Advanced Security Services and Threat Detection
Explore how to design advanced threat detection architectures on AWS using Amazon Macie, Inspector, Detective, and CloudHSM. Understand their distinct roles in sensitive data discovery, vulnerability assessment, forensic investigations, and cryptographic control. Learn to integrate these services through Security Hub and EventBridge for centralized, automated security operations across multi-account environments.
Enterprise workloads distributed across dozens of AWS accounts generate security signals from multiple surfaces simultaneously: S3 buckets accumulating sensitive data, EC2 instances drifting from patch baselines, and user-activity patterns that reveal malicious intent only when correlated over time. Preventive controls such as IAM policies, security groups, and SCPs establish boundaries, but they cannot tell you what sensitive data already exists in your environment, which instances have unpatched CVEs, or how an attacker pivoted between resources after an initial compromise. Addressing these gaps requires a layered detection architecture built from purpose-specific services, each operating in a distinct security domain while feeding normalized findings into a centralized aggregation plane.
This lesson examines how Amazon Macie, Amazon Inspector, Amazon Detective, and AWS CloudHSM fulfill complementary roles and how they integrate through AWS Organizations delegated administration, Security Hub, and EventBridge-driven automation to form a cohesive threat detection and response strategy aligned with SAP-C02 architectural expectations.
The following diagram illustrates how these services operate within a multi-account Organizations structure, with findings flowing to a centralized security account.
Sensitive data discovery with Amazon Macie
Amazon Macie uses machine learning classifiers and pattern-matching rules to scan Amazon S3 objects and identify sensitive data, including personally identifiable information (PII), financial records, API credentials, and custom data identifiers defined by the organization. Macie operates at the bucket level, running scheduled or one-time classification jobs that sample or fully scan objects across selected accounts. When enabled through a delegated administrator, Macie can inventory every S3 bucket across an entire organization, providing a centralized view of where sensitive data resides.
Macie does not enforce access controls or encryption. It is purely a detective control that answers the question, “What sensitive data do we have, and where is it?” Architects must pair Macie findings with preventive mechanisms such as S3 bucket policies, KMS encryption, and S3 Block Public Access settings. Macie findings flow into Security Hub, where EventBridge rules can trigger automated responses, such as invoking a Lambda function that ...
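An added example, not from this lesson, of the Security Hub to EventBridge to Lambda path described above: a handler that reads the "Security Hub Findings - Imported" event, keeps only Macie findings that name an S3 bucket, and applies S3 Block Public Access to buckets whose worst finding meets a severity threshold. The rule pattern, the severity threshold, and the bucket names are assumptions; the enforcement call is injected so the decision logic runs offline.

```python
# Assumed EventBridge rule pattern (illustrative): only Macie-produced Security Hub
# findings reach this function; the handler re-checks ProductName defensively anyway.
EVENT_PATTERN = {"source": ["aws.securityhub"], "detail-type": ["Security Hub Findings - Imported"],
                 "detail": {"findings": {"ProductName": ["Macie"]}}}
SEVERITY_RANK = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
S3_ARN = "arn:aws:s3:::"

def macie_bucket_findings(event):
    """Yield (bucket, severity label) for each Macie finding that names an S3 bucket."""
    for f in event.get("detail", {}).get("findings", []):
        if f.get("ProductName") != "Macie":
            continue  # ignore findings from other Security Hub producers
        sev = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        for res in f.get("Resources", []):
            if res.get("Type") == "AwsS3Bucket" and res.get("Id", "").startswith(S3_ARN):
                yield res["Id"][len(S3_ARN):], sev

def plan_remediation(event, threshold="HIGH"):
    """One decision per bucket; the highest severity seen for that bucket decides it."""
    worst = {}
    for bucket, sev in macie_bucket_findings(event):
        if SEVERITY_RANK.index(sev) > SEVERITY_RANK.index(worst.get(bucket, "INFORMATIONAL")):
            worst[bucket] = sev
    cutoff = SEVERITY_RANK.index(threshold)  # assumed threshold: HIGH and above get blocked
    return {b: "block_public_access" if SEVERITY_RANK.index(s) >= cutoff else "notify"
            for b, s in worst.items()}

def lambda_handler(event, context=None, s3=None):
    """EventBridge entry point; enforces the plan via an injected S3 client (boto3 by default)."""
    if s3 is None:
        import boto3  # lazy import so the decision logic above runs without the SDK
        s3 = boto3.client("s3")
    plan, blocked = plan_remediation(event), []
    for bucket, action in plan.items():
        if action == "block_public_access":
            s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
            blocked.append(bucket)
    return {"plan": plan, "blocked": blocked}

# Constructed sample event (fake bucket names) in the shape Security Hub emits.
def _finding(product, label, rtype, rid):
    return {"ProductName": product, "Severity": {"Label": label}, "Resources": [{"Type": rtype, "Id": rid}]}
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Imported", "detail": {"findings": [
    _finding("Macie", "HIGH", "AwsS3Bucket", "arn:aws:s3:::example-data-lake"),
    _finding("Macie", "LOW", "AwsS3Bucket", "arn:aws:s3:::example-data-lake"),
    _finding("Macie", "MEDIUM", "AwsS3Bucket", "arn:aws:s3:::example-logs"),
    _finding("GuardDuty", "CRITICAL", "AwsEc2Instance", "i-0123456789abcdef0")]}}
```

Because the "notify" branch is left to whatever alerting the account already uses, the same handler can be wired to a second EventBridge target for the lower-severity path without changing the decision logic.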