AWS Security Identification and Monitoring

This curriculum provides a structured overview of the services and practices used to identify, monitor, and remediate security issues within the AWS Cloud environment. It focuses heavily on AWS Trusted Advisor as a central pillar, while also covering proactive threat detection and vulnerability management.

## Prerequisites

Before engaging with this curriculum, students should possess the following foundational knowledge:

AWS Cloud Fundamentals: Understanding of the shared responsibility model.
IAM Basics: Knowledge of users, groups, and the importance of the Root User.
AWS Management Console: Familiarity with navigating the AWS web interface.
Basic Support Plans: Awareness that service availability (especially for Trusted Advisor) varies by support tier (Basic, Developer, Business, Enterprise).

## Module Breakdown

Module	Topic	Difficulty	Key Service focus
1	The Best Practice Advisor	Beginner	AWS Trusted Advisor
2	Automated Vulnerability Scanning	Intermediate	Amazon Inspector
3	Continuous Threat Detection	Intermediate	Amazon GuardDuty
4	Security Aggregation & Compliance	Advanced	AWS Security Hub & Audit Manager
5	Post-Incident Investigation	Advanced	Amazon Detective

Loading Diagram...

## Learning Objectives per Module

Module 1: AWS Trusted Advisor

Identify the five categories of Trusted Advisor checks (Cost, Performance, Security, Fault Tolerance, Service Limits).
Interpret status icons (Green, Orange, Red) to prioritize security remediation.
Understand the limitations of the Free Tier regarding security checks.

Module 2: Proactive Vulnerability Management

Describe how Amazon Inspector automates security assessments for EC2 instances and container images.
Differentiate between network reachability and software vulnerability scans.

Module 3: Intelligent Threat Detection

Explain the role of Amazon GuardDuty in monitoring CloudTrail, VPC Flow Logs, and DNS logs.
Recognize how machine learning identifies anomalies like unauthorized access or compromised instances.

Module 4: The Security Dashboard

Define AWS Security Hub as a central point for aggregating findings from Inspector, GuardDuty, and Macie.

## Success Metrics

To demonstrate mastery of this curriculum, the learner must be able to:

Categorize Findings: Correctly assign a security issue (e.g., an open S3 bucket) to the correct service (Trusted Advisor).
Differentiate Tools: Explain the difference between Detective (investigation) and GuardDuty (detection).
Support Tier Impact: Identify which security checks require a Business or Enterprise support plan.
Remediation Mapping: Suggest the correct tool for a specific business need (e.g., "We need to automate compliance evidence collection" → AWS Audit Manager).

## Real-World Application

[!IMPORTANT] Security tools are "advisors," not absolute blockers. A "Red" alert for a public S3 bucket is critical for private data but expected for a static website.

Enterprise Compliance: Using AWS Audit Manager to prepare for SOC2 or HIPAA audits by automatically collecting evidence from AWS resource configurations.
Incident Response: When a suspicious login is detected by GuardDuty, security analysts use Amazon Detective to visualize the API calls and identify the root cause.
Cost & Security Synergy: Using Trusted Advisor to shut down idle resources (saving money) while simultaneously ensuring all active resources have MFA enabled (securing the account).

## Examples Section

Security Check Scenarios

Service	Real-World Scenario	Example Finding
Trusted Advisor	Checking account-level best practices.	"MFA is not enabled on the Root Account."
Amazon Inspector	Scanning an EC2 instance for software flaws.	"CVE-2023-XXXX found in installed OpenSSL package."
Amazon GuardDuty	Monitoring for malicious network activity.	"EC2 instance is communicating with a known Bitcoin mining IP."
AWS Secrets Manager	Managing sensitive credentials.	"Database password has not been rotated in 90 days."

Visualizing the Security Workflow