AWS security services and resources are the managed building blocks that AWS provides so customers can detect threats, find vulnerabilities, protect data, control network traffic, and manage encryption keys without operating those tools themselves. On the CLF-C02 exam, Task 2.4 tests whether you can pick the right AWS security service for a described scenario — threat detection goes to GuardDuty, vulnerability scanning goes to Inspector, sensitive data discovery in S3 goes to Macie, DDoS goes to Shield, web exploits go to WAF, and cross-service aggregation goes to Security Hub.
This page walks you through every AWS security service in the CLF-C02 blueprint, explains the top three-way trap (GuardDuty vs Inspector vs Macie), and drills in the must-memorise facts you will see on the exam. By the end you will be able to read a scenario, spot the object being protected, and match the correct AWS security service in under ten seconds.
What Are AWS Security Services & Resources?
AWS security services are the family of managed tools that protect workloads running on AWS across six pillars: threat detection, vulnerability assessment, data classification, network protection, identity and secrets, and centralised aggregation. Each AWS security service targets a specific object — a log stream, an EC2 instance, an S3 bucket, a web request, a key, or a secret — and the CLF-C02 exam almost always cues you by naming that object in the scenario.
The Cloud Practitioner exam does not expect you to configure these AWS security services. It expects you to recognise which AWS security service solves which problem, and to avoid the classic traps between GuardDuty, Inspector, and Macie. Because Domain 2 now accounts for 30% of the exam (up from 25% in CLF-C01), mastery of AWS security services carries more weight per hour studied than almost any other topic.
Where AWS Security Services Fit in the Shared Responsibility Model
Every AWS security service lives on the "security IN the cloud" side of the Shared Responsibility Model: AWS operates the service itself, but deciding whether to enable it, in which regions, and what to do with its findings is your responsibility. GuardDuty, Inspector, and Macie are not on by default. You enable them per account and per region, and from the AWS Organizations management account (formerly called the master account) or a delegated administrator account you can enable them across all member accounts at once.
Why the CLF-C02 Exam Loves AWS Security Services Questions
Explorer research on 20 community sources shows "Security Service Selection by Use Case" is the highest-frequency exam signal (95 mentions, +18% trend). Candidates also report that GuardDuty vs Inspector vs Macie confusion is the single most-cited trap in Domain 2. That makes AWS security services the highest return-on-study topic in the entire exam.
Plain-Language Explanation: AWS Security Services
Think of your AWS account as a hotel. AWS security services are the different specialists the hotel hires to keep guests safe. Each specialist watches a different thing, and the CLF-C02 exam wants you to know which specialist to call.
Analogy 1 — The Hotel Security Team (Kitchen / Hospitality Analogy)
Imagine a five-star hotel. GuardDuty is the CCTV team that watches every hallway and flags unusual behaviour — a guest trying the same door fifty times, or a stranger carrying out a TV set. It does not inspect the rooms themselves; it watches movement (CloudTrail API calls, VPC Flow Logs, DNS logs). Inspector is the maintenance inspector who goes into each room (each EC2 instance or container image) and checks that the locks, smoke alarms, and plumbing meet code — that is vulnerability assessment. Macie is the safe-deposit-box auditor who opens every safe (every S3 bucket) and makes sure no passport photocopies or credit-card numbers are lying around where a cleaner could see them.
Continue the analogy: Detective is the forensics investigator who shows up after an incident and reconstructs who-did-what-when by pulling tapes from every camera on the property. Security Hub is the security director's office wall with dashboards fed by every specialist — one pane of glass. Shield is the bouncer who handles the mob trying to rush the entrance (L3/L4 DDoS). WAF is the receptionist who reads each visitor's entry form for anything suspicious (L7 web requests). KMS is the master-key cabinet. Secrets Manager is the concierge who remembers room keys for staff and rotates them every shift.
Analogy 2 — The Open-Book Exam Desk (Exam Analogy)
Picture a proctored open-book exam, which is a great way to think about AWS security services because most of them work by reading something you already have. GuardDuty reads your existing CloudTrail, VPC Flow, and DNS logs — you did not write new logs for GuardDuty; it is an intelligent reader of notes you already have. Inspector reads your running EC2 instances and container images the way a proctor reads your answer sheet against a scoring rubric (the CVE database) to find wrong answers (vulnerabilities). Macie reads your S3 objects the way a proctor scans for forbidden materials — it is pattern matching and machine learning against PII rules. Detective reads the aggregated findings from GuardDuty and CloudTrail to reconstruct the exam timeline. The lesson: AWS security services are readers. You do not write a single log for them. You enable them, and they read what you already have.
Analogy 3 — The Electrical Grid (Infrastructure Analogy)
Imagine your workload as a city, and AWS security services as the utilities that keep it safe. Shield is the lightning rod and surge protector on every substation — it absorbs massive electrical surges (L3/L4 volumetric attacks) before they reach your building. WAF is the breaker panel inside your building that trips when a specific circuit pulls a bad pattern (L7 SQL injection, XSS). KMS is the key infrastructure for every locked panel in the city — you hand out keys, KMS tracks who used which key. CloudHSM is a vault-grade key room for the government buildings in the city that must meet stricter regulations. Secrets Manager is the rotating master-key service used by staff to open secure rooms — it changes the keys automatically on a schedule. GuardDuty is the grid-monitoring station spotting unusual load patterns (a single substation pulling 100x normal current = probable crypto-miner). Together these AWS security services form defence in depth: perimeter (Shield/WAF), identity (IAM), monitoring (GuardDuty), response (Detective), and key custody (KMS/Secrets Manager).
Core Operating Principles — Defense in Depth with AWS Security Services
AWS security services are deliberately layered. No single AWS security service covers all threats — the exam tests whether you understand the layering.
Layer 1 — Edge Protection (Shield + WAF)
At the edge of your architecture, AWS Shield stops L3/L4 DDoS floods, and AWS WAF inspects L7 HTTP/HTTPS requests for malicious patterns. Shield Standard is free and automatic; Shield Advanced adds 24/7 access to the Shield Response Team and cost protection. For the exam, WAF attaches to CloudFront, ALB, API Gateway, and AppSync (in practice it also fronts Cognito user pools, App Runner, and Verified Access).
Layer 2 — Network Controls (Security Groups + NACLs)
Inside the VPC, Security Groups act as stateful instance-level firewalls, while NACLs act as stateless subnet-level firewalls. These are covered in the network-services topic but pair with AWS security services at the edge.
Layer 3 — Threat Detection (GuardDuty + Detective)
GuardDuty continuously analyses CloudTrail, VPC Flow Logs, and DNS logs for known bad patterns. Detective visualises the relationships between those findings for root-cause analysis.
Layer 4 — Vulnerability and Data (Inspector + Macie)
Inspector scans EC2 instances, Lambda functions, and container images for CVEs. Macie scans S3 for sensitive data (PII, PHI, credentials) using machine learning.
Layer 5 — Identity and Keys (IAM, KMS, CloudHSM, Secrets Manager, Parameter Store)
IAM controls who can do what. KMS manages encryption keys at massive scale. CloudHSM gives you dedicated hardware key modules for regulated workloads. Secrets Manager rotates secrets. Parameter Store holds configuration values.
Layer 6 — Aggregation (Security Hub)
Security Hub pulls findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and AWS Config into a single pane of glass with CSPM-style compliance scoring.
Amazon GuardDuty — Threat Detection for CloudTrail, VPC Flow, and DNS
Amazon GuardDuty is a continuous, machine-learning-based threat detection AWS security service. Its foundational data sources need no agents: CloudTrail management events, VPC Flow Logs, and Route 53 DNS query logs. Optional protection plans add further sources (CloudTrail S3 data events, EKS audit logs, RDS login activity, Lambda network activity); Runtime Monitoring is the one GuardDuty feature that does deploy an agent, and the exam does not go there. GuardDuty correlates these sources against AWS threat intelligence feeds and ML models, producing findings named ThreatPurpose:ResourceType/ThreatFamily, such as "Recon:IAMUser/MaliciousIPCaller" or "CryptoCurrency:EC2/BitcoinTool.B".
What GuardDuty Finds
GuardDuty is purpose-built for threat detection, not vulnerability assessment. Typical findings include compromised credentials being used from anomalous geography, EC2 instances suddenly connecting to known crypto-mining pools, reconnaissance patterns against APIs, and data exfiltration to unusual destinations. If the scenario mentions "unusual API activity" or "compromised account" or "crypto-mining," the answer is GuardDuty.
How GuardDuty Is Priced
GuardDuty charges by CloudTrail events analysed and VPC Flow/DNS log volume. A 30-day free trial lets you evaluate before committing. In an AWS Organizations setup, you enable GuardDuty across all accounts from the delegated administrator.
Key GuardDuty Facts to Memorise
Data sources = CloudTrail + VPC Flow Logs + DNS logs. No agents required. Region-specific — you must enable GuardDuty in each region. Findings flow natively into Security Hub and EventBridge for automation.
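Because GuardDuty findings land in EventBridge, the usual next step is a small function that reads the finding type, bands the numeric severity, and picks a containment action. The block below is an added example, not AWS code or anything from the original page: the event envelope and the finding field names follow the documented GuardDuty-to-EventBridge shape, but the finding itself is constructed (placeholder account and instance ids), the severity cut-offs are stated as assumptions, and the response policy is this example's own.

```python
"""Triage a GuardDuty finding delivered as an EventBridge event.

Added example for this page; it is not AWS code. The envelope and finding
field names follow GuardDuty's documented EventBridge shape; the finding
content, the severity cut-offs and the response policy are this example's
own assumptions.
"""

# Constructed EventBridge event (placeholder account id and instance id).
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111122223333",
        "region": "us-east-1",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "title": "EC2 instance is querying a domain associated with Bitcoin mining.",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {"count": 3, "archived": False},
    },
}


def severity_label(score):
    """Band GuardDuty's numeric severity.

    Assumed cut-offs: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0+.
    Re-check them against the GuardDuty User Guide before relying on them.
    """
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceType/ThreatFamily.Variant!Artifact'.

    Returns (purpose, resource, family, artifact); artifact is None when the
    type has no '!' suffix.
    """
    purpose, rest = finding_type.split(":", 1)
    resource, rest = rest.split("/", 1)
    family, _, artifact = rest.partition("!")
    return purpose, resource, family, artifact or None


def triage(event):
    """Decide a response for one finding. The policy is this example's assumption."""
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    detail = event["detail"]
    if detail.get("service", {}).get("archived"):
        return {"action": "ignore", "reason": "archived finding"}

    purpose, resource, family, artifact = parse_finding_type(detail["type"])
    label = severity_label(float(detail["severity"]))
    result = {
        "finding_type": detail["type"],
        "purpose": purpose,
        "resource_type": resource,
        "severity": label,
        "action": "notify",
    }
    # Active attacker behaviour on an instance: take it off the network
    # (for example by swapping in a quarantine security group) and let a human look.
    if (resource == "EC2" and purpose in {"CryptoCurrency", "Backdoor", "Trojan"}
            and label in {"HIGH", "CRITICAL"}):
        result["action"] = "isolate_instance"
        result["instance_id"] = detail["resource"]["instanceDetails"]["instanceId"]
    # Credential misuse: the unit of containment is the access key, not a host.
    elif resource == "IAMUser" and label in {"HIGH", "CRITICAL"}:
        result["action"] = "disable_access_key"
        result["access_key_id"] = (detail["resource"]
                                   .get("accessKeyDetails", {})
                                   .get("accessKeyId"))
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

The point to notice is that the routing key is the ResourceType segment of the finding name, not the free-text title: EC2 findings map to a host action, IAMUser findings to a credential action. Archived findings are skipped so that a re-delivered or suppressed finding never re-triggers containment.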
Amazon Inspector — Vulnerability Assessment for EC2, Lambda, and Containers
Amazon Inspector is an automated vulnerability assessment AWS security service. It continuously scans EC2 instances, container images in Amazon ECR, and Lambda functions for known CVEs and unintended network exposure. On EC2 it reads the installed-package inventory through the Systems Manager agent (agentless scanning of EBS snapshots is also available for instances without the agent) and matches it against the public CVE database.
What Inspector Finds
Inspector finds software vulnerabilities: an outdated OpenSSL, a Log4Shell-vulnerable Java library, a missing kernel patch. It does not watch for live threats. It answers the question, "If an attacker showed up, what would be exploitable?"
Inspector vs the Legacy Inspector Classic
Classic Inspector required you to build assessment templates and schedule scans. Inspector (v2) is always-on, automatically triggered when a new EC2 instance launches or a container image is pushed to ECR. For the exam, assume Inspector means continuous, automated CVE scanning.
Key Inspector Facts to Memorise
Targets = EC2, ECR container images, Lambda. Uses Systems Manager agent on EC2. Outputs a risk-scored finding per vulnerability. Findings flow to Security Hub and EventBridge. Not for threat detection — that is GuardDuty.
Amazon Macie — Sensitive Data Discovery for Amazon S3
Amazon Macie is a data security and data privacy AWS security service that uses machine learning and pattern matching to discover and protect sensitive data in Amazon S3. Macie identifies PII (names, addresses, SSNs), PHI, credentials (API keys, tokens), and financial data (credit card numbers, bank account numbers).
What Macie Finds
Macie scans S3 objects and buckets, producing findings like "Sensitive data discovered: 3 objects contain credit card numbers" or "Bucket publicly readable and contains PII." Macie also evaluates bucket-level security posture (public-access status, encryption settings, replication to external accounts).
When to Use Macie
The exam cue is "S3" plus "sensitive data" or "PII" or "compliance scan." If the scenario says "find credit cards in S3" or "classify data in S3," the answer is Macie. If the scenario says "find CVEs," the answer is Inspector. If the scenario says "unusual activity," the answer is GuardDuty.
Key Macie Facts to Memorise
Only works against Amazon S3 — Macie does not scan EC2 filesystems, RDS databases, or EFS. Uses managed data identifiers (default) plus custom identifiers (your regex). Findings integrate with Security Hub and EventBridge.
The Three-Way Trap — GuardDuty vs Inspector vs Macie. Candidates fail this question more than any other in Domain 2. The three AWS security services sound similar but target different objects. Use this memory hook: GuardDuty watches LOGS (CloudTrail, VPC Flow, DNS). Inspector scans MACHINES (EC2, containers, Lambda). Macie scans BUCKETS (S3 objects for PII). Memorise the object, not the verb.
Amazon Detective — Incident Investigation and Root-Cause Analysis
Amazon Detective is the investigation AWS security service. It ingests data from GuardDuty, CloudTrail, and VPC Flow Logs and builds an interactive graph of resource relationships, network behaviour, and identity actions over time. When a GuardDuty finding fires, Detective lets you click through and see every API call, every network flow, and every IAM principal involved during the incident window.
Detective vs GuardDuty
GuardDuty says, "Something bad happened at 02:14 UTC." Detective answers, "Here is the full graph of what led up to that, what happened after, and which other resources are implicated." Detective does not generate findings of its own — it visualises findings from GuardDuty. On the exam, if the scenario asks for "investigate" or "root cause" or "which user was involved," the answer is Detective.
Key Detective Facts to Memorise
Requires GuardDuty to be enabled (for at least 48 hours) before Detective can be turned on. Does not replace a SIEM but provides an AWS-native incident graph. Best paired with Security Hub for an end-to-end detect-investigate-aggregate workflow.
AWS Shield — DDoS Mitigation at L3/L4
AWS Shield is the DDoS protection AWS security service. It comes in two tiers.
Shield Standard — Free, Always-On
Shield Standard is automatically enabled for every AWS customer at no extra cost. It protects against the most common network-layer and transport-layer DDoS attacks (SYN floods, UDP reflection) for all AWS resources, with particular optimisation for CloudFront, Route 53, and Global Accelerator.
Shield Advanced — Paid, Enterprise-Grade
Shield Advanced costs US$3,000 per month per organisation (with a one-year commitment) plus data-transfer fees and adds: 24/7 access to the AWS Shield Response Team (SRT), enhanced detection of application-layer attacks, cost protection (AWS credits the scaling charges an attack causes on protected resources), and WAF web ACL and rule charges waived for the resources it protects.
Key Shield Facts to Memorise
Standard = free, L3/L4, automatic. Advanced = US$3,000/month with a one-year commitment, Shield Response Team for L3/L4 and L7 events, cost protection. Protects resources at the edge (CloudFront, Route 53, Global Accelerator) and in the region (ALB, Classic Load Balancer, EC2 Elastic IPs).
AWS WAF — Layer 7 Web Application Firewall
AWS WAF is a web application firewall AWS security service operating at L7. It inspects HTTP/HTTPS requests and blocks based on rules you define (SQL injection, XSS, geographic match, rate limiting) or on managed rule groups: AWS Managed Rules, which AWS maintains and which cost nothing beyond normal WAF pricing, and third-party rule groups subscribed through AWS Marketplace.
Where WAF Attaches
For the exam, WAF attaches to four AWS services: Amazon CloudFront, Application Load Balancer, Amazon API Gateway (REST APIs), and AWS AppSync. In practice the list has grown to include Amazon Cognito user pools, AWS App Runner services, and AWS Verified Access instances. WAF does not attach to EC2 instances directly, Network Load Balancer, or ECS tasks; put those behind an ALB or CloudFront if they need WAF.
WAF Rule Types
You can write custom rules, use AWS Managed Rule Groups (Core rule set aligned with the OWASP Top 10, bot control, known bad inputs), or subscribe to third-party managed rules via AWS Marketplace. Rate-based rules automatically block a source IP that exceeds a request limit within a trailing evaluation window (5 minutes by default) and release it once its rate drops back under the limit.
Shield vs WAF — the Classic Pair
Shield handles L3/L4 volumetric DDoS. WAF handles L7 application-layer exploits and bot control. They often work together: Shield absorbs the flood; WAF blocks the individual bad request signatures. Shield Advanced waives the WAF web ACL and rule charges for the resources it protects.
Shield vs WAF is not "one or the other." Most production architectures use both. Shield Standard is free and automatic so it is always on. WAF is opt-in with per-rule and per-request pricing. Use Shield for floods, WAF for exploits, and Shield Advanced when compliance requires cost protection and 24/7 SRT access.
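To make the rate-based rule and the L3/L4-versus-L7 split concrete, here is an added example (not AWS code, not part of the original page) that replays constructed access-log lines through a sliding-window rate count. WAF's real engine evaluates on a trailing window and holds the block while the IP stays over the limit, so this is an approximation of the rule's semantics rather than the engine itself; the log layout, the TEST-NET addresses, the traffic pattern and the limit of 10 are all invented for the illustration.

```python
"""Simulate an AWS WAF rate-based rule over HTTP access-log lines.

Added example for this page, not AWS code. WAF counts requests per source
IP over a trailing evaluation window (5 minutes by default) and blocks the
IP while it stays over the limit; the per-request sliding-window count here
approximates that behaviour. The log format, the addresses (TEST-NET
ranges) and the traffic pattern are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def make_sample_lines():
    """Constructed access log: one abusive client, one normal client.

    Assumed line layout: '<timestamp> <client ip> <method> <path> <status>'.
    """
    start = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(delta):
        return (start + delta).strftime(LOG_FORMAT)

    lines = []
    # 203.0.113.7 fires 12 POSTs at /login inside 60 seconds.
    for i in range(12):
        lines.append(f"{stamp(timedelta(seconds=5 * i))} 203.0.113.7 POST /login 401")
    # 198.51.100.20 browses normally: three requests over four minutes.
    for i in range(3):
        lines.append(f"{stamp(timedelta(seconds=80 * i))} 198.51.100.20 GET /catalog 200")
    # The abusive client comes back ten minutes later, after its window has emptied.
    lines.append(f"{stamp(timedelta(minutes=10))} 203.0.113.7 POST /login 401")
    return lines


def parse_line(line):
    """Return (timestamp, client ip, path) from one constructed log line."""
    ts, ip, _method, path, _status = line.split()
    return datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc), ip, path


def simulate_rate_rule(lines, limit, window_seconds=300):
    """Return [(timestamp, ip, path, 'ALLOW' | 'BLOCK')] in time order.

    A request is blocked when, counting itself, its source IP has sent more
    than `limit` requests inside the trailing `window_seconds`.
    """
    requests = sorted(parse_line(line) for line in lines)
    history = defaultdict(deque)      # ip -> timestamps still inside the window
    decisions = []
    for ts, ip, path in requests:
        window = history[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()          # expire requests that fell out of the window
        window.append(ts)
        verdict = "BLOCK" if len(window) > limit else "ALLOW"
        decisions.append((ts, ip, path, verdict))
    return decisions


def blocked_counts(decisions):
    """Number of blocked requests per source IP."""
    counts = defaultdict(int)
    for _ts, ip, _path, verdict in decisions:
        if verdict == "BLOCK":
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, ip, path, verdict in simulate_rate_rule(make_sample_lines(), limit=10):
        print(ts.strftime(LOG_FORMAT), ip, path, verdict)
```

With a limit of 10, the abusive client's 11th and 12th requests are blocked, the normal client is never touched, and the request that arrives ten minutes later is allowed again because its earlier requests have aged out of the window. Note what this code never sees: a SYN flood or UDP reflection attack produces no parsed HTTP request and therefore no line to count. That traffic is absorbed earlier, at L3/L4, which is exactly why it is Shield's job and not WAF's.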
AWS Security Hub — Aggregation and CSPM Scoring
AWS Security Hub is the aggregation AWS security service. It ingests findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, AWS Firewall Manager, AWS Config, and third-party AWS Marketplace tools into one normalised format (AWS Security Finding Format, ASFF). Security Hub also runs compliance standards (AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark, PCI DSS) against your accounts and produces a compliance score.
Why Security Hub Matters for the Exam
When a scenario says "central dashboard," "single pane of glass," "aggregate findings across GuardDuty and Inspector," or "CIS compliance score," the answer is Security Hub. Candidates sometimes confuse Security Hub with GuardDuty because both show findings; remember that GuardDuty only shows threat-detection findings, while Security Hub shows all AWS security service findings and compliance scores.
Key Security Hub Facts to Memorise
Enable per region (cross-Region aggregation can then pool findings into one aggregation Region). Integrates natively with AWS Organizations. Findings normalised to ASFF. Runs automated compliance standards (CIS, PCI DSS, FSBP, NIST SP 800-53).
Security Hub is the dashboard, not the detector. Security Hub does not find threats — GuardDuty does. Security Hub does not find CVEs — Inspector does. Security Hub does not find PII — Macie does. Security Hub aggregates findings from all the other AWS security services and gives you a compliance score. If the scenario says "aggregate" or "dashboard," pick Security Hub.
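What "normalised to ASFF" means in practice is easiest to see by building a few records. The block below is an added example, not AWS code and not from the original page: it takes simplified, constructed stand-ins for one GuardDuty, one Inspector and one Macie finding (the real native schemas are far larger) and emits the AWS Security Finding Format records Security Hub stores, with each producer's own severity scale mapped onto ASFF's Normalized score and Label. The field names, the required-field list, the severity bands and the custom-integration ProductArn form follow the Security Hub documentation; the account id, region and resource ids are placeholders.

```python
"""Normalise constructed GuardDuty, Inspector and Macie findings into
AWS Security Finding Format (ASFF) records.

Added example for this page, not AWS code. Inputs are simplified
stand-ins for each producer's native finding; ASFF field names, the
required-field list, Severity.Normalized bands and the ProductArn
pattern follow the Security Hub documentation. Ids are placeholders.
"""
from datetime import datetime, timezone

ACCOUNT = "111122223333"   # placeholder account id
REGION = "us-east-1"

# Security Hub rejects an imported finding that lacks any of these fields.
REQUIRED_FIELDS = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
                   "Types", "CreatedAt", "UpdatedAt", "Severity", "Title",
                   "Description", "Resources")

# Constructed producer outputs: one threat, one CVE, one PII hit.
SAMPLE_FINDINGS = [
    {"product": "guardduty", "id": "gd-0001", "score": 8.0,
     "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "instance_id": "i-0123456789abcdef0",
     "title": "EC2 instance querying a Bitcoin-related domain"},
    {"product": "inspector", "id": "insp-0001", "cvss": 10.0, "cve": "CVE-2021-44228",
     "instance_id": "i-0123456789abcdef0", "title": "Log4j remote code execution"},
    {"product": "macie", "id": "macie-0001", "severity": "High",
     "bucket": "amzn-s3-demo-bucket", "title": "Bucket objects contain credit card numbers"},
]


def normalized_score(finding):
    """Map each producer's own severity scale onto ASFF's 0-100 Normalized score."""
    if finding["product"] == "guardduty":
        return int(finding["score"] * 10)            # GuardDuty scores run 0-10
    if finding["product"] == "inspector":
        return int(finding["cvss"] * 10)             # CVSS base score runs 0-10
    return {"Low": 20, "Medium": 50, "High": 80}[finding["severity"]]   # Macie labels


def severity_label(normalized):
    """ASFF bands: 0 INFORMATIONAL, 1-39 LOW, 40-69 MEDIUM, 70-89 HIGH, 90-100 CRITICAL."""
    if normalized == 0:
        return "INFORMATIONAL"
    if normalized < 40:
        return "LOW"
    if normalized < 70:
        return "MEDIUM"
    if normalized < 90:
        return "HIGH"
    return "CRITICAL"


def resource_for(finding):
    """ASFF Resources entry: a typed resource whose Id is its ARN."""
    if finding["product"] == "macie":
        return {"Type": "AwsS3Bucket", "Id": f"arn:aws:s3:::{finding['bucket']}"}
    return {"Type": "AwsEc2Instance",
            "Id": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{finding['instance_id']}"}


def types_for(finding):
    """ASFF Types are namespace/category/classifier paths; simplified to one per producer."""
    if finding["product"] == "guardduty":
        return [f"TTPs/{finding['type']}"]
    if finding["product"] == "inspector":
        return ["Software and Configuration Checks/Vulnerabilities/CVE"]
    return ["Sensitive Data Identifications/PII"]


def to_asff(finding, now=None):
    """Build one ASFF record. ProductArn uses the custom-integration form that
    your own code would use with BatchImportFindings."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    normalized = normalized_score(finding)
    description = finding["title"]
    if "cve" in finding:
        description += f" ({finding['cve']}, CVSS {finding['cvss']})"
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{REGION}/{ACCOUNT}/{finding['product']}/{finding['id']}",
        "ProductArn": f"arn:aws:securityhub:{REGION}:{ACCOUNT}:product/{ACCOUNT}/default",
        "GeneratorId": finding["product"],
        "AwsAccountId": ACCOUNT,
        "Types": types_for(finding),
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Normalized": normalized, "Label": severity_label(normalized)},
        "Title": finding["title"],
        "Description": description,
        "Resources": [resource_for(finding)],
    }


def missing_required(record):
    """Fields Security Hub would reject the record for lacking (empty list = valid)."""
    return [f for f in REQUIRED_FIELDS if f not in record]
```

Once the three producers agree on SchemaVersion, Severity.Label, Types and Resources, a single query ("every HIGH or CRITICAL finding touching instance i-0123456789abcdef0") spans threats, CVEs and data exposure at once. That cross-producer view is the whole value of the aggregator, and it is also why Security Hub on its own has nothing to show until GuardDuty, Inspector or Macie feed it.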
AWS KMS and AWS CloudHSM — Encryption Key Management
AWS KMS (Key Management Service)
AWS KMS is the default managed encryption key AWS security service. KMS creates and manages symmetric and asymmetric keys in multi-tenant, FIPS 140-2 Level 3 validated HSMs that AWS operates. Every AWS service that offers encryption (S3, EBS, RDS, DynamoDB, Lambda environment variables) integrates with KMS. Customer managed keys cost per key per month plus per-request charges; the AWS managed keys that services create for you (aws/s3, aws/ebs and so on) carry no monthly fee.
AWS CloudHSM
CloudHSM provides dedicated, single-tenant, FIPS 140-2 Level 3 hardware security modules in which you, not AWS, control the keys and the HSM users (regulated industries, payment processing). CloudHSM is more expensive and more operational than KMS: you size, patch-schedule, and back up the cluster.
KMS vs CloudHSM for the Exam
Default choice = KMS. Regulated or compliance-required dedicated HSM = CloudHSM. Cross-region replication of keys = KMS Multi-Region Keys.
AWS Secrets Manager vs Systems Manager Parameter Store
Both AWS security services store configuration values, but only one is a true secrets management service.
AWS Secrets Manager
Secrets Manager is purpose-built for secrets like database passwords, API keys, and OAuth tokens. It supports automatic rotation: managed rotation for RDS, Redshift, and DocumentDB credentials, and a rotation Lambda function you write for anything else. Priced per secret per month plus API calls. Best when you need rotation.
AWS Systems Manager Parameter Store
Parameter Store holds configuration parameters and can hold secrets too, as SecureString parameters encrypted with a KMS key. Standard parameters are free; advanced parameters cost per parameter. Parameter Store does not natively rotate secrets. Best when you need low-cost config and do not need automatic rotation.
When to Choose Which
Database password that must rotate every 30 days → Secrets Manager. Feature flag or environment-specific config string → Parameter Store. If the scenario says "rotation," the answer is always Secrets Manager.
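The rotation behaviour that separates Secrets Manager from Parameter Store is a contract between the service and a Lambda function it invokes four times per rotation, once per step. The block below is an added example, not AWS code and not the AWS-provided rotation templates: it runs that four-step contract against in-memory stand-ins (FakeSecretsManager, FakeDatabase and StuckDatabase are this example's own classes, and the secret name, user and version tokens are invented). The step names, the event fields and the AWSCURRENT/AWSPENDING/AWSPREVIOUS staging labels follow the Secrets Manager rotation documentation.

```python
"""Walk the four-step Secrets Manager rotation contract against stand-ins.

Added example for this page, not AWS code. Step names, event fields and
staging labels follow the Secrets Manager rotation documentation; the
Fake* classes are this example's own in-memory substitutes for the real
service and for an RDS database.
"""
import secrets
import string


class FakeSecretsManager:
    """In-memory version store; version ids are the ClientRequestToken values."""

    def __init__(self, initial_value):
        self.versions = {"v0": {"value": dict(initial_value), "stages": {"AWSCURRENT"}}}

    def version_with_stage(self, stage):
        for vid, v in self.versions.items():
            if stage in v["stages"]:
                return vid, v["value"]
        return None, None

    def put_secret_value(self, token, value, stage):
        self.versions[token] = {"value": value, "stages": {stage}}

    def update_version_stage(self, stage, move_to, remove_from=None):
        if remove_from is not None:
            self.versions[remove_from]["stages"].discard(stage)
        self.versions[move_to]["stages"].add(stage)


class FakeDatabase:
    """Stand-in for the database login the secret protects."""

    def __init__(self, user, password):
        self.passwords = {user: password}

    def set_password(self, user, password):
        self.passwords[user] = password

    def login(self, user, password):
        return self.passwords.get(user) == password


class StuckDatabase(FakeDatabase):
    """Simulates setSecret silently failing to change the password."""

    def set_password(self, user, password):
        pass


def new_password(length=32):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_handler(event, sm, db):
    """One invocation = one step. Each step must be safe to retry."""
    token, step = event["ClientRequestToken"], event["Step"]

    if step == "createSecret":
        if token in sm.versions:          # retried invocation: version already written
            return
        _, current = sm.version_with_stage("AWSCURRENT")
        sm.put_secret_value(token, dict(current, password=new_password()), "AWSPENDING")

    elif step == "setSecret":
        _, pending = sm.version_with_stage("AWSPENDING")
        db.set_password(pending["username"], pending["password"])

    elif step == "testSecret":
        _, pending = sm.version_with_stage("AWSPENDING")
        if not db.login(pending["username"], pending["password"]):
            raise RuntimeError("pending credential rejected; AWSCURRENT left untouched")

    elif step == "finishSecret":
        current_vid, _ = sm.version_with_stage("AWSCURRENT")
        if current_vid == token:          # retried invocation: already finished
            return
        # Moving AWSCURRENT is the only step clients can observe. The real service
        # moves AWSPREVIOUS and drops AWSPENDING itself; mirrored here by hand.
        sm.update_version_stage("AWSCURRENT", move_to=token, remove_from=current_vid)
        sm.update_version_stage("AWSPREVIOUS", move_to=current_vid)
        sm.versions[token]["stages"].discard("AWSPENDING")

    else:
        raise ValueError(f"unknown step {step}")


def rotate(sm, db, token):
    """Run a full rotation and return the password clients now receive."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotation_handler({"SecretId": "demo/db", "ClientRequestToken": token,
                          "Step": step}, sm, db)
    return sm.version_with_stage("AWSCURRENT")[1]["password"]


if __name__ == "__main__":
    sm = FakeSecretsManager({"username": "app", "password": "old-pw"})
    db = FakeDatabase("app", "old-pw")
    print("rotated to", rotate(sm, db, "v1"))
```

Two properties matter for operations. First, clients that fetch AWSCURRENT keep getting the old password until finishSecret succeeds, so a failure in testSecret (the StuckDatabase case) leaves the application working on the previous credential rather than locked out. Second, every step checks its own state before acting, because Secrets Manager retries a step that errors; a rotation function that is not idempotent will create orphan versions or move labels twice. Parameter Store offers no such hook, which is why "rotation" in a scenario points to Secrets Manager.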
Supporting Services — ACM, Cognito, Firewall Manager, Network Firewall
AWS Certificate Manager (ACM)
ACM issues, manages, and automatically renews free public TLS certificates for use with CloudFront, ALB, API Gateway, and Elastic Beanstalk. Private CA functionality exists for internal PKI but is billed separately.
Amazon Cognito
Cognito provides user identity and authentication for web and mobile apps — user pools (sign-up/sign-in) and identity pools (federated access to AWS). Not in the same tier as IAM; Cognito is for application users, IAM is for AWS principals.
AWS Firewall Manager
Firewall Manager centrally manages WAF rules, Shield Advanced, Security Groups, and Network Firewall policies across an AWS Organization.
AWS Network Firewall
Network Firewall is a managed, stateful firewall deployed at the VPC level, with stateless and stateful rule groups and support for Suricata-compatible IDS/IPS rules. Think of it as a managed IDS/IPS appliance for traffic between VPCs or to the internet.
Security Services vs Governance Services — Scope Boundary
AWS security services (Task 2.4) detect, block, and classify. Governance services (Task 2.2) document, audit, and control policy.
What Belongs in Task 2.4 (Security Services)
GuardDuty, Inspector, Macie, Detective, Shield, WAF, Security Hub, KMS, CloudHSM, Secrets Manager, ACM, Cognito, Firewall Manager, Network Firewall.
What Belongs in Task 2.2 (Governance and Compliance)
AWS Config (configuration recording), AWS Organizations (account structure and SCPs), AWS Control Tower (landing zone), AWS Artifact (compliance reports), AWS Audit Manager (audit workflow), CloudTrail (API audit log), CloudWatch (operational monitoring).
The exam sometimes crosses the line deliberately — questions that mention CloudTrail or Config show up in security scenarios. Remember the rule: if the tool detects or blocks, it is a security service. If the tool records or audits, it is a governance service.
Common Exam Traps — Where Candidates Lose Points
Trap 1 — GuardDuty for EC2 CVEs
Wrong. GuardDuty detects threats by reading logs. It does not scan an EC2 instance for software vulnerabilities. For CVE scanning, you need Inspector.
Trap 2 — Macie for Non-S3 Data
Wrong. Macie only scans Amazon S3. Macie does not scan EFS, EC2 filesystems, DynamoDB, or RDS.
Trap 3 — WAF for L3/L4 DDoS
Wrong. WAF is L7 only. Volumetric L3/L4 DDoS is Shield territory.
Trap 4 — Security Hub Generates Findings
Wrong. Security Hub is an aggregator. It imports findings from GuardDuty, Inspector, Macie, and others — it does not create its own threat findings (it does create compliance-check findings, but exam convention treats Security Hub as the aggregation layer).
Trap 5 — Secrets Manager vs Parameter Store for Rotation
Parameter Store does not natively rotate secrets. If the scenario mentions automatic rotation, pick Secrets Manager.
"Vulnerability" vs "Threat" trap. Candidates often treat these as synonyms, but the CLF-C02 exam uses them strictly. Vulnerability = a static weakness (unpatched CVE, open port). Inspector finds vulnerabilities. Threat = an active attacker behaviour (suspicious login, crypto-mining). GuardDuty detects threats. If the question says "scan for vulnerabilities," pick Inspector. If the question says "detect unusual activity," pick GuardDuty.
Key Numbers and Must-Memorize Facts for AWS Security Services
This is the memorisation block. Expect exam questions that hinge on exactly these numbers.
GuardDuty Facts
Three data sources: CloudTrail, VPC Flow Logs, DNS logs. No agents. 30-day free trial. Region-specific.
Inspector Facts
Three targets: EC2, ECR images, Lambda. Uses Systems Manager agent on EC2. Continuous automated scanning.
Macie Facts
One target: Amazon S3. Uses managed and custom data identifiers. 30-day free trial.
Shield Facts
Standard = free, automatic. Advanced = US$3,000 per month per organisation plus data transfer.
WAF Facts
Attaches to CloudFront, ALB, API Gateway, AppSync (and, beyond the exam, Cognito user pools, App Runner, Verified Access). Not to NLB or EC2 directly.
Security Hub Facts
Normalises to AWS Security Finding Format (ASFF). Runs CIS, PCI DSS, and Foundational Security Best Practices.
KMS and Secrets Manager Facts
KMS = FIPS 140-2 Level 3 multi-tenant. CloudHSM = FIPS 140-2 Level 3 single-tenant. Secrets Manager rotates via Lambda; Parameter Store does not natively rotate.
Defence in Depth = a security architecture that stacks multiple AWS security services so a single failure does not compromise the entire system. Example stack: Shield (L3/L4 flood) + WAF (L7 exploits) + GuardDuty (threat detection) + Inspector (vulnerability scan) + Macie (data classification) + Security Hub (aggregation) + IAM (least privilege) + KMS (encryption). On the CLF-C02 exam, "defence in depth" almost always implies combining AWS security services from different layers rather than relying on any single AWS security service.
AWS Security Services vs Related Concepts — Comparison Table
To cement the differentiation, read this comparison aloud.
Threat vs Vulnerability vs Data
GuardDuty = threat. Inspector = vulnerability. Macie = data. Memorise the object.
Logs vs Machines vs Buckets
GuardDuty watches logs. Inspector scans machines. Macie scans buckets. Different object, different AWS security service.
Edge L4 vs Edge L7
Shield = L3/L4 DDoS. WAF = L7 exploits. Different layer, different AWS security service.
Aggregator vs Investigator
Security Hub = aggregator (many findings, one pane). Detective = investigator (one incident, full graph).
Default Key vs Dedicated HSM
KMS = default managed keys. CloudHSM = dedicated single-tenant hardware. Pick KMS unless compliance requires CloudHSM.
Secrets vs Parameters
Secrets Manager = rotation. Parameter Store = low-cost config. Pick Secrets Manager when rotation is required.
Practice Question Links — Task 2.4 Mapped Exercises
When you are ready for practice, filter the CLF-C02 question bank by topic_slug=security-services-resources. Focus drills should cover:
Drill Set 1 — Three-Way Selection
10 questions forcing you to pick GuardDuty, Inspector, or Macie from ambiguous scenarios. Target 90%+ accuracy before sitting the exam.
Drill Set 2 — Edge Protection
5 questions on Shield Standard vs Shield Advanced vs WAF attachment points. Focus on which AWS security service attaches to which resource.
Drill Set 3 — Aggregation and Investigation
5 questions on Security Hub vs Detective. Memorise the aggregator-vs-investigator split.
Drill Set 4 — Encryption and Secrets
5 questions on KMS vs CloudHSM and Secrets Manager vs Parameter Store. These are the two most consistent AWS security service pairings in Domain 2.
Study order for maximum retention. Candidates who pass report this order works best: 1) Learn the three-way object split (logs/machines/buckets) cold before anything else. 2) Layer Shield and WAF on top. 3) Add Security Hub and Detective as aggregation/investigation. 4) Finish with KMS, Secrets Manager, and Parameter Store. Do not try to learn every service in the Task 2.4 list in one sitting; the three-way trap alone deserves a full study block.
FAQ — AWS Security Services Top Questions
Q1 — Do I need to enable GuardDuty, Inspector, and Macie separately, or does one turn them all on?
You must enable each AWS security service separately, in each region where you want coverage. AWS Organizations helps — you can enable GuardDuty, Inspector, and Macie across every member account from a delegated administrator account, but the decision is per service, per region.
Q2 — If I have Security Hub, do I still need GuardDuty?
Yes. Security Hub is the aggregator and does not generate its own threat-detection findings. Without GuardDuty, Security Hub has no threat data to aggregate. The standard architecture is GuardDuty + Inspector + Macie + Security Hub.
Q3 — Which AWS security services are free?
Shield Standard is always free. Trusted Advisor core checks are free. Most other AWS security services (GuardDuty, Inspector, Macie, Security Hub, WAF, Shield Advanced, customer managed KMS keys, Secrets Manager, CloudHSM) cost money, though GuardDuty, Inspector, Macie, and Security Hub each offer a 30-day free trial when first enabled.
Q4 — Macie only works with S3 — so how do I scan sensitive data in RDS or EFS?
Macie is S3-only. For RDS, the AWS-native route is to export a database snapshot to S3 and let Macie scan the exported files; for live auditing you rely on database-level features (enhanced monitoring, database activity streams) plus CloudTrail. For EFS, there is no AWS-native PII scanner: you use third-party tools or copy data to S3 for Macie to scan. The exam will not deep-dive this, but remember: Macie = S3 only.
Q5 — What is the difference between Shield Standard and Shield Advanced on the exam?
Standard = free, automatic, L3/L4, common attacks. Advanced = US$3,000/month per organisation, 24/7 Shield Response Team, cost protection, unlimited WAF, and L7 attack support. Scenario cue: "cost protection during a DDoS" = Shield Advanced.
Q6 — When do I choose CloudHSM over KMS?
Default is always KMS. Choose CloudHSM only when compliance (FIPS 140-2 Level 3 single-tenant, certain financial or government workloads) explicitly requires dedicated hardware modules. CloudHSM is more expensive and operationally heavier — you manage the cluster.
Q7 — AWS Config vs Security Hub — which one do I pick?
Config records configuration changes of AWS resources over time (governance). Security Hub aggregates security findings and compliance scores (security). They integrate: Security Hub consumes Config conformance pack findings. On the exam, if the question says "track configuration changes," pick Config. If the question says "centralise security findings," pick Security Hub.
Q8 — Can I use AWS WAF with any Load Balancer?
No. WAF attaches to Application Load Balancer (ALB), CloudFront, API Gateway, and AppSync (plus Cognito user pools, App Runner, and Verified Access outside the exam's scope). Network Load Balancer (NLB) does not support WAF because NLB forwards at L4 and never parses the HTTP request that WAF rules inspect; Classic Load Balancer is not supported either.
Further Reading — Official AWS Documentation for Security Services
For depth beyond CLF-C02 scope, the following AWS security service guides are the authoritative sources: GuardDuty User Guide, Inspector User Guide, Macie User Guide, Detective User Guide, Shield Developer Guide, WAF Developer Guide, Security Hub User Guide, KMS Developer Guide, Secrets Manager User Guide. Bookmark these but do not try to read them end-to-end — for CLF-C02 you only need the "What is ..." and "Use cases" pages for each AWS security service.
The AWS Security Blog (aws.amazon.com/blogs/security) publishes weekly deep-dives that accelerate understanding of how these AWS security services work together. The AWS Well-Architected Security Pillar whitepaper anchors the best-practice thinking behind the entire Domain 2 — mandatory reading.
Summary — AWS Security Services Cheat Sheet
On exam day, when you see a security scenario, run this decision path in your head:
- What object is in the scenario? Log, machine, bucket, request, key, secret, or finding?
- Logs (CloudTrail, VPC Flow, DNS) → GuardDuty.
- Machines (EC2, Lambda, container image) → Inspector.
- Buckets (S3 with PII) → Macie.
- Request (HTTP/HTTPS, L7) → WAF.
- Flood (L3/L4 volumetric) → Shield.
- Finding aggregation → Security Hub. Incident graph → Detective.
- Encryption key → KMS (default) or CloudHSM (regulated).
- Rotating secret → Secrets Manager. Static config → Parameter Store.
Master these nine branches and you will answer every AWS security services question on Task 2.4 correctly. AWS security services reward recognition more than reasoning — study the objects, and the right AWS security service will always fall out.