AWS Security Service Integration - Native Threat Detection from GuardDuty to Detective Without a SIEM
We explain the native threat detection mechanism through the integration of GuardDuty, Security Hub, Detective, and Macie, and compare the design philosophy differences with Azure Sentinel.
The Design Philosophy of Native Integration
AWS's security service suite is not a collection of individual tools but is designed from the outset for mutual integration. GuardDuty detects threats, Security Hub aggregates and prioritizes those findings, Detective investigates root causes, and Macie identifies where sensitive data resides. This entire flow is completed using only AWS native services. In traditional on-premises environments, multiple security tools had to be integrated around a SIEM (Security Information and Event Management). Log collection, normalization, correlation analysis, alert generation, and incident investigation each required different tools, and custom development was essential to connect them. AWS's native integration dramatically reduces this integration cost. Each service exchanges data in a common format, the AWS Security Finding Format (ASFF), so inter-service integration needs no additional configuration or custom development.
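The ASFF record is what makes the "no custom glue" claim work, so the following added example (not code from the page or from AWS) shows the shape of a finding and the two things every consumer of ASFF does: check the required attributes and rank findings on the normalized 0-100 severity scale. The findings, account id, ARNs and ids are constructed placeholders; the required-attribute list and the label-to-normalized bands follow the ASFF specification as I know it.

```python
"""Consuming AWS Security Finding Format (ASFF) records.

Added example: the findings below are constructed placeholders shaped like
what GuardDuty and Macie forward to Security Hub; the account id, ARNs and
finding ids are made up.
"""

# Top-level ASFF attributes that Security Hub requires on every finding.
REQUIRED_FIELDS = (
    "AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id",
    "ProductArn", "Resources", "SchemaVersion", "Severity", "Title",
    "Types", "UpdatedAt",
)

# Lower bound of each label's band on the 0-100 normalized scale; used as a
# fallback when a producer sends only Severity.Label.
LABEL_FLOOR = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 40, "HIGH": 70, "CRITICAL": 90}

ACCOUNT = "111122223333"  # placeholder account id

SAMPLE_FINDINGS = [
    {   # constructed GuardDuty-style finding with a full Severity block
        "SchemaVersion": "2018-10-08",
        "Id": f"arn:aws:guardduty:ap-northeast-1:{ACCOUNT}:detector/example/finding/f-001",
        "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/guardduty",
        "GeneratorId": f"arn:aws:guardduty:ap-northeast-1:{ACCOUNT}:detector/example",
        "AwsAccountId": ACCOUNT,
        "Types": ["TTPs/Initial Access/UnauthorizedAccess"],
        "CreatedAt": "2024-05-01T09:00:00Z",
        "UpdatedAt": "2024-05-01T09:05:00Z",
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "Title": "API call from an IP on a threat list",
        "Description": "Constructed sample finding.",
        "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE"}],
    },
    {   # constructed Macie-style finding that carries only a Label
        "SchemaVersion": "2018-10-08",
        "Id": f"arn:aws:macie:ap-northeast-1:{ACCOUNT}:finding/f-002",
        "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/macie",
        "GeneratorId": "aws/macie/sensitive-data-discovery",
        "AwsAccountId": ACCOUNT,
        "Types": ["Sensitive Data Identifications/PII"],
        "CreatedAt": "2024-05-01T08:00:00Z",
        "UpdatedAt": "2024-05-01T08:00:00Z",
        "Severity": {"Label": "MEDIUM"},
        "Title": "Sensitive data found in an unencrypted bucket",
        "Description": "Constructed sample finding.",
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::finance-exports-example"}],
    },
    {   # constructed Inspector-style informational finding
        "SchemaVersion": "2018-10-08",
        "Id": f"arn:aws:inspector2:ap-northeast-1:{ACCOUNT}:finding/f-003",
        "ProductArn": "arn:aws:securityhub:ap-northeast-1::product/aws/inspector",
        "GeneratorId": "aws/inspector/example",
        "AwsAccountId": ACCOUNT,
        "Types": ["Software and Configuration Checks/Vulnerabilities"],
        "CreatedAt": "2024-05-01T07:00:00Z",
        "UpdatedAt": "2024-05-01T07:00:00Z",
        "Severity": {"Label": "INFORMATIONAL", "Normalized": 0},
        "Title": "Package inventory refreshed",
        "Description": "Constructed sample finding.",
        "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example"}],
    },
    {   # malformed: no Title and no Resources, so Security Hub would reject it
        "SchemaVersion": "2018-10-08",
        "Id": "bad-001",
        "ProductArn": f"arn:aws:securityhub:ap-northeast-1:{ACCOUNT}:product/{ACCOUNT}/default",
        "GeneratorId": "custom/example",
        "AwsAccountId": ACCOUNT,
        "Types": ["Software and Configuration Checks/Vulnerabilities"],
        "CreatedAt": "2024-05-01T06:00:00Z",
        "UpdatedAt": "2024-05-01T06:00:00Z",
        "Severity": {"Label": "CRITICAL"},
        "Description": "Constructed malformed finding.",
    },
]


def missing_fields(finding):
    """Return the required ASFF attributes absent from a finding."""
    return [f for f in REQUIRED_FIELDS if f not in finding]


def normalized_severity(finding):
    """Prefer Severity.Normalized (0-100); fall back to the label's band floor."""
    sev = finding.get("Severity", {})
    if "Normalized" in sev:
        return int(sev["Normalized"])
    return LABEL_FLOOR.get(str(sev.get("Label", "")).upper(), 0)


def prioritize(findings):
    """Drop malformed findings, then order by descending severity with the
    most recently updated first among equals. Returns (Id, score) pairs."""
    valid = [f for f in findings if not missing_fields(f)]
    valid.sort(key=lambda f: f["UpdatedAt"], reverse=True)   # stable sorts:
    valid.sort(key=normalized_severity, reverse=True)        # severity wins
    return [(f["Id"], normalized_severity(f)) for f in valid]


if __name__ == "__main__":
    for fid, score in prioritize(SAMPLE_FINDINGS):
        print(score, fid)
```

The malformed record is the case worth noticing: a producer that omits a required attribute does not get a low-priority alert, it gets no alert at all, so a custom integration that emits ASFF should validate before calling BatchImportFindings.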
GuardDuty - Continuous Threat Detection with Machine Learning
GuardDuty is a managed threat detection service that automatically analyzes VPC Flow Logs, CloudTrail management events, and DNS logs to detect malicious activity. Activation is completed with a single click, requiring no agent installation or log forwarding configuration. GuardDuty's detection accuracy is powered by AWS's massive threat intelligence and machine learning models. Beyond detecting communication with known malicious IP addresses and domains, it uses machine learning to detect unusual API call patterns and abnormal data transfer volumes. For example, if an IAM user who normally only operates in the Tokyo Region suddenly launches a large number of EC2 instances in the Virginia Region, GuardDuty detects this as anomalous. In 2023, EKS Runtime Monitoring was added, and in 2024, Malware Protection for S3 was introduced, expanding detection coverage to include container workloads and malware within storage.
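The Tokyo-to-Virginia scenario is a behavioural baseline check, and the following added example (constructed CloudTrail-shaped events, placeholder account id and principal ARNs; this is my simplified stand-in, not GuardDuty's actual model, which is not public) shows the mechanics: learn the regions each principal normally works in, then flag a burst of RunInstances calls in a region that principal has never used.

```python
"""Toy behavioural baseline in the spirit of GuardDuty's anomaly detection.

Added example: the CloudTrail-shaped events are constructed, the account id
and principal ARNs are placeholders, and the baselining is a simplified
stand-in for GuardDuty's own models.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ACCOUNT = "111122223333"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
CUTOFF = datetime(2024, 5, 1, tzinfo=timezone.utc)  # baseline ends here


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _iso(dt):
    return dt.isoformat().replace("+00:00", "Z")


def _event(time, arn, region, name):
    return {"eventTime": time, "userIdentity": {"arn": arn},
            "awsRegion": region, "eventName": name}


def sample_events():
    """Constructed history: alice works only in ap-northeast-1 for a month,
    then launches six instances in us-east-1 within three minutes; bob has
    always launched in us-east-1 and does so again."""
    base = datetime(2024, 4, 1, tzinfo=timezone.utc)
    ev = []
    for day in range(0, 28, 2):
        t = _iso(base + timedelta(days=day, hours=9))
        ev.append(_event(t, ALICE, "ap-northeast-1", "DescribeInstances"))
        ev.append(_event(t, BOB, "us-east-1", "RunInstances"))
    burst = datetime(2024, 5, 2, 3, 0, tzinfo=timezone.utc)
    for i in range(6):
        ev.append(_event(_iso(burst + timedelta(seconds=30 * i)),
                         ALICE, "us-east-1", "RunInstances"))
    ev.append(_event("2024-05-02T03:10:00Z", BOB, "us-east-1", "RunInstances"))
    return ev


def build_baseline(events, cutoff):
    """Regions each principal was seen in before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if _ts(e["eventTime"]) < cutoff:
            seen[e["userIdentity"]["arn"]].add(e["awsRegion"])
    return seen


def detect_new_region_bursts(events, cutoff, window=timedelta(minutes=10), threshold=5):
    """Flag principals issuing >= threshold RunInstances calls inside one
    `window` in a region absent from their baseline. A principal with no
    baseline at all is treated as "every region is new", which is the
    right default for a freshly created or rarely used identity."""
    baseline = build_baseline(events, cutoff)
    times = defaultdict(list)
    for e in events:
        if e["eventName"] != "RunInstances" or _ts(e["eventTime"]) < cutoff:
            continue
        arn = e["userIdentity"]["arn"]
        if e["awsRegion"] not in baseline.get(arn, set()):
            times[(arn, e["awsRegion"])].append(_ts(e["eventTime"]))
    findings = []
    for (arn, region), ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):          # sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"principal": arn, "region": region, "count": best,
                             "usual_regions": sorted(baseline.get(arn, set())),
                             "first_seen": _iso(ts[0])})
    return findings


def run_sample():
    return detect_new_region_bursts(sample_events(), CUTOFF)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

What the threshold buys you is the difference between one stray DescribeInstances in a new region (noise) and a burst of launches (worth a finding); GuardDuty tunes that tradeoff with its own models, but the baseline-then-deviation structure is the same idea.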
Investigation Efficiency Through Security Hub and Detective Integration
Security Hub is a dashboard that centrally aggregates findings from multiple security services including GuardDuty, Inspector, Macie, and Firewall Manager. It automatically ingests ASFF-compliant findings and prioritizes them by severity. It also runs automated assessments against security standards such as CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices, visualizing compliance status. The typical workflow is to identify high-priority alerts in Security Hub, then transition to detailed investigation in Detective. Detective accumulates CloudTrail logs, VPC Flow Logs, and GuardDuty findings in a graph database, visually displaying relationships between entities. You can trace which IP address called which API through a specific IAM role in chronological order, rapidly identifying the scope and path of a breach. The fact that this investigation process is completed natively within AWS is a major advantage over third-party SIEMs.
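Detective's graph is the part of this workflow that is hardest to picture from prose, so here is an added example (my own code, not Detective's implementation) that builds the same kind of entity graph from constructed CloudTrail events: source IP address, the IAM role whose session made the call, and the API, so that either side can be traced in chronological order. The account id and role names are placeholders and the IPs are from documentation ranges.

```python
"""Entity graph over CloudTrail events, in the spirit of Detective's
behaviour graph: IP address -> IAM role session -> API calls.

Added example: events are constructed, IPs are from TEST-NET documentation
ranges, and the account id and role names are placeholders. Detective's real
graph holds many more entity types; this shows only the traversal idea.
"""
from collections import defaultdict

ACCOUNT = "111122223333"
READER = f"arn:aws:iam::{ACCOUNT}:role/DataReader"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/Admin"


def _call(time, ip, role, session, name, region="ap-northeast-1"):
    """CloudTrail-shaped record of an API call made under an assumed role."""
    role_name = role.rsplit("/", 1)[1]
    return {"eventTime": time, "sourceIPAddress": ip, "eventName": name,
            "awsRegion": region,
            "userIdentity": {
                "type": "AssumedRole",
                "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role_name}/{session}",
                "sessionContext": {"sessionIssuer": {"arn": role}}}}


SAMPLE_EVENTS = [  # constructed
    _call("2024-05-02T03:01:00Z", "203.0.113.5", READER, "ci-build", "ListBuckets"),
    _call("2024-05-02T03:02:00Z", "203.0.113.5", READER, "ci-build", "GetObject"),
    _call("2024-05-02T03:03:00Z", "198.51.100.7", ADMIN, "ops", "CreateUser"),
    _call("2024-05-02T03:04:00Z", "203.0.113.5", ADMIN, "ci-build", "PutBucketPolicy"),
    _call("2024-05-02T03:05:00Z", "198.51.100.7", READER, "ops", "GetObject", "us-east-1"),
]


class BehaviorGraph:
    """Two adjacency maps over the same edges:
    by_ip[ip][role]  -> [(time, api, region), ...]
    by_role[role][ip] -> [(time, api, region), ...]"""

    def __init__(self, events=()):
        self.by_ip = defaultdict(lambda: defaultdict(list))
        self.by_role = defaultdict(lambda: defaultdict(list))
        for e in events:
            self.add(e)

    def add(self, e):
        ident = e["userIdentity"]
        if ident.get("type") != "AssumedRole":
            return  # only role sessions are modelled in this example
        role = ident["sessionContext"]["sessionIssuer"]["arn"]
        edge = (e["eventTime"], e["eventName"], e["awsRegion"])
        self.by_ip[e["sourceIPAddress"]][role].append(edge)
        self.by_role[role][e["sourceIPAddress"]].append(edge)

    def trace_ip(self, ip):
        """Chronological (time, role, api, region) rows for one source IP."""
        rows = [(t, role, api, reg)
                for role, edges in self.by_ip.get(ip, {}).items()
                for t, api, reg in edges]
        return sorted(rows)

    def trace_role(self, role):
        """Chronological (time, ip, api, region) rows for one IAM role."""
        rows = [(t, ip, api, reg)
                for ip, edges in self.by_role.get(role, {}).items()
                for t, api, reg in edges]
        return sorted(rows)

    def ips_for_role(self, role):
        """Every source address that has used the role: the first question an
        investigator asks when a GuardDuty finding names a role session."""
        return sorted(self.by_role.get(role, {}))


if __name__ == "__main__":
    g = BehaviorGraph(SAMPLE_EVENTS)
    for row in g.trace_ip("203.0.113.5"):
        print(row)
```

Starting from the IP in a finding, trace_ip answers "which roles and which APIs", and ips_for_role answers the reverse question; in the sample the Admin role was used from two addresses, which is the kind of scope question Detective is built to settle quickly.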
Automated Sensitive Data Discovery with Macie
Amazon Macie is a service that automatically discovers sensitive data in S3 buckets using machine learning and pattern matching. It identifies over 100 data types including credit card numbers, national ID numbers, passport numbers, and API keys. Macie's value lies in solving the fundamental challenge that organizations "don't know where their sensitive data is." In large-scale environments where S3 bucket counts reach hundreds to thousands, manual sensitive data inventory is impractical. Macie automatically creates a bucket inventory, cataloging encryption status, public access settings, and the presence of sensitive data. Findings are automatically forwarded to Security Hub, so when sensitive data exists in an unencrypted bucket, it is immediately visible as a Security Hub alert. With GuardDuty detecting external threats and Macie detecting internal sensitive data risks, security visibility is covered from both external and internal perspectives.
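To make the pattern-matching half of Macie concrete, here is an added example (my own code, not Macie's identifiers) that runs two detectors, card numbers validated with the Luhn checksum and AWS access key ids, over a constructed bucket inventory, then raises the severity when the bucket holding the data is unencrypted or public, which is how a Macie finding ends up looking in Security Hub. The bucket names and contents are constructed; the card number is the standard 4111 test value and the key id is AWS's documented example key.

```python
"""Pattern-based sensitive data discovery over an S3-style bucket inventory,
in the spirit of what Macie automates.

Added example: buckets and object contents are constructed; the card number
is the standard test value 4111 1111 1111 1111 and the access key id is
AWS's documented example key. Macie's managed identifiers are far broader.
"""
import re

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Long-term IAM user access key ids: 20 characters beginning with AKIA
AKID_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")


def luhn_ok(digits):
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive data types found in one object's content."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("CREDIT_CARD")
    if AKID_RE.search(text):
        found.add("AWS_ACCESS_KEY_ID")
    return found


SAMPLE_BUCKETS = [  # constructed inventory: name, encryption, public access, object bodies
    {"name": "finance-exports-example", "encrypted": False, "public": False,
     "objects": ["invoice 0042 paid with card 4111 1111 1111 1111",
                 "order ref 1234 5678 9012 3456"]},   # second body fails Luhn
    {"name": "app-config-example", "encrypted": True, "public": False,
     "objects": ["aws_access_key_id = AKIAIOSFODNN7EXAMPLE"]},
    {"name": "public-assets-example", "encrypted": True, "public": True,
     "objects": ["<html>hello</html>"]},
]


def scan(buckets):
    """One finding per bucket that holds sensitive data. Severity is HIGH when
    the bucket is also unencrypted or public, MEDIUM otherwise, so the
    unencrypted-bucket case the text describes sorts to the top."""
    findings = []
    for b in buckets:
        types = set()
        for body in b["objects"]:
            types |= classify(body)
        if not types:
            continue  # public but empty of sensitive data is a posture issue, not a data finding
        exposed = (not b["encrypted"]) or b["public"]
        findings.append({"bucket": b["name"], "types": sorted(types),
                         "severity": "HIGH" if exposed else "MEDIUM",
                         "encrypted": b["encrypted"], "public": b["public"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_BUCKETS):
        print(f)
```

The Luhn step is the detail worth copying: a 16-digit order reference passes the regex but not the checksum, and without that filter a scan of a few thousand buckets produces mostly false positives.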
Design Philosophy Comparison with Azure Sentinel
Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM/SOAR platform whose design philosophy differs fundamentally from AWS's security service suite. Sentinel aggregates logs into a Log Analytics workspace and analyzes them with KQL (Kusto Query Language). Its strength is multi-cloud support: it can ingest logs not only from Azure but also from AWS, GCP, and on-premises environments. AWS's approach, by contrast, is distributed, with each service specializing in its own domain and integrating via ASFF. Sentinel uses consumption-based pricing tied to log ingestion volume, so costs can spike when large volumes of logs are analyzed. GuardDuty's analysis of its log sources is priced as part of the service, so there is no separate log-ingestion pipeline to size and budget for. Sentinel's advantage lies in its deep integration with Microsoft 365 and Entra ID. The ability to analyze email threat detection, identity-based attack detection, and endpoint EDR data together is significant value for organizations built on the Microsoft ecosystem.
Summary
AWS's security service suite is an integrated ecosystem where GuardDuty's threat detection, Security Hub's aggregation and prioritization, Detective's root cause investigation, and Macie's sensitive data discovery seamlessly integrate via ASFF. The entire security operations flow from detection to investigation is completed natively within AWS without deploying a third-party SIEM. Azure Sentinel has strengths in multi-cloud support and Microsoft ecosystem integration, but managing log ingestion costs is a challenge. AWS's approach offers the greatest advantages in the ease of immediately improving security visibility simply by enabling each service, and the low operational burden from automatic inter-service integration. For organizations looking to progressively mature their security operations, AWS's native integration provides a solid starting point.