DEV Community

Levi C.
[SAA-C03 Cheat Sheet]: Choosing Between Amazon Macie, Inspector, or GuardDuty.

Perhaps, like me, you've already studied each of these AWS security services and have a basic grasp of what they do. However, when confronted with a specific scenario threatening your application, things start to get a little fuzzy. Don't worry. You're in the right place.

Let’s get the ball rolling with a little review. Macie scans S3 for vulnerabilities, Inspector scans running applications in EC2, and GuardDuty is kind of like a firewall. Ready to sit the exam? Me neither.

sips coffee, adjusts light-bar, puts gamer throne into forward position

Take a look at this basic comparison table:

| | Macie | Inspector | GuardDuty |
|---|---|---|---|
| Primary Focus | Data security and privacy | Vulnerability management | Threat detection |
| Data Source | S3 | EC2, ECR, Lambda | CloudTrail, VPC Flow Logs, DNS logs |
| Analysis | ML for data classification | Automated scanning | ML and anomaly detection |

In other words,

• Macie specializes in scanning S3 for unencrypted data and for sensitive information such as credit card numbers, social security numbers, API keys, or other personal information.

• Inspector scans your infrastructure for weaknesses, such as open ports, outdated packages that require updating, and other deviations from best practices.

• GuardDuty keeps an active lookout for incoming threats by analyzing traffic and looking for anything suspicious.

When analyzing the exam question, pay attention to keywords that correspond with the data source and primary focus of the security concern.

Be mindful that the exam is likely to contain DISTRACTORS, that is, keywords that are specifically intended to throw off the exam candidate. DON'T focus on single keywords; use the keywords to infer WHERE in the application the vulnerability lies.

• Macie focuses on the storage layer.

• Inspector focuses on the application layer.

• GuardDuty focuses on the network layer.

Let's look at three hypothetical examples:

EXAMPLE 1:

You are a solutions architect working for an e-commerce startup. The company has a three-tier application, with EC2 and RDS in private subnets and an ALB in a public subnet. Compliance regulations require that credit card information be removed from receipts in S3 before the data is moved to Glacier for long-term record keeping. How can you ensure that compliance is being met?

A. Implement Amazon Macie to scan S3 buckets.

B. Use Amazon Inspector to identify software vulnerabilities that could leak credit card numbers.

C. Set up Amazon GuardDuty to identify financial information going in or out of the VPC.

D. Configure WAF to block traffic between EC2 and S3, thus preventing the transit of personal information.

CORRECT ANSWER:
We can easily dismiss option D because WAF intercepts traffic before it reaches the load balancer, not between application layers. While the question does mention EC2 and RDS, we need to focus on checking compliance, so option B is out. Finally, we can dismiss option C because we are not monitoring traffic. That leaves option A: Macie scans S3 for personal information, which is exactly the check the regulation demands.
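To make the storage-layer check concrete, here is an added example (my own illustration, not code from AWS or from Macie) of what a sensitive-data scan over receipt objects boils down to: find digit runs that look like card numbers, keep only those that pass the Luhn checksum so that order references of the same length are not flagged, and redact what remains before the objects are archived. The bucket contents, object keys and receipt text are constructed for the example, and the card numbers are the public Visa/Mastercard test numbers.

```python
import re
from typing import Dict, List

# Constructed stand-in for the contents of an S3 receipts bucket (object key -> text).
# The card numbers are public test numbers, not real accounts.
RECEIPTS: Dict[str, str] = {
    "receipts/2024/order-1001.txt": "Order 1001 paid with card 4111 1111 1111 1111, total $42.00",
    "receipts/2024/order-1002.txt": "Order 1002 paid with card ending **** 0004, total $19.99",
    "receipts/2024/order-1003.txt": "Order 1003 ref 1234567890123456 paid by bank transfer",
    "receipts/2024/order-1004.txt": "Order 1004 paid with card 5500000000000004, total $7.50",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (digits of the
    product summed), and the grand total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return digit strings that look like card numbers AND pass Luhn.
    The Luhn step separates a real PAN from an order reference of the same length."""
    found = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_bucket(objects: Dict[str, str]) -> Dict[str, int]:
    """Map each object that still holds card numbers to how many it holds.
    An empty result means the set is clear to transition to Glacier."""
    findings = {}
    for key, body in objects.items():
        hits = find_card_numbers(body)
        if hits:
            findings[key] = len(hits)
    return findings


def redact_card_numbers(text: str) -> str:
    """Replace each detected PAN with a marker that keeps only the last four digits."""
    def _mask(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number, leave the reference alone
        return "[PAN REDACTED, ending " + digits[-4:] + "]"
    return CANDIDATE_PAN.sub(_mask, text)


if __name__ == "__main__":
    for key, count in scan_bucket(RECEIPTS).items():
        print(f"{key}: {count} card number(s) still present")
    cleaned = {k: redact_card_numbers(v) for k, v in RECEIPTS.items()}
    print("after redaction:", scan_bucket(cleaned))
```

Run it and only order-1001 and order-1004 are reported; order-1003 carries a 16-digit reference that fails Luhn, which is the kind of false positive a plain regex would flag. Macie's managed data identifiers apply the same idea with far richer context rules; this block is only the shape of the check.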

EXAMPLE 2:

An organization has recently migrated its Oracle database to Amazon RDS using AWS Database Migration Service. The organization still maintains on-premises hardware that connects to AWS through Direct Connect VPC peering. Recently, unauthorized API calls have been made to the RDS database. As the solutions architect, how can you track and analyze these unauthorized calls?

A. Implement Amazon Macie to scan the storage layer.

B. Use Amazon Inspector to identify open ports in the hybrid architecture.

C. Set up Amazon GuardDuty to identify suspicious activity.

D. Configure WAF to block all API calls from the public internet.

CORRECT ANSWER: While option B sounds like a solid answer, the question is specifically about how to track and analyze suspicious activity, not about scanning for vulnerabilities. This also eliminates option A. While option D might stop unauthorized access, it doesn't help us track or analyze anything. The only answer is option C. GuardDuty continuously analyzes CloudTrail events, VPC Flow Logs and DNS logs for suspicious activity, which is exactly the tracking and analysis the question asks for.
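To show what "analyze the CloudTrail data source" means in practice, here is an added example (my own, not GuardDuty's logic and not an AWS API) that runs two simple detections over constructed CloudTrail-style records: RDS API calls from a source address outside the trusted on-premises and office ranges, and a principal racking up repeated AccessDenied errors against RDS. The account id, ARNs, addresses, CIDR ranges and the finding type names are all made up for the illustration; GuardDuty's real finding types are different.

```python
import ipaddress
import json
from collections import Counter
from typing import Dict, List

# Constructed CloudTrail-style records. Field names follow the CloudTrail record format;
# the account id, ARNs and addresses are invented (198.51.100.0/24 is a documentation range).
CLOUDTRAIL_EVENTS: List[Dict] = json.loads("""
[
 {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
  "sourceIPAddress": "10.20.5.14",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dba-ops"}},
 {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
  "sourceIPAddress": "198.51.100.77", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}},
 {"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBSnapshot",
  "sourceIPAddress": "198.51.100.77", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}},
 {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
  "sourceIPAddress": "198.51.100.77", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}},
 {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
  "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}},
 {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot",
  "sourceIPAddress": "rds.amazonaws.com",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/rds-backup"}},
 {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}}
]
""")

# Constructed: the on-premises range reached over Direct Connect, plus the office egress block.
TRUSTED_CIDRS = ["10.20.0.0/16", "203.0.113.0/24"]


def source_is_trusted(source: str, cidrs: List[str]) -> bool:
    """True for addresses inside a trusted range. CloudTrail records an AWS service DNS
    name in sourceIPAddress for service-initiated calls; those are not flagged here."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def analyze_rds_api_calls(events: List[Dict], cidrs: List[str],
                          denied_threshold: int = 3) -> List[Dict]:
    """Two detections over RDS control-plane events:
    1. a successful call from an address outside the trusted ranges;
    2. one principal hitting AccessDenied at least denied_threshold times."""
    findings: List[Dict] = []
    denied_by_principal: Counter = Counter()
    for e in events:
        if e.get("eventSource") != "rds.amazonaws.com":
            continue
        principal = e.get("userIdentity", {}).get("arn", "unknown")
        if e.get("errorCode") == "AccessDenied":
            denied_by_principal[principal] += 1
        elif not source_is_trusted(e.get("sourceIPAddress", ""), cidrs):
            findings.append({"type": "RdsApiCallFromUntrustedSource", "principal": principal,
                             "eventName": e["eventName"], "sourceIPAddress": e["sourceIPAddress"]})
    for principal, count in denied_by_principal.items():
        if count >= denied_threshold:
            findings.append({"type": "RepeatedRdsAccessDenied", "principal": principal, "count": count})
    return findings


if __name__ == "__main__":
    for f in analyze_rds_api_calls(CLOUDTRAIL_EVENTS, TRUSTED_CIDRS):
        print(f)
```

The point the exam is probing is the data source: nothing in this block touches a packet. It reads the API audit trail, correlates calls by principal and source, and produces findings an analyst can act on, which is the "track and analyze" capability WAF (option D) cannot offer.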

EXAMPLE 3:

A company has a legacy application running on a fleet of EC2 instances. The software packages cannot be upgraded, and the application must be kept isolated from other services. It is necessary to ensure that package versions do not change, and to detect it quickly if they do. Which AWS service can help the cloud engineer prevent a future application crash?

A. Search AWS Marketplace to purchase an AMI with the most recent updates.

B. Set up Amazon GuardDuty to detect incoming OS updates.

C. Use Amazon Inspector to scan EC2 for correct package versions.

D. Implement Amazon Macie to scan and detect API keys being used to access OS updates.

CORRECT ANSWER: Amazon Inspector is best suited for scanning package versions and ensuring that the legacy application stays consistent and stable. The answer is C.
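Here is an added example (mine, not Inspector's implementation) of the application-layer check the scenario is really asking for: take a pinned baseline of package versions for the legacy fleet, parse a `dpkg -l` style inventory from an instance, and report anything that drifted, whether a pinned package changed version, went missing, or a package appeared that the baseline never approved. The baseline, package names and version strings are constructed for the illustration.

```python
from typing import Dict, List

# Constructed approved baseline for the legacy fleet: package -> pinned version.
APPROVED_BASELINE: Dict[str, str] = {
    "libc6": "2.31-0ubuntu9.9",
    "openssl": "1.1.1f-1ubuntu2.16",
    "legacy-app": "3.2.0",
}

# Constructed `dpkg -l`-style inventory captured from one instance in the fleet.
INSTANCE_INVENTORY = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name        Version              Architecture Description
+++-===========-====================-============-=================
ii  libc6       2.31-0ubuntu9.9      amd64        GNU C Library
ii  openssl     1.1.1f-1ubuntu2.20   amd64        Secure Sockets Layer toolkit
ii  legacy-app  3.2.0                amd64        Vendor application (unsupported)
ii  curl        7.68.0-1ubuntu2.18   amd64        command line tool for transferring data
"""


def parse_dpkg_list(text: str) -> Dict[str, str]:
    """Pick installed packages (status column 'ii') out of dpkg -l output,
    skipping the header lines, and return package -> version."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            installed[parts[1]] = parts[2]
    return installed


def detect_drift(baseline: Dict[str, str], installed: Dict[str, str]) -> List[Dict[str, str]]:
    """Compare an instance inventory against the pinned baseline. Every difference is a
    finding: a pinned package at another version, a pinned package gone, or an extra package."""
    findings: List[Dict[str, str]] = []
    for pkg, expected in baseline.items():
        actual = installed.get(pkg)
        if actual is None:
            findings.append({"package": pkg, "kind": "missing", "expected": expected, "actual": ""})
        elif actual != expected:
            findings.append({"package": pkg, "kind": "version_changed", "expected": expected, "actual": actual})
    for pkg, actual in installed.items():
        if pkg not in baseline:
            findings.append({"package": pkg, "kind": "unexpected_package", "expected": "", "actual": actual})
    return findings


def fleet_is_stable(baseline: Dict[str, str], inventory_text: str) -> bool:
    """True only when an instance matches the baseline exactly."""
    return not detect_drift(baseline, parse_dpkg_list(inventory_text))


if __name__ == "__main__":
    for f in detect_drift(APPROVED_BASELINE, parse_dpkg_list(INSTANCE_INVENTORY)):
        print(f"{f['kind']:18} {f['package']:12} expected={f['expected'] or '-'} actual={f['actual'] or '-'}")
```

Against the constructed inventory this flags openssl (the pinned version moved) and curl (never in the baseline), while libc6 and legacy-app are silent. Inspector reports the same class of fact from its own inventory of the instance, which is why it is the service that answers a "detect version changes quickly" question rather than GuardDuty or Macie.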

To summarize, memorizing the basic AWS services alone is not enough to pass the SAA-C03 exam. Exam candidates must demonstrate knowledge of how specific services are used and configured in realistic scenarios.

So where to go from here? Why not write your own exam questions and tag me?

dislodges self from gamer throne to groom neckbeard
