1

My understanding of all three is that they look for patterns in events and logs to determine if there is a potential security flaw. Another question touches upon this but somewhat unsatisfactory. What I got from that reply was:

... GuardDuty is more tilted towards indications of actual compromise whereas insights is more just 'unusual' API activity

Macie: Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

Cloudtrail Insights: AWS CloudTrail Insights helps AWS users identify and respond to unusual activity associated with write API calls by continuously analyzing CloudTrail management events.

GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3

What is the difference and when should I use what service? Is someone able to do a bit more explanation around the actual differences?

Frankster
  • 653
  • 7
  • 26

1 Answers1

3

My understanding of all three is that they look for patterns in events and logs to determine if there is a potential security flaw
...
What is the difference and when should I use what service?

Every service documentation has its FAQ part, where this is explained.

All three services have different purpose. They look into different input data and produce different alert types, which are not necessarily security flaws, but are to be reviewed and addressed. The services are not overlapping in functionality, so I'm not sure what is confusing for you. I will just list the difference.

Amazon Macie reads your S3 bucket data to identify open and shared S3 buckets and data containing PII.

GuardDuty aggregates "AWS CloudTrail event logs, Amazon VPC Flow Logs and DNS logs" to detect suspicious activity.

Cloudtrail Insights is a new CloudTrail feature. The service generates Insights events when the API calls volume is outside normal patterns.

gusto2
  • 11,210
  • 2
  • 17
  • 36
  • "GuardDuty aggregates CloudTrail...to detect suspicious activity" and "CloudTrail Insights generates events when....outside normal patterns" actually does seem kind of overlapping/synonymous. It's clear that CloudTrail Insights uses call volume to detect suspicious activity, but not clear what mechanism Guard Duty uses to detect suspicious activity in CloudTrail, and whether that includes call volume as a parameter too. – Yann Stoneman Aug 27 '21 at 17:21
  • 1
    @Yann_Stoneman GuardDuty had a defined [list of findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) using ML and aws claims the model is updated for newer threads. The cloudwatch insights checks the api call volume against an established baseline . – gusto2 Aug 27 '21 at 17:49
  • It seems like GuardDuty is currently limited to a variety of highly specific findings in EC2, IAM, and S3, whereas Insights detects just one thing, unusual call volume, but across all write API events. – Yann Stoneman Aug 27 '21 at 18:15