
AWS Security Services Study Guide: Cognito, GuardDuty, and Macie

Security services with appropriate use cases (for example, AWS Cognito, AWS GuardDuty, AWS Macie)


This guide covers the core security services required for the AWS Certified Solutions Architect - Associate (SAA-C03) exam, focusing on identity management, threat detection, and data privacy.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between AWS Cognito User Pools and Identity Pools.
  • Explain how Amazon GuardDuty identifies threats using managed rule sets and machine learning.
  • Describe the role of Amazon Macie in discovering and protecting sensitive data in S3.
  • Identify appropriate use cases for AWS Security Hub as a central security dashboard.

Key Terms & Glossary

  • PII (Personally Identifiable Information): Information that can be used to identify a specific individual (e.g., SSN, email, passport number).
  • Authentication (AuthN): The process of verifying who a user is (handled by User Pools).
  • Authorization (AuthZ): The process of verifying what a user has access to (handled by Identity Pools).
  • Threat Intelligence: A collection of known malicious IP addresses and domains used by GuardDuty to spot attacks.
  • Findings: The actionable security alerts generated by services like Macie and GuardDuty.

The "Big Idea"

AWS follows a Defense in Depth strategy. While network security (VPCs, WAF) protects the perimeter, services like Cognito manage the "front door" (identity), GuardDuty acts as a "security camera" (behavioral monitoring), and Macie acts as a "vault auditor" (inspecting the actual data for sensitivity). Together, they ensure that even if one layer is bypassed, the system can detect and respond to threats automatically.

Formula / Concept Box

Service       | Primary Function       | Key Input/Source                    | Output/Action
------------- | ---------------------- | ----------------------------------- | -------------------------------------------
Cognito       | User Identity & Access | Web/Mobile App Users                | JWT Tokens / Temporary IAM Credentials
GuardDuty     | Threat Detection       | VPC Flow Logs, CloudTrail, DNS Logs | Findings (Sent to EventBridge/Security Hub)
Macie         | Data Privacy (S3)      | S3 Buckets                          | PII Discovery & Sensitivity Classification
Security Hub  | Security Aggregator    | GuardDuty, Macie, Inspector, IAM    | Unified Dashboard & Compliance Scores

Hierarchical Outline

  1. Identity Management: AWS Cognito
    • User Pools: Directories that provide sign-up and sign-in options for app users.
    • Identity Pools: Provide temporary AWS credentials to users (even unauthenticated ones).
  2. Intelligent Threat Detection: Amazon GuardDuty
    • Log Analysis: Continuously monitors CloudTrail, VPC Flow Logs, and DNS logs.
    • Malware Protection: Can scan EBS volumes attached to EC2 instances when suspicious activity is detected.
  3. Data Security & Privacy: Amazon Macie
    • S3 Focused: Automatically discovers and classifies sensitive data (PII, intellectual property).
    • Security Posture: Alerts if S3 buckets are public or lack encryption.

Visual Anchors

Cognito Authentication Flow

[Diagram: Cognito authentication flow]

GuardDuty Data Sources

\begin{tikzpicture}[node distance=2cm]
  \node (gd)  [draw, rectangle, fill=blue!10, minimum width=3cm, minimum height=1.5cm] {\textbf{Amazon GuardDuty}};
  \node (ct)  [draw, rounded corners, left of=gd, xshift=-2cm, yshift=1cm] {AWS CloudTrail};
  \node (vpc) [draw, rounded corners, left of=gd, xshift=-2cm] {VPC Flow Logs};
  \node (dns) [draw, rounded corners, left of=gd, xshift=-2cm, yshift=-1cm] {DNS Query Logs};
  \node (sec) [draw, rectangle, fill=green!10, right of=gd, xshift=2cm] {Security Hub};

  \draw[->, thick] (ct)  -- (gd);
  \draw[->, thick] (vpc) -- (gd);
  \draw[->, thick] (dns) -- (gd);
  \draw[->, thick] (gd)  -- node[above] {Findings} (sec);
\end{tikzpicture}

Definition-Example Pairs

  • Cognito User Pool
    • Definition: A user directory that handles registration, authentication, and account recovery.
    • Example: A fitness app where users create an account with an email and password to log their workouts.
  • Amazon GuardDuty Findings
    • Definition: Prioritized security alerts indicating a potential issue (Low, Medium, High severity).
    • Example: A finding titled UnauthorizedAccess:EC2/MaliciousIPCaller.Custom indicating an EC2 instance is communicating with a known Bitcoin mining IP.
  • Macie Managed Data Identifiers
    • Definition: Predefined criteria used to detect sensitive data like credit card numbers or medical records.
    • Example: Macie scanning a .csv file in S3 and flagging it because it contains 500 rows of 16-digit numbers matching credit card patterns.
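The GuardDuty findings pair above, together with the concept box's "Findings (Sent to EventBridge/Security Hub)", is the usual place to route alerts by severity. This added example (not from the study guide) shows an EventBridge rule pattern that forwards only high-severity GuardDuty findings about EC2 instances, plus a small matcher implementing the subset of EventBridge pattern semantics the rule relies on, run against constructed finding events. The pattern itself and the sample events are assumptions; only the field names follow the GuardDuty finding format.

```python
import operator

# EventBridge rule pattern that forwards only high-severity GuardDuty findings about
# EC2 instances (assumed example pattern; field names follow the GuardDuty event format).
HIGH_SEVERITY_EC2_FINDINGS = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}], "resource": {"resourceType": ["Instance"]}},
}

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}


def _leaf_matches(value, alternatives) -> bool:
    # A leaf matches if it equals any listed literal or satisfies a numeric clause
    # such as [">=", 7] or a range [">=", 4, "<", 7].
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            spec = alt["numeric"]
            is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
            if is_number and all(_NUMERIC_OPS[op](value, n) for op, n in zip(spec[0::2], spec[1::2])):
                return True
        elif alt == value:
            return True
    return False


def event_matches(pattern: dict, event: dict) -> bool:
    # Subset of EventBridge semantics: every pattern key must exist in the event and
    # match; nested dicts recurse, lists are OR-ed alternatives.
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not event_matches(expected, event[key]):
                return False
        elif not _leaf_matches(event[key], expected):
            return False
    return True


def sample_finding(severity: float, resource_type: str = "Instance") -> dict:
    # Constructed EventBridge envelope for a GuardDuty finding (not a real event).
    detail = {"type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
              "severity": severity, "resource": {"resourceType": resource_type}}
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": detail}
```

A Medium finding (severity 4.0 to 6.9) or a finding about an S3 bucket falls through this rule, so a second rule or Security Hub would be needed to see those.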

Worked Examples

Scenario 1: Developing a Public Facing Application

Question: A company is building a mobile app. They want users to sign in using their Google or Facebook accounts and then upload photos directly to a private S3 bucket. Which services are needed?

Solution:

  1. Cognito User Pool to handle the social identity provider integration (Google/Facebook).
  2. Cognito Identity Pool to exchange the successful login token for temporary IAM credentials that allow s3:PutObject access to a specific folder in the bucket.
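Step 2 in code, as an added example that is not part of the study guide: the IAM policy an Identity Pool's authenticated role would carry so that every user's temporary credentials reach only their own prefix, and a toy evaluator that resolves the Cognito policy variable the way IAM does at request time. The bucket name and identity IDs are placeholders; the evaluator covers only the Allow statements shown (no Deny, no condition evaluation).

```python
import fnmatch

# Assumed placeholder names (not from the study guide).
BUCKET = "example-photo-bucket"
# IAM resolves this policy variable to the caller's Cognito identity ID at request time.
COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"


def authenticated_role_policy(bucket: str) -> dict:
    """Policy for the Identity Pool's authenticated IAM role.

    Every signed-in user receives temporary credentials for this same role; the
    policy variable confines each user to the prefix named after their identity ID.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{COGNITO_SUB}/*"]}},
            },
            {
                "Sid": "ReadWriteOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{COGNITO_SUB}/*",
            },
        ],
    }


def is_allowed(policy: dict, identity_id: str, action: str, key: str) -> bool:
    """Toy evaluator for the object-level statements above (no Deny, no conditions).

    It substitutes the policy variable with the caller's identity ID and matches
    the requested object ARN against each statement's Resource pattern.
    """
    object_arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or action not in actions:
            continue
        pattern = stmt["Resource"].replace(COGNITO_SUB, identity_id)
        if fnmatch.fnmatchcase(object_arn, pattern):
            return True
    return False
```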

Scenario 2: Compliance for Financial Data

Question: A financial firm stores thousands of PDF documents in S3. They must ensure no Social Security Numbers are stored in unencrypted buckets. How can they automate this?

Solution: Enable Amazon Macie. Macie will scan the S3 buckets to identify PII (SSNs) and simultaneously monitor the bucket's security settings (alerting if encryption is disabled or the bucket is made public).

Checkpoint Questions

  1. What is the main difference between a Cognito User Pool and an Identity Pool?
  2. Which three AWS log types does GuardDuty analyze by default to detect threats?
  3. True or False: Amazon Macie can be used to scan data stored in Amazon RDS databases.
  4. How does GuardDuty handle EBS volumes during a malware infection?
Answers
  1. User Pools are for Authentication (identity/login); Identity Pools are for Authorization (providing AWS credentials).
  2. CloudTrail Logs, VPC Flow Logs, and DNS Query Logs.
  3. False. Macie is currently focused exclusively on Amazon S3.
  4. It creates a replica snapshot of the affected EBS volume to scan for malware without impacting the production workload.
