Organizations are moving to the cloud fast, and the cloud has a great deal to offer. With that move comes the job of securing your cloud environment.
A Cloud Service Provider (CSP) usually offers its customers a set of managed security services to safeguard their environment from threats. These help customers detect an attack early and reduce the chance of being compromised.
Security and AWS
Security in AWS is "job zero", the highest-priority task. It is a shared responsibility between AWS and the customer: security "of" the cloud (the underlying hardware, network and managed services) is AWS's responsibility, whereas security "in" the cloud (what you configure, deploy and run on it) is yours.
Like other cloud service providers, Amazon offers a wide range of security services to improve the security posture of your AWS environment. Check out the official AWS Security Services page for an overview of what is available.
Today we will discuss two important AWS security services that make your cloud environment more secure and robust:
- Amazon GuardDuty
- Amazon Inspector
GuardDuty is one of my favorite AWS managed security services. It is an intelligent threat detection service that continuously monitors your AWS accounts and workloads for malicious or unusual activity. Each finding it raises carries a finding type and a severity, and those findings are the starting point for response: based on them you can set up automated preventive actions or remediation.
Let's see a few highlights of GuardDuty:
- It is a regional service – you enable it per region and it operates at region level
- It is a single-click service – no additional software or agents to install
- It starts analysing as soon as it is enabled – it does not look back at historical data, so enable it early rather than after an incident
- It looks for reconnaissance activity, compromised accounts or instances, and other unusual behavior
It continuously monitors your entire AWS account, combining machine learning, anomaly detection and threat intelligence feeds with log data to discover threats in the anomalous behavior of your AWS accounts.
It automatically consumes the following log sources (you do not have to enable or ship these logs yourself; GuardDuty reads them through its own stream) and analyses billions of events, which lets you wire up automated remediation to safeguard your AWS accounts and workloads:
- CloudTrail management events
- CloudTrail S3 data events
- VPC Flow Logs
- DNS logs
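The remediation pattern described above (a GuardDuty finding arrives as an EventBridge event, a Lambda function decides and acts) is what the following example demonstrates. It is an added example, not code from the original post or from AWS. The triage logic is pure and runs offline; the function that acts takes the EC2 and IAM clients as parameters, so it runs here with a recording fake and in a Lambda with real boto3 clients. The event layout mirrors the GuardDuty EventBridge event (the finding sits under `detail`) and the Low/Medium/High bands are the documented severity ranges; the quarantine security-group ID, the "act only on High" threshold and the three sample findings are assumptions constructed for the example.

```python
"""Automated response to Amazon GuardDuty findings.

Added example, not code from the original post or from AWS. GuardDuty only
detects; the common pattern is an EventBridge rule on "GuardDuty Finding"
events that invokes a Lambda function, which then contains the resource.
triage() is pure and can be tested offline; apply_action() takes the AWS
clients as parameters so it can be exercised with a fake client here and
with real boto3 clients in a Lambda. The event shape mirrors the GuardDuty
EventBridge event (finding under "detail"); the severity bands are the
documented ones (Low 1-3.9, Medium 4-6.9, High 7-8.9). QUARANTINE_SG, the
auto-contain threshold and the sample findings are assumptions/constructed.
"""
from dataclasses import dataclass

QUARANTINE_SG = "sg-0123456789abcdef0"  # assumed: a security group with no rules at all
AUTO_CONTAIN_AT = 7.0                   # assumed policy: act unattended on High findings only


@dataclass
class Action:
    kind: str            # "isolate_instance" | "disable_access_key" | "notify_only"
    target: str          # instance ID, access key ID, or finding ID
    finding_type: str
    severity_label: str


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to the Low/Medium/High label shown in the console."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(event: dict) -> Action:
    """Decide what to do with one finding. Only high-severity findings on a
    concrete resource are contained automatically; everything else is reported."""
    f = event["detail"]
    score = float(f["severity"])
    label = severity_label(score)
    res = f.get("resource", {})
    rtype = res.get("resourceType")
    if score >= AUTO_CONTAIN_AT and rtype == "Instance":
        return Action("isolate_instance", res["instanceDetails"]["instanceId"], f["type"], label)
    if score >= AUTO_CONTAIN_AT and rtype == "AccessKey":
        return Action("disable_access_key", res["accessKeyDetails"]["accessKeyId"], f["type"], label)
    return Action("notify_only", f["id"], f["type"], label)


def apply_action(action: Action, event: dict, ec2, iam) -> dict:
    """Carry out the action with boto3-style EC2/IAM clients (real or fake)."""
    if action.kind == "isolate_instance":
        # Replace the instance's security groups with the empty quarantine group:
        # attacker connections are cut, but the instance is kept for forensics.
        return ec2.modify_instance_attribute(InstanceId=action.target, Groups=[QUARANTINE_SG])
    if action.kind == "disable_access_key":
        user = event["detail"]["resource"]["accessKeyDetails"]["userName"]
        # Deactivate rather than delete, so the key can be investigated and restored if needed.
        return iam.update_access_key(UserName=user, AccessKeyId=action.target, Status="Inactive")
    return {"notified": action.target}


class RecordingClient:
    """Stand-in for a boto3 client: records every call instead of hitting AWS."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {"called": name, **kwargs}
        return method


SAMPLE_EVENTS = [  # constructed; shaped like GuardDuty EventBridge events, not real findings
    {"detail": {"id": "finding-1", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0abc123def456789a"}}}},
    {"detail": {"id": "finding-2",
                "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
                "severity": 8.0,
                "resource": {"resourceType": "AccessKey",
                             "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                                  "userName": "app-deployer"}}}},
    {"detail": {"id": "finding-3", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0abc123def456789a"}}}},
]


def run_demo(ec2=None, iam=None):
    """Triage and apply every sample event; returns (action, client result) pairs."""
    ec2 = RecordingClient() if ec2 is None else ec2
    iam = RecordingClient() if iam is None else iam
    results = []
    for ev in SAMPLE_EVENTS:
        action = triage(ev)
        results.append((action, apply_action(action, ev, ec2, iam)))
    return results


if __name__ == "__main__":
    for action, result in run_demo():
        print(f"{action.finding_type} [{action.severity_label}] -> {action.kind} {action.target}: {result}")
```

Two design choices are worth noting. The first sample finding is DNS-based, which is only possible because GuardDuty reads the DNS log source listed above; without it a crypto-miner that never trips a flow-log rule would go unnoticed. Second, containment deliberately stops short of destruction: swapping security groups and deactivating (not deleting) the key cut off the attacker while leaving the evidence intact for the incident responder.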
Amazon Inspector is an automated vulnerability management service. It discovers your EC2 instances and container images, checks them for unintended network exposure and for known vulnerabilities in the software running on them, and keeps scanning so that new loopholes are reported as they appear.
Let's see a few highlights of Inspector:
- Regional in scope – confined to a single region
- Checks the network exposure of your EC2 instances
- Also checks the security state of the applications and packages running on your EC2 instances
- Optionally install the agent on EC2 instances for agent-based scanning
- Scans can be run ad hoc or on a schedule, for example to catch configuration drift
To inventory the packages and package versions installed on your EC2 instances, Inspector relies on the SSM Agent, so the instance must be running the agent and have an instance profile that lets it register with Systems Manager.
Supported scan types and rulesets in Inspector
Amazon Inspector can scan either EC2 instances or ECR container images. It looks for software vulnerabilities and unintended network exposure. In addition, Inspector uses different rulesets to scope what a scan checks:
- CVE (Common Vulnerabilities and Exposures) checks against known vulnerabilities in installed packages
- CIS Benchmark checks for the operating-system configuration of EC2 instances
- Security best-practice rules, such as flagging ports reachable from outside your network
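The scan types above produce a stream of findings, and the practical question is which ones to fix first and which ones a later rescan has already closed. The following example, added here and not code from the original post or from AWS, ranks a batch of Inspector findings (CVE findings on an ECR image and on EC2 instances, plus a network-exposure finding) by severity and fix availability, and counts open versus closed findings per resource. The finding dictionaries are constructed to mimic the Inspector2 ListFindings item shape, with the resource identifiers made up for the example; the CVE IDs and package versions are real, but the findings are not real scan output.

```python
"""Ranking Amazon Inspector findings for remediation.

Added example, not code from the original post or from AWS. Inspector
produces two kinds of findings for EC2 instances and ECR images:
PACKAGE_VULNERABILITY (a CVE in an installed package) and
NETWORK_REACHABILITY (a port open and reachable from outside). Each finding
has a status (ACTIVE, SUPPRESSED or CLOSED) and package findings say whether
a fixed version exists. The helpers below rank the open findings so patching
goes to fixable CRITICAL/HIGH issues first, and count per resource how many
findings a rescan has already closed. The finding dicts are constructed to
mimic the Inspector2 ListFindings item shape; they are not real scan output.
"""
from collections import Counter, defaultdict

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "INFORMATIONAL": 0, "UNTRIAGED": 0}
FIX_RANK = {"YES": 2, "PARTIAL": 1, "NO": 0}

IMAGE = "arn:aws:ecr:eu-west-1:111122223333:repository/app/sha256:0123abcd"  # constructed
WEB_INSTANCE = "i-0abc123def456789a"   # constructed
DB_INSTANCE = "i-0fedcba9876543210"    # constructed

SAMPLE_FINDINGS = [  # constructed sample data
    {"type": "PACKAGE_VULNERABILITY", "severity": "CRITICAL", "status": "ACTIVE",
     "fixAvailable": "YES", "inspectorScore": 10.0,
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-2021-44228",
         "vulnerablePackages": [{"name": "log4j-core", "version": "2.14.1",
                                 "fixedInVersion": "2.17.1"}]},
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": IMAGE}]},
    {"type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "status": "ACTIVE",
     "fixAvailable": "YES", "inspectorScore": 7.5,
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-2022-0778",
         "vulnerablePackages": [{"name": "openssl", "version": "1.1.1k",
                                 "fixedInVersion": "1.1.1n"}]},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": WEB_INSTANCE}]},
    {"type": "PACKAGE_VULNERABILITY", "severity": "HIGH", "status": "CLOSED",  # patched, rescan closed it
     "fixAvailable": "YES", "inspectorScore": 7.5,
     "packageVulnerabilityDetails": {
         "vulnerabilityId": "CVE-2022-0778",
         "vulnerablePackages": [{"name": "openssl", "version": "1.1.1k",
                                 "fixedInVersion": "1.1.1n"}]},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": DB_INSTANCE}]},
    {"type": "NETWORK_REACHABILITY", "severity": "MEDIUM", "status": "ACTIVE",
     "networkReachabilityDetails": {"protocol": "TCP",
                                    "openPortRange": {"begin": 22, "end": 22}},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": WEB_INSTANCE}]},
]


def resource_id(finding: dict) -> str:
    return finding["resources"][0]["id"]


def describe(finding: dict) -> str:
    """One-line description of what the finding is about."""
    if finding["type"] == "PACKAGE_VULNERABILITY":
        d = finding["packageVulnerabilityDetails"]
        pkgs = ", ".join(
            f"{p['name']} {p['version']}"
            + (f" -> {p['fixedInVersion']}" if p.get("fixedInVersion") else "")
            for p in d["vulnerablePackages"])
        return f"{d['vulnerabilityId']} ({pkgs})"
    d = finding["networkReachabilityDetails"]
    r = d["openPortRange"]
    ports = str(r["begin"]) if r["begin"] == r["end"] else f"{r['begin']}-{r['end']}"
    return f"{d['protocol']} port {ports} open and reachable"


def prioritize(findings):
    """ACTIVE findings, most urgent first: severity, then whether a fix exists, then score.
    Network findings carry no fixAvailable field, so they rank below fixable CVEs of equal severity."""
    open_findings = [f for f in findings if f["status"] == "ACTIVE"]
    open_findings.sort(
        key=lambda f: (SEVERITY_RANK[f["severity"]],
                       FIX_RANK.get(f.get("fixAvailable"), 0),
                       f.get("inspectorScore", 0.0)),
        reverse=True)
    return [(resource_id(f), f["severity"], f.get("fixAvailable", "N/A"), describe(f))
            for f in open_findings]


def status_by_resource(findings):
    """Per resource: how many findings are still open and how many a rescan has closed."""
    counts = defaultdict(Counter)
    for f in findings:
        counts[resource_id(f)][f["status"]] += 1
    return {rid: dict(c) for rid, c in counts.items()}


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(row)
    print(status_by_resource(SAMPLE_FINDINGS))
```

Feeding this the real `list_findings` output from the Inspector2 API is a matter of replacing `SAMPLE_FINDINGS` with the `findings` list from the response; the CLOSED entry shows what you see after patching openssl on one instance and letting Inspector rescan it, while the identical ACTIVE finding on the other instance is still open and therefore still in the priority list.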
Difference between Amazon GuardDuty vs. Inspector
| Criteria | Amazon GuardDuty | Amazon Inspector |
|---|---|---|
| Purpose | Monitors and protects your AWS accounts using intelligent threat detection | Automated, continuous vulnerability management for EC2 instances and ECR images in your AWS account |
| Free trial | 30 days free | 15 days free |
| Agent installation | Single click to turn on; no agent installation required | EC2 instances may need the agent installed for agent-based scanning |
| Use cases | Understand from the event details what exactly is happening while your AWS services run; analyze the gathered logs during a cyber threat or attack to eliminate any major risk | Check for open weaknesses and security loopholes; check whether security risks have been remediated or are still open |
Which One Should You Choose?
As we saw, GuardDuty is there to protect your AWS account as a whole, whereas Inspector is made specifically for vulnerability management of EC2 instances and ECR images.
So, depending on your use case, you might choose either one or both to strengthen the overall security posture of your environment.
A general rule of thumb:
- Running EC2 instances or ECR repositories? Use GuardDuty + Inspector
- No EC2/ECR workloads? Use GuardDuty on its own
In this post we looked at Amazon GuardDuty and Amazon Inspector and compared the two.
We learnt that Amazon GuardDuty is an intelligent threat detection service that helps you protect your AWS account, whereas Amazon Inspector provides vulnerability management for your EC2 workloads and ECR (Elastic Container Registry) images.
Both are managed security services and play a key role in securing your AWS cloud environment. Using the two in combination is advisable for a better security posture: one tells you where you are exposed before an attacker arrives, the other tells you when an attacker has arrived.
I hope this gives you a basic idea of both services. If you have any doubts, feel free to drop a comment.