Security Monitoring and Detection

Explore how to design an enterprise-wide AWS security monitoring architecture that centralizes audit logs, enables real-time threat detection using GuardDuty, and aggregates findings with Security Hub. Understand cross-account automation with EventBridge and Lambda to streamline incident response across multi-account environments.

Enterprise AWS environments spanning dozens of accounts and multiple Regions generate an enormous volume of security-relevant data, from API calls and network flows to configuration changes and authentication events. Without a deliberate centralization strategy, security teams face fragmented visibility, inconsistent detection coverage, and slow incident response. The SAP-C02 exam tests your ability to design organization-wide security monitoring architectures that balance durable log retention, real-time threat detection, and unified findings aggregation while minimizing operational overhead. This lesson walks through the architectural components, data flows, and trade-offs that define the AWS-preferred pattern for centralized security monitoring at scale.

Centralized security monitoring architecture

Fragmented, per-account monitoring is the primary antipattern the exam targets. When each account maintains its own CloudTrail trail, its own GuardDuty configuration, and its own alerting pipeline, the security team must context-switch across dozens of consoles, reconcile inconsistent retention policies, and maintain bespoke IAM trust relationships. This approach collapses under the weight of a growing organization.

The AWS-preferred architecture relies on several foundational components working in concert:

  • AWS Organizations provides the governance backbone, enabling organization-wide service enablement and delegated administration, a pattern where a designated member account (not the management account) assumes administrative control of a security service across all organization members, reducing blast radius while centralizing operations.

  • A dedicated Log Archive account receives all CloudTrail logs in a centralized S3 bucket, serving as the durable, immutable audit record queried by Amazon Athena.

  • A dedicated Security account hosts the GuardDuty delegated administrator and the Security Hub aggregator, providing the operational console for threat detection and findings triage.

  • Member accounts (production, development, staging) generate security telemetry but do not independently manage detection or alerting infrastructure.

A critical architectural distinction separates where data is centralized from where detection runs. CloudTrail logs flow to a centralized S3 bucket for long-term retention and forensic analysis. GuardDuty, however, runs detection locally in each account and Region, then aggregates findings to the Security account. This avoids the cost and latency of shipping raw data centrally for detection while still providing a unified findings view. Security Hub then normalizes and consolidates findings from GuardDuty, Inspector, Macie, and Config into a single operational dashboard.
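The following is an added example, not code from this lesson or from AWS: a Lambda-style handler in the Security account that triages a GuardDuty finding arriving via EventBridge. With delegated administration, the event's top-level `account` is the Security (admin) account, while the member account and Region where the detector actually ran are in `detail.accountId` and `detail.region`; the account IDs, finding ID, routing table and handler name are assumptions.

```python
# GuardDuty's documented severity bands (numeric score -> label).
SEVERITY_BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW")]

# Hypothetical routing policy for the Security account's responder Lambda.
ROUTING = {"CRITICAL": "page-oncall", "HIGH": "page-oncall",
           "MEDIUM": "open-ticket", "LOW": "log-only"}


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity score to its label."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "INFORMATIONAL"


def triage(event: dict) -> dict:
    """Decide where a finding goes and which member account owns it.

    Detection ran locally in the member account/Region; only the finding was
    forwarded to the Security account, so a responder must look at
    detail.accountId (not the event's own account field) to know where to act.
    """
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    label = severity_label(float(d["severity"]))
    return {
        "finding_id": d["id"],
        "finding_type": d["type"],
        "member_account": d["accountId"],  # where the affected resource lives
        "member_region": d["region"],      # where the detector produced it
        "received_in": event["account"],   # Security (delegated admin) account
        "severity": label,
        "action": ROUTING.get(label, "log-only"),
    }


# Constructed sample: a member-account finding surfaced in the Security account.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "111111111111", "region": "us-east-1",
    "detail": {"schemaVersion": "2.0", "accountId": "222222222222",
               "region": "eu-west-1", "id": "example-finding-id",
               "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
               "severity": 7.5},
}


def lambda_handler(event, context=None):
    """Assumed Lambda entry point; returns the triage decision for the event."""
    return triage(event)
```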

Note: The SAP-C02 exam consistently favors Organizations-based delegated administration over manual IAM trust chains. If an answer option involves custom cross-account roles for security service management, it is almost certainly a distractor.
...