ❌ Not provided | ✅ Primary purpose |
| Historical analysis | ⚠️ 90-day retention | ✅ Full history | ⚠️ 90-day retention |
| Custom detection rules | ⚠️ Suppression only | ✅ Custom rules | ⚠️ Custom insights |
Common SAP Exam Traps #
Confusing Detection with Compliance #
SAP scenarios may present requirements that sound similar but require different services:
| Scenario Description | Correct Service | Why Not the Other |
|---|---|---|
| “Detect unauthorized API calls” | GuardDuty | Config tracks configuration, not API behavior |
| “Ensure S3 buckets are encrypted” | Config | GuardDuty detects threats, not configuration |
| “Identify compromised credentials” | GuardDuty | Config cannot detect credential misuse |
| “Verify security groups comply with policy” | Config | GuardDuty doesn’t evaluate configurations |
| “Detect cryptocurrency mining” | GuardDuty | Config cannot detect runtime behavior |
| “Track configuration changes over time” | Config | GuardDuty doesn’t record configurations |
The trap is selecting GuardDuty for compliance scenarios or Config for threat detection scenarios. Read carefully to identify whether the requirement is about detecting malicious behavior or ensuring configuration compliance.
Assuming Security Hub Replaces Other Services #
Security Hub aggregates findings but does not replace the services that generate them:
| Misconception | Reality |
|---|---|
| “Security Hub detects threats” | Security Hub aggregates GuardDuty findings; GuardDuty detects threats |
| “Security Hub replaces Config” | Security Hub runs security standards; Config provides compliance rules |
| “Enable Security Hub for complete security” | Security Hub requires other services to generate findings |
| “Security Hub provides all compliance checks” | Security Hub standards are security-focused; Config provides broader compliance |
The trap is selecting Security Hub alone when the scenario requires threat detection or compliance monitoring. Security Hub is an aggregation and scoring layer, not a replacement for detection services.
Overlooking Regional Deployment Requirements #
Most security services are regional and require explicit multi-region configuration:
| Service | Regional Behavior | Multi-Region Strategy |
|---|---|---|
| GuardDuty | Per-region enablement | Enable in all active regions |
| Config | Per-region recorder | Aggregator for cross-region view |
| Security Hub | Per-region findings | Cross-region aggregation to single region |
| CloudTrail | Per-region or organization trail | Organization trail for all regions |
| Detective | Per-region graphs | Enable in regions with GuardDuty |
The trap is assuming that enabling a security service in one region provides global coverage. SAP scenarios often include requirements for “all regions” or “global visibility” that require explicit multi-region deployment strategies.
Misunderstanding Finding Retention #
Security services have different retention periods that affect investigation capabilities:
| Service | Default Retention | Extended Retention | Archive Strategy |
|---|---|---|---|
| GuardDuty | 90 days | Not available | Export to S3 via EventBridge |
| Security Hub | 90 days | Not available | Export to S3 via EventBridge |
| Config | Unlimited (in S3) | N/A - already unlimited | S3 lifecycle policies |
| CloudTrail | 90 days (Event History) | Unlimited (S3 trail) | S3 + Glacier lifecycle |
| Detective | 12 months | Not available | N/A |
The trap is assuming findings are retained indefinitely or that investigation is possible beyond retention periods without explicit archival strategies.
Confusing Config Rules with Config Recording #
Config has two distinct functions that serve different purposes:
| Function | Purpose | Requirement |
|---|---|---|
| Configuration Recording | Track resource configurations | Required for compliance evaluation |
| Config Rules | Evaluate compliance | Requires recording to be enabled |
| Conformance Packs | Bundled rule sets | Requires recording and rules |
| Remediation | Fix non-compliant resources | Requires rules to identify issues |
The trap is assuming Config rules work without enabling the configuration recorder, or confusing configuration recording (tracking changes) with compliance evaluation (checking against rules).
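As an added example (not code from this article), a custom Config rule Lambda that evaluates a bucket's default encryption from the configuration item and reports the verdict with PutEvaluations; it only does anything when the recorder delivers a configuration item, which is exactly the dependency the table above describes. The supplementaryConfiguration layout, the RequireKms parameter name and the sample event are assumptions.

```python
import json

# Added example, not the article's code. Assumes a change-triggered custom Config rule
# for AWS::S3::Bucket whose encryption appears under supplementaryConfiguration (as the
# managed s3-bucket-server-side-encryption-enabled rule reads it); RequireKms is assumed.

def evaluate_bucket(item, require_kms=False):
    """Return (ComplianceType, annotation) for one S3 bucket configuration item."""
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Bucket was deleted"
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets"
    supp = item.get("supplementaryConfiguration") or {}
    sse = supp.get("ServerSideEncryptionConfiguration") or {}
    algos = [r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
             for r in sse.get("rules", [])]
    algos = [a for a in algos if a]
    if not algos:
        return "NON_COMPLIANT", "No default encryption configured"
    if require_kms and "aws:kms" not in algos:
        return "NON_COMPLIANT", f"Default encryption is {algos[0]}; aws:kms required"
    return "COMPLIANT", "Default encryption: " + ", ".join(algos)

def build_evaluation(event):
    """Turn one rule invocation into a put_evaluations entry (pure, so testable offline)."""
    invoking = json.loads(event["invokingEvent"])
    if "configurationItem" not in invoking:  # periodic trigger carries no item
        return None
    params = json.loads(event.get("ruleParameters") or "{}")
    require_kms = str(params.get("RequireKms", "false")).lower() == "true"
    item = invoking["configurationItem"]
    compliance, note = evaluate_bucket(item, require_kms)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report the verdict back to Config."""
    import boto3  # imported here so the pure functions above run without boto3
    evaluation = build_evaluation(event)
    if evaluation is not None:
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event: a bucket with SSE-S3 only, evaluated with RequireKms=true.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
            "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00Z",
            "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": {"rules": [
                {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}}}}),
    "ruleParameters": json.dumps({"RequireKms": "true"}),
    "resultToken": "constructed-token",
}
```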
Decision Framework (Architect View) #
Selecting Security Monitoring Services #
The primary decision framework for security monitoring:
| Requirement | Primary Service | Supporting Services |
|---|---|---|
| Threat detection | GuardDuty | Security Hub, Detective |
| Compliance monitoring | Config | Security Hub, Audit Manager |
| Security posture scoring | Security Hub | GuardDuty, Config, Inspector |
| Incident investigation | Detective | CloudTrail, GuardDuty |
| Vulnerability management | Inspector | Security Hub, Systems Manager |
| Data security | Macie | Security Hub, GuardDuty |
| Audit evidence | Audit Manager | Config, CloudTrail |
Multi-Account Security Architecture #
For organizations using AWS Organizations, security services support delegated administration:
| Service | Delegated Admin Support | Organization Integration |
|---|---|---|
| GuardDuty | Yes | Auto-enable for new accounts |
| Config | Yes (Aggregator) | Organization conformance packs |
| Security Hub | Yes | Auto-enable for new accounts |
| CloudTrail | Yes (Organization trail) | Single trail for all accounts |
| Detective | Yes | Behavior graphs across accounts |
| Macie | Yes | Auto-enable for new accounts |
| Inspector | Yes | Auto-enable for new accounts |
Compliance Framework Mapping #
Different compliance frameworks require different service combinations:
| Framework | Primary Services | Key Requirements |
|---|---|---|
| PCI-DSS | Config, Security Hub, GuardDuty | Continuous compliance, threat detection |
| HIPAA | Config, Macie, CloudTrail | Data protection, audit trails |
| SOC 2 | Config, Audit Manager, CloudTrail | Evidence collection, change tracking |
| CIS Benchmarks | Security Hub, Config | Configuration standards |
| NIST 800-53 | All services | Comprehensive security controls |
| GDPR | Macie, Config, CloudTrail | Data discovery, access logging |
Integration Patterns #
Automated Remediation Architecture #
Security findings should trigger automated remediation where appropriate:
| Finding Type | Remediation Approach | Automation Method |
|---|---|---|
| Non-compliant Config | Auto-remediation | SSM Automation document |
| GuardDuty high severity | Isolate resource | Lambda + Step Functions |
| Security Hub critical | Alert + ticket | EventBridge + SNS + ServiceNow |
| Public S3 bucket | Block public access | Config remediation action |
| Unused IAM credentials | Disable credentials | Lambda function |
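An added example (not the article's code) for the GuardDuty high severity row above: the EventBridge pattern that selects only high and critical findings, and a Lambda that isolates EC2 instances by swapping in a quarantine security group while routing every other resource type to a human. The quarantine group, the QUARANTINE_SG_ID variable and the sample finding are assumptions.

```python
import os

# Added example, not the article's code. Assumes an EventBridge rule forwards GuardDuty
# findings to this Lambda and that a quarantine security group with no rules already
# exists; its id comes from the assumed environment variable QUARANTINE_SG_ID.
# Event pattern for that rule: only high (7.0-8.9) and critical (9.0+) findings.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

def triage(finding, threshold=7.0):
    """Decide 'isolate', 'alert' or 'ignore' for one finding (the event's 'detail')."""
    # Only EC2 instances get automatic isolation; IAM users, S3 buckets and other
    # resources have no safe generic isolation step, so they are alerted on instead.
    severity = float(finding.get("severity", 0))
    resource = finding.get("resource", {})
    decision = {"action": "alert", "type": finding.get("type"),
                "severity": severity, "instance_id": None}
    if severity < threshold:
        decision["action"] = "ignore"
    elif resource.get("resourceType") == "Instance":
        decision["action"] = "isolate"
        decision["instance_id"] = resource["instanceDetails"]["instanceId"]
    return decision

def isolate_instance(ec2, instance_id, quarantine_sg):
    """Replace the instance's security groups with the quarantine group; idempotent."""
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    groups = desc["Reservations"][0]["Instances"][0]["SecurityGroups"]
    if [g["GroupId"] for g in groups] == [quarantine_sg]:
        return False  # already isolated; repeated findings must not churn the instance
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return True

def lambda_handler(event, context, ec2=None):
    """Entry point; the EC2 client is injectable so the logic runs offline in tests."""
    decision = triage(event["detail"])
    if decision["action"] == "isolate":
        if ec2 is None:
            import boto3
            ec2 = boto3.client("ec2")
        decision["isolated"] = isolate_instance(
            ec2, decision["instance_id"], os.environ["QUARANTINE_SG_ID"])
    return decision

class FakeEc2:
    """Constructed stand-in for boto3's EC2 client: one instance, one security group."""
    def __init__(self, group_id):
        self.groups = [group_id]
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0],
                "SecurityGroups": [{"GroupId": g} for g in self.groups]}]}]}
    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups = list(Groups)

# Constructed sample event: high-severity cryptomining finding on an EC2 instance.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8, "resource": {
        "resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
```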
Security Data Lake Architecture #
For long-term security analytics, organizations build security data lakes:
| Data Source | Export Method | Storage Format | Query Tool |
|---|---|---|---|
| GuardDuty findings | EventBridge → Firehose | Parquet | Athena |
| Security Hub findings | EventBridge → Firehose | Parquet | Athena |
| CloudTrail logs | Direct to S3 | JSON/Parquet | Athena |
| Config snapshots | Direct to S3 | JSON | Athena |
| VPC Flow Logs | Direct to S3 | Parquet | Athena |
| WAF logs | Direct to S3 | JSON | Athena |
SIEM Integration Pattern #
Many organizations integrate AWS security services with existing SIEM solutions:
| SIEM Platform | Integration Method | Data Sources |
|---|---|---|
| Splunk | Splunk Add-on for AWS | CloudTrail, GuardDuty, Security Hub |
| Datadog | Native AWS integration | All security services |
| Sumo Logic | AWS integrations | CloudTrail, GuardDuty, VPC Flow Logs |
| Elastic SIEM | Filebeat + S3 | All S3-exported logs |
| Microsoft Sentinel | AWS connector | CloudTrail, GuardDuty |
| IBM QRadar | AWS DSM | CloudTrail, GuardDuty |
Advanced Patterns #
GuardDuty Protection Plans #
GuardDuty offers multiple protection plans for different workload types:
| Protection Plan | Coverage | Additional Cost | Use Case |
|---|---|---|---|
| Foundational | CloudTrail, VPC Flow, DNS | Base pricing | All accounts |
| S3 Protection | S3 data events | Per GB analyzed | Data-sensitive workloads |
| EKS Protection | EKS audit logs | Per million events | Kubernetes workloads |
| RDS Protection | RDS login activity | Per million events | Database workloads |
| Lambda Protection | Lambda network activity | Per GB analyzed | Serverless workloads |
| Runtime Monitoring | EC2/ECS/EKS runtime | Per vCPU hour | Deep threat detection |
| Malware Protection | EBS volume scanning | Per GB scanned | Malware detection |
Config Aggregator Patterns #
For enterprise-scale compliance visibility, Config aggregators consolidate data:
| Aggregator Type | Scope | Use Case |
|---|---|---|
| Organization aggregator | All accounts in organization | Enterprise compliance dashboard |
| Account aggregator | Specific accounts | Business unit compliance |
| Region aggregator | Multiple regions, single account | Global resource compliance |
Security Hub Custom Actions #
Custom actions enable integration with external systems and workflows:
| Custom Action Use Case | Target | Implementation |
|---|---|---|
| Create JIRA ticket | JIRA | EventBridge → Lambda → JIRA API |
| Isolate EC2 instance | EC2 | EventBridge → Lambda → EC2 API |
| Block IP in WAF | WAF | EventBridge → Lambda → WAF API |
| Send to Slack | Slack | EventBridge → Lambda → Slack webhook |
| Trigger runbook | Systems Manager | EventBridge → SSM Automation |
| Enrich finding | Security Hub | EventBridge → Lambda → BatchUpdateFindings |
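An added example (not from the article) for the Enrich finding row: a Lambda that handles the custom-action event and calls BatchUpdateFindings to tag each selected finding with an owning team and move its workflow to NOTIFIED, respecting the 100-identifier limit per call. The custom action name EnrichWithOwner, the account-to-team map and the sample findings are assumptions.

```python
# Added example, not the article's code. Assumes a Security Hub custom action (assumed
# name "EnrichWithOwner") is routed by EventBridge to this Lambda, and an account-to-team
# map is available; the map below is constructed with placeholder account ids.
ACCOUNT_OWNERS = {"111111111111": "platform-team", "222222222222": "payments-team"}
MAX_BATCH = 100  # BatchUpdateFindings accepts at most 100 finding identifiers per call

def build_updates(findings, owners=ACCOUNT_OWNERS, updated_by="enrich-lambda"):
    """Group findings by owning team and build one BatchUpdateFindings request per group.

    Returns keyword-argument dicts with at most MAX_BATCH identifiers each, ready for
    securityhub.batch_update_findings(**kwargs); pure, so it is testable offline.
    """
    by_team = {}
    for f in findings:
        team = owners.get(f.get("AwsAccountId"), "unassigned")
        by_team.setdefault(team, []).append({"Id": f["Id"], "ProductArn": f["ProductArn"]})
    requests = []
    for team, ids in by_team.items():
        for i in range(0, len(ids), MAX_BATCH):
            requests.append({
                "FindingIdentifiers": ids[i:i + MAX_BATCH],
                "UserDefinedFields": {"owner": team},
                "Note": {"Text": f"Routed to {team} by custom action", "UpdatedBy": updated_by},
                "Workflow": {"Status": "NOTIFIED"},
            })
    return requests

def lambda_handler(event, context, securityhub=None):
    """Entry point for the custom-action event; the client is injectable for offline tests."""
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        return {"updated": 0, "requests": 0}
    requests = build_updates(event["detail"]["findings"])
    if securityhub is None:
        import boto3
        securityhub = boto3.client("securityhub")
    updated = 0
    for kwargs in requests:
        resp = securityhub.batch_update_findings(**kwargs)
        updated += len(resp.get("ProcessedFindings", []))
    return {"updated": updated, "requests": len(requests)}

# Constructed sample: two findings selected in the console, from two accounts.
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Custom Action", "detail": {
    "actionName": "EnrichWithOwner", "findings": [
        {"Id": "finding-1", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
         "AwsAccountId": "111111111111", "Severity": {"Label": "HIGH"}},
        {"Id": "finding-2", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
         "AwsAccountId": "333333333333", "Severity": {"Label": "MEDIUM"}}]}}
```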
Detective Investigation Workflow #
Amazon Detective provides investigation capabilities for GuardDuty findings:
| Investigation Capability | Data Source | Analysis Type |
|---|---|---|
| Entity behavior | CloudTrail, VPC Flow Logs | Timeline analysis |
| Resource relationships | AWS resource data | Graph visualization |
| Geolocation analysis | IP address data | Location mapping |
| API call patterns | CloudTrail | Anomaly detection |
| Network traffic patterns | VPC Flow Logs | Communication analysis |
Real-World Mapping #
In enterprise environments, security monitoring architecture reflects organizational maturity:
| Maturity Level | Typical Architecture | Key Characteristics |
|---|---|---|
| Basic | GuardDuty + CloudTrail | Threat detection, audit logging |
| Intermediate | + Config + Security Hub | Compliance monitoring, aggregation |
| Advanced | + Detective + Macie + Inspector | Investigation, data security, vulnerabilities |
| Enterprise | + SIEM + Security Data Lake | Correlation, long-term analytics |
Cost Optimization Strategies #
Security monitoring costs can be significant at scale:
| Service | Cost Driver | Optimization Strategy |
|---|---|---|
| GuardDuty | Data volume analyzed | Disable unused protection plans |
| Config | Rules evaluated, resources recorded | Limit to required resource types |
| Security Hub | Findings ingested | Archive old findings, tune rules |
| CloudTrail | Data events, insights | Selective data event logging |
| Detective | Data ingested | Enable only where needed |
| Macie | Data scanned | Targeted bucket selection |
SAP-C02 Takeaway Rules #
IF the scenario requires detecting active threats like credential compromise or cryptocurrency mining, THEN GuardDuty is the appropriate service—it analyzes behavior patterns to identify malicious activity.
IF the scenario requires ensuring resources comply with configuration policies, THEN AWS Config is the appropriate service—it evaluates configurations against rules.
IF the scenario requires centralizing security findings from multiple services, THEN Security Hub is the appropriate service—it aggregates and normalizes findings.
IF the scenario requires investigating the root cause of a security incident, THEN Amazon Detective is the appropriate service—it provides entity behavior analysis and relationship graphs.
IF the scenario mentions multi-account security monitoring, THEN use delegated administrator patterns—designate a security account to manage security services across the organization.
IF the scenario requires compliance with specific frameworks like PCI-DSS or CIS, THEN Security Hub security standards provide automated compliance checks—but Config rules may be needed for additional requirements.
IF the scenario requires long-term retention of security findings beyond 90 days, THEN export findings to S3 via EventBridge—native retention is limited.
IF the scenario requires automated remediation of security issues, THEN Config remediation actions or EventBridge-triggered Lambda functions provide automation capabilities.
IF the scenario mentions global or multi-region security visibility, THEN enable services in all regions and configure cross-region aggregation—most security services are regional.
IF the scenario requires tracking configuration changes over time for forensics, THEN AWS Config provides configuration timeline—GuardDuty does not record configurations.
Summary #
Security monitoring in AWS requires understanding the distinct purposes of each service and how they work together. GuardDuty detects threats through behavior analysis, Config ensures compliance through configuration evaluation, and Security Hub aggregates findings for centralized visibility. SAP-C02 tests your ability to select the right service for each requirement and design comprehensive security architectures that address both threat detection and compliance monitoring.
The key to success is recognizing that these services complement rather than replace each other. A well-architected security monitoring solution typically includes:
- GuardDuty for continuous threat detection
- AWS Config for compliance monitoring and configuration tracking
- Security Hub for finding aggregation and security scoring
- CloudTrail for audit logging and forensics
- Detective for incident investigation when needed
Understanding these relationships and the specific capabilities of each service will enable you to quickly identify correct answers in security monitoring scenarios on the SAP-C02 exam.