Skip to main content
emnode / learn
Compliance

Enable threat detection and vulnerability scanning

One capability across GuardDuty, Inspector, Macie and ECR: turn on the AWS-native services that watch for compromise, scan for known vulnerabilities, and find sensitive data, so a problem is detected automatically rather than discovered by accident.

14 min·10 sections·AWS

Last reviewed

Remediates AWS Security Hub: ECR.1GuardDuty.1GuardDuty.10GuardDuty.11GuardDuty.13Inspector.1Inspector.2Inspector.3Inspector.4Macie.1Macie.2

Threat detection and scanning: the basics

Why four different services add up to one capability

AWS ships several managed detection services, each watching a different part of the estate. GuardDuty is the threat-detection layer: it continuously analyses CloudTrail events, VPC Flow Logs and DNS query logs for the signatures of a compromise, with optional protection plans for S3, EKS, RDS, Lambda, malware and runtime activity. Amazon Inspector is the vulnerability scanner: it checks EC2 instances, ECR container images and Lambda functions against the known-CVE feed. Amazon Macie is the data-classification service: it inventories S3 bucket security and, on demand, scans object contents for PII and credentials. ECR image scanning sits alongside, flagging vulnerable packages in container images before they ship.

AWS Security Hub turns each of these into its own control, which is why a single estate can fail a dozen detection checks at once. GuardDuty.1 covers the base detector and GuardDuty.10, GuardDuty.11 and GuardDuty.13 cover its protection plans; Inspector.1 through Inspector.4 cover the scanning sub-features; Macie.1 and Macie.2 cover data discovery; ECR.1 covers image scanning. They read as separate findings on the report, but they are one capability: make sure the services that would notice a problem are switched on, everywhere they need to be.

The reason this matters is the silent failure mode. A misconfigured bucket throws an error you can see; a detection service that was never enabled throws nothing at all. The job is to enable each service across every account and Region, route it through delegated administration so new accounts inherit it automatically, and wire the findings into a workflow that someone actually owns, rather than letting an empty dashboard stand in for security.

In this lesson you will learn what each AWS detection service inspects, why the controls in this group share a single root cause (a service that was never enabled detects nothing), and how to turn them on across every account and Region using delegated administration so coverage survives growth. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The Region nobody used, and the CVE published twelve hours ago

Two patterns recur in detection failures. The first: attackers who steal AWS credentials spin up GPU instances in Regions a company never uses, precisely because no detector is watching there, and the first signal is a five-figure bill. The second: when a critical CVE like Log4Shell is published, customers who already had Inspector enabled saw the affected instances in their findings list before the end of the same business day, while everyone else spent the week running find by hand. The thread joining them is that detection is worthless the moment it is off in the place that matters, and almost free in the idle Regions where attackers prefer to hide.

Finding detection gaps across an estate

Devin is the security engineer rolling out a Security Hub baseline across a 40-account AWS Organization. The detection controls are failing in most accounts: GuardDuty was enabled in only two, Inspector in none, and Macie nowhere.

Rather than work the findings one by one, he starts by listing which accounts and Regions have a GuardDuty detector at all, so he can see the true size of the gap before enabling anything org-wide.

Start with the foundation: is GuardDuty even enabled in this account and Region? An empty list is the failing state GuardDuty.1 flags.

$ aws guardduty list-detectors --output json
{
"DetectorIds": []
}
# Empty list = no detector = GuardDuty.1 FAILED, and every protection plan is off too.

An empty DetectorIds array means GuardDuty has never been enabled here, which cascades into every per-feature check failing as well.

How AWS detection services are structureddeep dive

Every service in this group is regional and per-account: there is no single global switch. A GuardDuty detector in us-east-1 sees nothing happening in eu-north-1, Inspector is enabled per Region, and Macie runs per account. This is why the controls evaluate per account and Region, and why AWS recommends enabling detection in every supported Region, even idle ones, where the data volume and therefore the cost is negligible but the attacker incentive is highest. Keep a detector in us-east-1 specifically so GuardDuty sees CloudTrail events for global services like IAM.

At any scale beyond a handful of accounts you do not enable these one by one. Each service supports delegated administration from the AWS Organizations management account: you designate a dedicated security account as the delegated admin, enable the service for all existing members, and set auto-enable so newly-created accounts get coverage on day one. Without auto-enable, the controls silently re-fail every time someone creates a new account. GuardDuty uses update-organization-configuration, Inspector uses update-organization-configuration with per-feature flags, and Macie and ECR follow the same delegated-admin pattern.

The services build on each other and on prerequisites. GuardDuty.1 (the base detector) must exist before any protection plan; Inspector EC2 scanning depends on the SSM agent reporting on each instance (SSM.1), because Inspector reads its package inventory from SSM. Security Hub evaluates all of this through AWS Config on a periodic cycle, so a fix does not flip a finding to PASSED instantly; the control plane change is immediate, but the report catches up on the next evaluation.

What is the impact of leaving detection disabled?

The direct impact is blindness. With no detector, an attacker who obtains valid credentials can enumerate resources, exfiltrate data and launch instances with no automated finding raised. With no vulnerability scanner, a critical CVE on a production host stays invisible until somebody scans by hand, a customer asks, or an exploit lands. With no data discovery, you cannot answer the first question after any exposure: what data was in there? The loud signals (a billing spike, a breach notice) arrive late and by accident, which is exactly what these services exist to prevent.

The second-order impact is incident cost that scales with detection time. The incidents these services catch early, credential theft leading to mining, an exploited CVE, a public bucket of PII, are precisely the ones whose financial damage grows the longer they run undetected. Caught in minutes via a finding wired to an alert, a compromise is contained and cheap. Caught weeks later via the invoice or a regulator, the same event is the full weight of breach response.

On the compliance side, every modern framework, SOC 2, ISO 27001, HIPAA, PCI DSS and FedRAMP, expects evidence of continuous threat detection, vulnerability scanning and a data inventory. A passing set of detection controls across every account is a cheap, defensible artefact to hand an auditor, and the single most common gap is the idle Region or the new account that nobody remembered to enrol.

How do you enable detection across the estate?

Work the capability as one rollout rather than chasing individual findings. The order matters: forecast the cost, delegate administration, enable everywhere with auto-enable, then wire findings into a workflow that has an owner.

1. Forecast the cost before flipping it on everywhere

Enable GuardDuty, Inspector and Macie in two or three representative accounts (one busy production, one quiet sandbox) and use the per-account free trials and published per-resource rates to project the org-wide number. Share the forecast with finance and get the line approved deliberately. Detection is the rare security spend where surprises erode trust in the whole programme, so size it first.

2. Delegate administration to a security account

Do not manage detectors account-by-account. From the AWS Organizations management account, designate a dedicated security tooling account as the delegated administrator for GuardDuty, Inspector and Macie. This gives one account central visibility of every member's findings and the authority to enable and configure detection org-wide, which is how you keep these controls passing at scale.

3. Enable everywhere with auto-enable, including idle Regions

From the delegated admin, enable each service for all existing member accounts and set auto-enable so new accounts get coverage on day one. Repeat per Region for every Region you operate in plus the idle ones AWS recommends covering, since a detector in an idle Region costs almost nothing and closes the exact gap attackers exploit. Confirm Inspector's SSM prerequisite is met so scanned instances are actually visible.

4. Wire findings to an owner and scope the metered parts by risk

A scanner with no response process is theatre. Route HIGH and CRITICAL findings via EventBridge into the team's ticket queue with a defined SLA for critical issues. For Macie, keep the free bucket inventory on everywhere but tier sensitive-data discovery: scan high-risk operational buckets on a cadence, sample large low-risk data lakes, and do not run untargeted full-account scans.

# Enable the GuardDuty base detector in every Region (run from the delegated admin account).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  existing=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text)
  if [ "$existing" = "None" ]; then
    aws guardduty create-detector --enable \
      --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
    echo "$region: GuardDuty detector created"
  fi
done

# Turn on Inspector EC2/ECR/Lambda scanning for this account and Region.
aws inspector2 enable --resource-types EC2 ECR LAMBDA

# Enable Macie (free bucket inventory clears Macie.1; discovery jobs are scoped separately by risk).
aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES

Quick quiz

Question 1 of 5

Security Hub shows detection failures across GuardDuty, Inspector and Macie. What is the most efficient way to think about them?

You can now treat threat detection and scanning as one capability rather than a scatter of findings: forecast the cost, delegate administration to a security account, enable GuardDuty, Inspector, Macie and ECR scanning across every account and Region with auto-enable, and wire findings into a workflow that has an owner. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

Part of the learning path See what's happening

Related compliance lessons