Security: GuardDuty, Security Hub, IAM Access Analyzer
AWS has its own set of security services. ZEUS does not replace them — it reads from them and consolidates the results with other clouds. Let's get to know the three most important ones.
GuardDuty — threat detection
GuardDuty is a detection service based on machine learning and threat intelligence. It analyzes CloudTrail, VPC Flow Logs and DNS logs, generating findings about suspicious activity: compromised credentials, C2 communication, cryptocurrency mining, reconnaissance.
```bash
# Enable GuardDuty in the current region
aws guardduty create-detector --enable
# List active findings
aws guardduty list-findings --detector-id <id> --output table
```
Findings have a severity (1-8) and a type, e.g. UnauthorizedAccess:EC2/SSHBruteForce.
Security Hub — a single set of findings
Security Hub aggregates findings from GuardDuty, Inspector, Macie and Access Analyzer in one format (ASFF). It also runs automated compliance checks against the AWS Foundational Security Best Practices, CIS Benchmark and PCI DSS.
```bash
aws securityhub enable-security-hub
aws securityhub get-findings \
--filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}]}' \
--output table
```
| Service | What it detects |
|---|---|
| GuardDuty | active threats (behavioral) |
| Inspector | CVE vulnerabilities in EC2/ECR |
| Macie | sensitive data (PII) in S3 |
| Access Analyzer | excessive/external access |
IAM Access Analyzer — excessive access
Access Analyzer detects resources (S3, IAM roles, KMS, queues) that are accessible from outside the account or organization — often through an oversight in the policies. It also shows unused permissions, which helps narrow down roles.
```bash
aws accessanalyzer create-analyzer \
--analyzer-name org-analyzer --type ORGANIZATION
aws accessanalyzer list-findings --analyzer-arn <arn> --output table
```
Tip: Access Analyzer is the best way to put least privilege into practice — it shows which permissions are actually being used and which can be removed without risk.
How ZEUS sees it
ZEUS integrates with these services through Boto3 (a read-only role with the SecurityAudit policy). It pulls in:
- GuardDuty findings — into the shared SecOps queue, alongside alerts from Azure Defender and GCP SCC,
- Security Hub findings — so as not to duplicate scans AWS has already done,
- Access Analyzer results — to assess identity posture and excessive permissions.
Consolidation is the heart of ZEUS's value: a GuardDuty alert, a Security Hub misconfig and an excessive role from Access Analyzer all land in one queue with one prioritization model and MITRE ATT&CK mapping.
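The consolidation step above, as an added example that is not ZEUS's own code: findings from the three services are normalized into one record shape and sorted by one priority model. The inputs are constructed samples in the field shapes returned by GuardDuty get-findings, Security Hub get-findings (ASFF) and Access Analyzer list-findings; the boto3 calls that would fetch them are left out so the example runs offline, and the severity assigned to Access Analyzer findings is an assumed policy, not anything AWS or ZEUS defines.

```python
# Normalize GuardDuty, Security Hub (ASFF) and IAM Access Analyzer findings into one
# record shape and one priority order. Sample inputs below are constructed; in
# production the same dicts would come from boto3 get_findings / list_findings.

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}

def guardduty_severity_label(score):
    """Map GuardDuty's numeric severity onto the Low/Medium/High bands AWS documents."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

def from_guardduty(f):
    return {"source": "guardduty", "id": f["Id"], "title": f["Type"],
            "severity": guardduty_severity_label(f["Severity"]),
            "resource": f["Resource"]["ResourceType"]}

def from_security_hub(f):
    # ASFF already carries a label; keep it so AWS's own rating is not re-scored.
    return {"source": "securityhub", "id": f["Id"], "title": f["Title"],
            "severity": f["Severity"]["Label"], "resource": f["Resources"][0]["Id"]}

def from_access_analyzer(f):
    # Access Analyzer findings have no severity field. The rating below is an
    # assumed policy: public exposure outranks access limited to a named principal.
    severity = "HIGH" if f.get("isPublic") else "MEDIUM"
    return {"source": "accessanalyzer", "id": f["id"],
            "title": f"External access to {f['resourceType']}",
            "severity": severity, "resource": f["resource"]}

def build_queue(guardduty, securityhub, accessanalyzer):
    """One queue for all three sources, most severe first, source name as tiebreak."""
    records = ([from_guardduty(f) for f in guardduty]
               + [from_security_hub(f) for f in securityhub]
               + [from_access_analyzer(f) for f in accessanalyzer])
    return sorted(records, key=lambda r: (SEVERITY_RANK[r["severity"]], r["source"]))

# Constructed sample findings (not real AWS output).
SAMPLE_GUARDDUTY = [{"Id": "gd-0001", "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
                     "Severity": 5.0, "Resource": {"ResourceType": "Instance"}}]
SAMPLE_SECURITY_HUB = [{"Id": "sh-0001", "Title": "S3 buckets should block public access",
                        "Severity": {"Label": "CRITICAL"},
                        "Resources": [{"Id": "arn:aws:s3:::example-bucket"}]}]
SAMPLE_ACCESS_ANALYZER = [{"id": "aa-0001", "resourceType": "AWS::S3::Bucket",
                           "resource": "arn:aws:s3:::example-bucket", "isPublic": True}]
```

Calling build_queue(SAMPLE_GUARDDUTY, SAMPLE_SECURITY_HUB, SAMPLE_ACCESS_ANALYZER) returns the Security Hub misconfiguration first, then the public bucket from Access Analyzer, then the medium-severity SSH brute-force finding.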
In the next lesson: cost control and tagging.