Amazon GuardDuty vs Amazon Inspector vs Amazon Macie vs AWS Security Hub
#1 All four are AWS security services and appear together in "improve our security posture" questions.
Deciding signal
GuardDuty continuously analyzes CloudTrail, VPC Flow Logs, and DNS logs for behavioral anomalies and known malicious patterns — it detects threats in progress. Inspector scans EC2 instances and container images for software vulnerabilities (CVEs) and unintended network exposure — it evaluates what could be exploited. Macie uses machine learning to discover, classify, and protect sensitive data in S3 — it identifies PII, financial data, and other regulated content. Security Hub is an aggregation and normalization layer that collects findings from GuardDuty, Inspector, Macie, and other services, then runs benchmark checks (CIS AWS Foundations, PCI DSS). Security Hub does not generate its own threat or vulnerability findings. When the scenario involves detecting unauthorized IAM API calls, GuardDuty. Software CVEs, Inspector. Sensitive data in S3, Macie. Single-pane-of-glass view of all findings, Security Hub.
Quick check
Is this detecting runtime threats from log analysis (GuardDuty), scanning for software vulnerabilities (Inspector), identifying sensitive data in S3 (Macie), or aggregating findings across services (Security Hub)?
Why it looks right
GuardDuty is the most prominent threat detection service and candidates apply it to vulnerability and data classification scenarios. Each of the four services has a distinct data source and distinct output.
AWS KMS vs AWS CloudHSM vs AWS Secrets Manager
#2 All three involve cryptographic keys or secrets, so candidates blur them when a question mentions encryption or credentials.
Deciding signal
KMS is a managed service for creating and controlling encryption keys. AWS manages the underlying HSM infrastructure with FIPS 140-2 validated hardware. Keys never leave KMS unencrypted. It integrates natively with most AWS services. CloudHSM provides dedicated, single-tenant HSM hardware that you control — AWS does not have access to the keys. It is required when regulations mandate customer-exclusive key custody or when you need to run custom cryptographic operations not supported by KMS. Secrets Manager stores and automatically rotates credentials — it uses KMS to encrypt stored secrets but its purpose is secret lifecycle management (rotation, versioning, retrieval), not key management. When the scenario requires dedicated hardware with customer-exclusive key control, CloudHSM. When it requires encryption key management for AWS services, KMS. When it requires rotating database passwords or API keys, Secrets Manager.
Quick check
Is this managing encryption keys for AWS services (KMS), requiring dedicated hardware where only you hold the keys (CloudHSM), or managing credentials with automatic rotation (Secrets Manager)?
Why it looks right
KMS and Secrets Manager are both used for database credential scenarios, and candidates blur them. Secrets Manager is specifically about the rotation lifecycle; KMS encrypts the stored secrets but does not manage their rotation.
AWS IAM vs AWS STS vs AWS Organizations SCPs
#3 All three control what actions are allowed in AWS, so candidates conflate them in access control questions.
Deciding signal
IAM defines permissions through policies attached to users, roles, and groups — permanent identity-based access control. STS issues temporary, short-lived credentials with configurable permissions — used when a principal assumes an IAM role, enabling cross-account access, federated identity, or time-bounded privilege. STS does not define permissions itself; it issues credentials scoped to the permissions of the role being assumed. SCPs are AWS Organizations policies applied to OUs or accounts that cap the maximum permissions available to all identities in that account — even root. SCPs do not grant permissions; they restrict what IAM can grant. When the scenario involves cross-account role assumption or federated access, STS. When it involves capping what any principal in an account can do, SCPs.
Quick check
Is this about granting permanent permissions to identities (IAM), issuing temporary credentials for role assumption or federation (STS), or restricting what any principal in an account can do (SCPs)?
Why it looks right
IAM and SCPs are both "access control" tools and candidates conflate them. The key distinction is scope: IAM operates within an account; SCPs operate across accounts at the organizational level.
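An added example, not taken from the original page: a service control policy attached to an OU that stops every principal in the member accounts, including each account's root user, from switching off the logging and detection services discussed elsewhere on this page. It grants nothing; an identity still needs an IAM policy before it can do anything at all, and this SCP only caps what such a policy can allow.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingAuditAndDetection",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "guardduty:DeleteDetector",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}
```

SCPs do not apply to the organization's management account, so the guardrail covers member accounts only.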
AWS Config vs AWS Security Hub vs AWS CloudTrail
#4 "Compliance" covers all three services in exam questions, so candidates pick whichever appears most familiar.
Deciding signal
CloudTrail records every API call — who, when, from where, and what resource was affected. It is the account activity audit trail for forensics and accountability. Config records the configuration state of resources over time and evaluates them against rules — it answers "was this S3 bucket publicly accessible at 14:00 on Thursday?" or "has this EC2 security group always had port 22 closed?" Security Hub aggregates findings from Config rules, GuardDuty, Inspector, Macie, and partner products, normalizes them into a standard format, and runs CIS/PCI benchmark checks. When the scenario involves proving that configurations were compliant at a specific point in time, Config. When it involves who made a specific API call, CloudTrail. When it involves a unified dashboard of security findings, Security Hub.
Quick check
Is this proving resource configuration state at a specific time (Config), tracing who made a specific API call (CloudTrail), or viewing normalized security findings across services (Security Hub)?
Why it looks right
CloudTrail is the most familiar audit service and candidates apply it to configuration compliance questions. Config is specifically about resource configuration history and rule evaluation — not API calls.
AWS Certificate Manager vs AWS Private CA vs AWS CloudHSM
#5 All three involve certificates or keys and appear in PKI and TLS questions.
Deciding signal
AWS Certificate Manager (ACM) provisions, manages, and renews public TLS certificates for use with CloudFront, ALB, API Gateway, and other services — at no cost for certificates used with integrated services. ACM does not manage private PKI. AWS Private CA (formerly ACM PCA) is a managed private Certificate Authority that issues private certificates for internal services, device authentication, or code signing — where a public CA is not appropriate. CloudHSM provides dedicated HSM hardware for storing private keys and performing cryptographic operations; it is not a CA itself but can serve as the key store for Private CA. When the scenario involves TLS for public-facing load balancers with automatic renewal, ACM. When it involves issuing private certificates for internal services, Private CA. When it requires hardware-backed key storage with customer-exclusive access, CloudHSM.
Quick check
Is this public TLS certificates for internet-facing services (ACM), private certificates for internal or device authentication (Private CA), or dedicated hardware for key custody (CloudHSM)?
Why it looks right
ACM is the familiar certificate service. Private CA and CloudHSM are less visible but are the correct answers when internal PKI or hardware-backed key storage is the stated requirement.
AWS Artifact vs AWS Audit Manager vs AWS Config
#6 "Compliance" is broad enough that candidates reach for Config as the default answer for all three scenarios.
Deciding signal
Artifact provides access to AWS's own compliance documentation: SOC reports, PCI DSS attestations, ISO certifications, and BAAs. When an auditor needs proof that AWS infrastructure meets a regulatory standard, Artifact provides it. Audit Manager automates the collection of evidence for your own compliance posture — it maps AWS activity to audit frameworks (HIPAA, SOC 2, PCI DSS) and produces audit-ready reports from your account's configuration and activity data. Config continuously evaluates your resources against defined rules and records configuration history — it is for ongoing compliance monitoring, not audit report generation. When the scenario asks for AWS's own certification documents, Artifact. When it asks for collecting compliance evidence about your workload, Audit Manager. When it asks for continuous rule-based configuration enforcement, Config.
Quick check
Is this retrieving AWS's own compliance certifications (Artifact), collecting and organizing compliance evidence for your own audit (Audit Manager), or enforcing configuration rules on your resources (Config)?
Why it looks right
Config is the most familiar compliance service and candidates apply it to Artifact questions. When the scenario involves obtaining AWS's existing audit reports — not generating your own evidence — Artifact is the specific answer.
Amazon Cognito vs AWS IAM Identity Center (SSO)
#7 Both are identity federation services, so candidates apply whichever they associate with "SSO."
Deciding signal
Cognito handles authentication for customer-facing web and mobile applications. It manages user pools (sign-up, sign-in, MFA), issues JWTs, and federates with social providers and enterprise IdPs via SAML and OIDC. IAM Identity Center is for workforce identities — employees accessing AWS accounts or business applications through the AWS access portal. It integrates with Active Directory, Okta, and other enterprise IdPs to provide SSO across multiple AWS accounts and SaaS applications. The distinction is the user type: external customers using your application (Cognito) versus internal employees accessing AWS accounts (IAM Identity Center).
Quick check
Are the users external customers logging into your application (Cognito), or internal employees who need centralized SSO access to AWS accounts (IAM Identity Center)?
Why it looks right
Cognito is the more prominent authentication service. IAM Identity Center is specifically for workforce access to AWS accounts and business tools — not for authenticating application end-users.
Amazon Detective vs Amazon GuardDuty
#8 Both analyze VPC Flow Logs and CloudTrail, so candidates treat them as alternatives for the same security goal.
Deciding signal
GuardDuty continuously monitors logs for anomalies and known threat patterns in near real-time, generating findings when it detects a threat — it is the detection layer. Amazon Detective helps security analysts investigate GuardDuty findings (and Security Hub findings) by providing a graph model of entity relationships, activity timelines, and statistical baselines. Detective answers "what happened around this finding, which resources were involved, and is this anomalous compared to historical behavior?" GuardDuty finds the threat; Detective helps you understand it. When the scenario involves detecting that a resource has been compromised, GuardDuty. When it involves investigating and understanding the scope and context of an existing finding, Detective.
Quick check
Is the requirement to detect threats automatically in near real-time (GuardDuty), or to investigate and understand the context and scope of an existing security finding (Detective)?
Why it looks right
GuardDuty is the prominent security detection service. Detective is the investigation tool that operates downstream of GuardDuty — a distinct step that candidates often collapse into GuardDuty.
VPC Interface Endpoint vs VPC Gateway Endpoint vs Resource-based Policies for S3
#9 All three appear in "private access to S3" questions and candidates mix up which mechanism does what.
Deciding signal
Gateway Endpoints for S3 and DynamoDB add route table entries that route traffic to the service through the AWS backbone without traversing the internet. They are free and provide network-path privacy. Interface Endpoints (PrivateLink) for S3 create ENIs with private IPs and enable private DNS resolution — they support on-premises access over Direct Connect or VPN and enable access to specific bucket regions. Resource-based S3 bucket policies control who can access the bucket and can restrict access to only traffic originating from a specific VPC or endpoint. Gateway Endpoint is the network path; bucket policy is the access control. Both are often needed together: the endpoint provides the private network path; the bucket policy enforces that only that path is used.
Quick check
Is this providing a private network path to S3 (Gateway or Interface Endpoint), enforcing that only traffic from a specific VPC can access a bucket (bucket policy with condition), or both together?
Why it looks right
Candidates often think the endpoint alone provides security. The endpoint provides private routing; the bucket policy restriction ensures the bucket is not accessible via the public internet even if a user has valid IAM permissions.
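An added example, not taken from the original page, of the "both together" case: the gateway endpoint supplies the private route, and this bucket policy denies any request that did not arrive through that endpoint, regardless of the caller's IAM permissions. The bucket name and endpoint ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessViaGatewayEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLEID"
        }
      }
    }
  ]
}
```

Because an explicit Deny wins over every Allow, requests that do not traverse the endpoint, including those from the AWS console or from tooling outside the VPC, are rejected as well; plan the administrative path before attaching the policy.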
AWS WAF vs AWS Shield Advanced vs AWS Firewall Manager
#10 All three are described as "protecting" workloads and frequently appear together in the same question.
Deciding signal
WAF inspects HTTP/HTTPS requests against rules you define — it blocks specific malicious requests like SQL injection, XSS, or requests from specific IP ranges. Shield Advanced provides volumetric DDoS protection with the Shield Response Team (SRT), financial protection from scaling costs during DDoS events, and advanced detection for sophisticated attacks. Firewall Manager is the control plane that centrally manages WAF rules, Shield Advanced enrollment, Network Firewall policies, and security group policies across multiple accounts and VPCs. It requires Organizations. When the scenario involves blocking specific web attack patterns, WAF. When it involves absorbing large-scale DDoS, Shield Advanced. When it involves applying WAF or Shield policies consistently across an entire organization, Firewall Manager.
Quick check
Is this filtering specific HTTP attack patterns (WAF), absorbing volumetric DDoS (Shield Advanced), or managing WAF/Shield policies centrally across many accounts (Firewall Manager)?
Why it looks right
WAF and Shield Advanced are the familiar pair. Firewall Manager is the correct answer when the scenario describes enforcing security controls consistently across multiple accounts — which is an organizational, not a per-account, decision.