AWS Security Monitoring Tools Compared: GuardDuty, CloudTrail, Security Hub & Beyond

Vigilare Engineering

Platform Team · October 19, 2025 · 11 min read

AWS provides over a dozen native security services, each covering a specific monitoring domain. Third-party vendors offer hundreds more, ranging from cloud-native SIEM platforms to specialized compliance tools. For security engineers tasked with building a comprehensive monitoring stack, the challenge is not finding tools — it is understanding which tools cover which gaps, where they overlap, and which combinations provide genuine security coverage versus checkbox compliance.

This comparison evaluates the most relevant AWS security monitoring tools across their core capabilities, operational characteristics, and blind spots. The goal is not to rank them in a linear list, but to help you build a monitoring architecture that eliminates coverage gaps while avoiding redundant tooling.

Native AWS Security Monitoring Tools

Amazon GuardDuty

GuardDuty is AWS's managed threat detection service. It continuously analyzes CloudTrail management and data events, VPC Flow Logs, DNS query logs, and (with optional protection plans) S3 data events, EKS audit logs, Lambda network activity, and RDS login activity to identify threats.

GuardDuty's detection models are ML-based and continuously updated by AWS's threat intelligence team. The service detects credential compromise indicators (API calls from unusual locations, Tor exit nodes, known malicious IPs), unauthorized resource provisioning patterns, cryptocurrency mining activity, data exfiltration indicators (unusual S3 access patterns, DNS tunneling), and privilege escalation attempts.

The operational model is fully managed — there is no infrastructure to deploy, no rules to write, and no tuning required for baseline detection. GuardDuty supports multi-account deployment through delegated administrator configuration, centralizing findings from all organization accounts.

Where GuardDuty falls short is in detection specificity. It operates on behavioral anomaly detection, not signature-based rules. You cannot create custom detection rules for organization-specific threats. False positives — particularly for organizations with variable workload patterns — require suppression rules that can mask genuine threats if configured too broadly. GuardDuty also does not cover IAM configuration drift, compliance posture, or billing anomalies.

AWS CloudTrail

CloudTrail is not a monitoring tool in the traditional sense — it is an audit log. Every API call made in your AWS account is recorded with the identity of the caller, the source IP, the timestamp, the request parameters, and the response. This log is the evidentiary foundation for security investigation, compliance auditing, and operational troubleshooting.

CloudTrail's value for security monitoring depends entirely on what you build on top of it. Raw CloudTrail logs in an S3 bucket are useless for real-time detection. Feeding those logs into CloudWatch Logs enables metric filters and alarms on specific event patterns. Piping them through EventBridge enables near-real-time rule-based detection. Loading them into Athena or CloudTrail Lake enables ad-hoc forensic queries. Integrating them with a SIEM provides correlation with non-AWS data sources.

Organization trails capture events from all member accounts, making CloudTrail the authoritative data source for cross-account security investigation. The limitation is that CloudTrail records what happened — it does not evaluate whether what happened is good or bad. That judgment layer must be provided by GuardDuty, custom EventBridge rules, or external analysis.

AWS Security Hub

Security Hub serves two functions. It is a findings aggregator that normalizes and centralizes security findings from GuardDuty, Inspector, IAM Access Analyzer, Macie, Firewall Manager, and third-party integrations into the AWS Security Finding Format (ASFF). It is also a compliance evaluator that runs automated checks against security standards — CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices (FSBP), PCI DSS, and NIST 800-53.

Security Hub's primary value is operational consolidation. Without it, security findings from each service exist in isolated dashboards. Security Hub provides a single pane of glass with cross-account aggregation through delegated administrator deployment.

The limitation is that Security Hub does not generate original threat detections. It aggregates and evaluates — it does not discover. Its compliance checks are valuable but operate on configuration state (is MFA enabled, is CloudTrail configured correctly) rather than behavioral monitoring (is someone doing something suspicious right now). Security Hub is a necessary component of any AWS security monitoring architecture, but it is not sufficient on its own.

AWS Config

Config continuously records the configuration state of your AWS resources and evaluates that state against rules. It answers the question: are my resources configured the way I expect them to be? Config rules can be AWS-managed (pre-built checks for common compliance requirements) or custom (Lambda functions that evaluate arbitrary compliance logic).

Config is the backbone of compliance monitoring. It detects configuration drift — an S3 bucket that was private yesterday is public today, an IAM policy that met least-privilege standards was modified to include wildcard permissions, a security group that restricted SSH access was opened to 0.0.0.0/0.

Config's multi-account aggregator centralizes compliance data across an organization. Its limitation is latency — configuration changes are evaluated periodically (default up to several hours), not in real-time. For fast-acting threats, Config is a complement to, not a replacement for, event-driven monitoring through GuardDuty and EventBridge.
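A custom Config rule of the kind described above, written as an added example for this article (not the article's own code and not an AWS-provided rule): the Lambda evaluates a security group's configuration item and reports NON_COMPLIANT when a restricted port is reachable from 0.0.0.0/0 or ::/0, covering the "SSH opened to the world" drift case. The `restrictedPorts` parameter name, the `sg-0example` id and the sample invocation are constructed for the example, and the two IPv4 range shapes it reads are assumed from Config's own security-group schema.

```python
import json

def _cidrs(perm):
    # Config has used two shapes for IPv4 ranges (ipRanges as strings, ipv4Ranges as dicts); read both.
    out = [r if isinstance(r, str) else r.get("cidrIp") for r in perm.get("ipRanges", [])]
    out += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    out += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in out if c]

def open_restricted_ports(configuration, restricted_ports):
    found = set()
    for perm in configuration.get("ipPermissions", []):
        if not any(c in ("0.0.0.0/0", "::/0") for c in _cidrs(perm)):
            continue  # only rules reachable from anywhere matter here
        if perm.get("ipProtocol") == "-1":  # "all traffic": no port fields, every port exposed
            found.update(restricted_ports)
        elif perm.get("fromPort") is not None:  # port-less protocols (e.g. GRE) carry no ports
            found.update(p for p in restricted_ports if perm["fromPort"] <= p <= perm["toPort"])
    return sorted(found)

def evaluate(event):
    """Build the put_evaluations entry for one invocation of the rule on a configuration item."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    restricted = [int(p) for p in params.get("restrictedPorts", "22,3389").split(",")]
    if item["resourceType"] != "AWS::EC2::SecurityGroup" or item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        compliance, exposed = "NOT_APPLICABLE", []
    else:
        exposed = open_restricted_ports(item.get("configuration") or {}, restricted)
        compliance = "NON_COMPLIANT" if exposed else "COMPLIANT"
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": f"restricted ports open to the world: {exposed}",
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    evaluation = evaluate(event)
    import boto3  # imported here so evaluate() can be exercised without AWS credentials
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])

SAMPLE_EVENT = {  # constructed Config invocation, not from a real account
    "resultToken": "placeholder-token",
    "ruleParameters": json.dumps({"restrictedPorts": "22,3389"}),
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
        "configurationItemCaptureTime": "2025-10-19T00:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
            {"ipProtocol": "tcp", "fromPort": 20, "toPort": 25, "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
        ]}}}),
}
```

The sample group is flagged only because the 20-25 range from ::/0 covers port 22; the HTTPS rule is world-open but not restricted, and the SSH rule is internal-only.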

Amazon Inspector

Inspector performs automated vulnerability assessments on EC2 instances, Lambda functions, and container images in ECR. It scans for software vulnerabilities (CVEs), network reachability issues, and insecure configurations. Findings are scored using CVSS and fed into Security Hub.

Inspector is a vulnerability management tool, not a runtime monitoring tool. It tells you what could be exploited, not what is being exploited. It is essential for proactive security hygiene but does not provide the real-time threat detection that GuardDuty covers.

AWS IAM Access Analyzer

Access Analyzer identifies resources that are shared with external entities (cross-account access, public access) and analyzes IAM policies for unused permissions. It is the primary native tool for detecting overly permissive IAM configurations and unintended external access.

Access Analyzer findings should be integrated into Security Hub and reviewed as part of your IAM security monitoring process. Its scope is limited to access analysis — it does not monitor for active exploitation of the permissions it identifies.

Additional Native Services

Amazon Macie provides S3-focused data security monitoring, using ML to discover and classify sensitive data (PII, financial records, credentials) stored in S3 buckets. AWS Firewall Manager centralizes management of WAF rules, Shield Advanced protections, and security group policies across an organization. Amazon Detective assists with security investigation by automatically aggregating and visualizing CloudTrail, VPC Flow Logs, and GuardDuty findings into an interactive graph model.

Third-Party AWS Security Monitoring Tools

Third-party tools typically differentiate on cross-cloud support (monitoring AWS alongside Azure and GCP in a single platform), custom detection rules (writing organization-specific detection logic beyond what GuardDuty provides), SIEM integration (correlating AWS events with on-premises and SaaS security data), and advanced visualization and investigation workflows.

Popular options include Datadog Cloud Security Management, which provides real-time threat detection and compliance monitoring with infrastructure monitoring integration; CrowdStrike Falcon Cloud Security, which extends endpoint detection and response (EDR) to cloud workloads; Prisma Cloud by Palo Alto Networks, which offers CSPM, CWPP, and CIEM in a unified platform; and Wiz, which provides agentless cloud security scanning across compute, storage, and identity resources.

The tradeoff with third-party tools is cost and complexity. Native AWS tools are tightly integrated, often free or included in AWS pricing, and require minimal infrastructure. Third-party tools add per-asset or per-account licensing costs, require data export configurations, and introduce a dependency on an external vendor. The value proposition is strongest when you need cross-cloud coverage or when native tool limitations create unacceptable monitoring gaps.

Building a Complete AWS Security Monitoring Stack

No single tool — native or third-party — provides comprehensive AWS security monitoring. An effective stack layers tools by monitoring domain.

For threat detection, deploy GuardDuty in all accounts with delegated administrator for centralized findings. This covers credential compromise, unauthorized resource provisioning, network threats, and data exfiltration indicators.

For audit and investigation, configure an organization trail in CloudTrail with centralized log storage. Integrate with Athena or CloudTrail Lake for forensic queries. Pipe events to EventBridge for real-time custom detection rules.

For compliance monitoring, deploy Config with organization aggregator and conformance packs aligned to your regulatory standards. Security Hub aggregates compliance findings and provides standards-based scoring.

For vulnerability management, enable Inspector for EC2, Lambda, and ECR. Feed findings into Security Hub for centralized visibility.

For identity security, deploy IAM Access Analyzer for external access and unused permission detection. Supplement with custom CloudTrail monitoring for IAM policy changes, root account activity, and MFA status changes.
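One way to build the custom CloudTrail monitoring described here, and the EventBridge path described in the CloudTrail section above, as an added example rather than code from this article or from AWS: a small scanner that tags root activity, IAM policy changes and MFA device changes in a CloudTrail log file, with the same three conditions written as an EventBridge rule pattern for the near-real-time path. The event-name lists, tag names and sample records are constructed for the example.

```python
import json

IAM_POLICY_CHANGE_EVENTS = {  # IAM calls that change who may do what; extend as needed
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "AttachUserPolicy",
    "AttachRolePolicy", "AttachGroupPolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
}
MFA_CHANGE_EVENTS = {"EnableMFADevice", "DeactivateMFADevice", "DeleteVirtualMFADevice"}

# The same three conditions as an EventBridge rule pattern for the near-real-time path.
EVENTBRIDGE_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"$or": [
        {"userIdentity": {"type": ["Root"]}},
        {"eventSource": ["iam.amazonaws.com"],
         "eventName": sorted(IAM_POLICY_CHANGE_EVENTS | MFA_CHANGE_EVENTS)},
    ]},
}

def classify_record(rec):
    """Return alert tags for one CloudTrail record; an empty list means nothing of interest."""
    tags = []
    ident = rec.get("userIdentity", {})
    # Root console sign-in or API use. Calls a service makes on root's behalf carry invokedBy.
    if ident.get("type") == "Root" and not ident.get("invokedBy"):
        tags.append("root-activity")
    if rec.get("eventSource") == "iam.amazonaws.com":
        if rec.get("eventName") in IAM_POLICY_CHANGE_EVENTS:
            tags.append("iam-policy-change")
        elif rec.get("eventName") in MFA_CHANGE_EVENTS:
            tags.append("mfa-change")
    return tags

def scan_trail_file(text):
    # One CloudTrail log file as delivered to S3: {"Records": [...]}. Returns (eventID, tags) hits.
    hits = []
    for rec in json.loads(text)["Records"]:
        tags = classify_record(rec)
        if tags:
            hits.append((rec.get("eventID"), tags))
    return hits

SAMPLE_TRAIL = json.dumps({"Records": [  # constructed sample log file, not real account data
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}},
    {"eventID": "e2", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole"}},
]})
```

The scanner suits the batch path (Athena-style review of delivered log files); `EVENTBRIDGE_PATTERN` is the shape you would paste into an EventBridge rule so the same events raise alerts within seconds of delivery.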

For account health monitoring, integrate billing anomaly detection, SES reputation metrics, service quota monitoring, and AWS Health Dashboard events into your monitoring pipeline.

Where the Gaps Remain

Even with every native tool deployed and configured, gaps remain. There is no native service that provides a unified risk score across security, compliance, cost, and operational health for each account. There is no built-in correlation between billing anomalies and security findings — a spike in EC2 costs and a GuardDuty finding for credential compromise are surfaced in different dashboards, and the operator must manually connect them. SES reputation monitoring and service quota tracking are isolated from the security monitoring pipeline. And multi-account monitoring requires significant custom infrastructure to aggregate signals into a coherent organizational view.

FAQ

What is the best AWS security monitoring tool?

There is no single best tool. AWS security monitoring requires a layered approach: GuardDuty for threat detection, CloudTrail for audit logging, Config for compliance monitoring, Security Hub for findings aggregation, and Inspector for vulnerability management. The most effective monitoring architectures combine these native tools with either custom integration logic or a platform that aggregates their outputs into a unified view.

Is AWS GuardDuty worth enabling?

Yes. GuardDuty provides ML-based threat detection with no infrastructure overhead and minimal cost relative to its coverage. It detects credential compromise, network threats, and unauthorized resource provisioning patterns that are difficult to catch with rule-based monitoring alone. Enable it in all accounts with delegated administrator configuration for centralized findings.

How does AWS Security Hub differ from GuardDuty?

GuardDuty generates threat detection findings based on behavioral analysis of CloudTrail, VPC Flow Logs, and DNS logs. Security Hub aggregates findings from GuardDuty and other services into a centralized dashboard and evaluates your environment against compliance standards. GuardDuty detects threats; Security Hub organizes findings and measures compliance. They are complementary, not competitive.

Do I need a third-party SIEM if I use AWS native security tools?

A third-party SIEM is most valuable when you need to correlate AWS security events with non-AWS data sources (on-premises logs, SaaS application events, endpoint telemetry) or when you need custom detection rules beyond what GuardDuty provides. If your environment is AWS-only and native tool coverage meets your requirements, a SIEM adds cost without proportional value. If you operate across multiple clouds or need advanced correlation, a SIEM fills gaps that native tools cannot.

How do I monitor AWS SES reputation to avoid account issues?

Monitor SES bounce rates and complaint rates through CloudWatch metrics in the AWS/SES namespace. Set alarms when bounce rates exceed 5% or complaint rates exceed 0.1% — the thresholds at which AWS begins restricting sending capability. Integrate SES reputation metrics into your broader account health monitoring to ensure that sending reputation issues are visible alongside security and billing health indicators.
