Detective Tooling Bundle

Amazon CloudWatch and AWS Trusted Advisor — the generic, foundational observability and best-practice-checking layer that almost every other security service in this study set quietly relies on or gets compared against. Neither is a dedicated "security service" the way GuardDuty or Inspector are, but both show up constantly as integration points, distractors, and standalone exam targets in their own right.

Note: IAM Access Analyzer — originally grouped under "Detective Tooling" — is covered in the IAM & Governance Bundle, since it's structurally an IAM capability. This file focuses on CloudWatch and Trusted Advisor.

Roles: Detective (primary role), Governance (best-practice checks), Responsive (alarm-driven automation)

Key figures:
  • ML-powered: CloudWatch Logs anomaly detection
  • 500: log anomaly detector quota per account
  • 482: Trusted Advisor checks at Business Support+
  • 56: checks available on every support plan

The Core Mental Model — Generic Observability vs Specialized Detection

Two Tools, One Shared Role: The Foundation Everything Else Builds On
⚠️ The Recurring Exam Theme

Questions here test whether you know these are GENERIC tools layered underneath the specialized security services already covered, not replacements for them. CloudWatch alarms can detect a metric threshold breach, but they don't understand "this is a credential compromise" the way GuardDuty does — you have to build that logic yourself via metric filters/alarms. Trusted Advisor's security checks are real but limited and support-plan-gated — it complements, but doesn't replace, Config or Security Hub CSPM for deep, customizable compliance evaluation.

Exam Domain Mapping

Domain | Where This Bundle Shows Up
Security Logging & Monitoring | The centerpiece — metric filters, alarms, Logs Insights, anomaly detection
Threat Detection & Incident Response | Custom alarm-driven response patterns, EventBridge integration for automated remediation
Management & Security Governance | Trusted Advisor's Security category checks, Organizational View for multi-account visibility

Decision Tree — Mental Model

Threat

A metric crossing an unsafe threshold; unusual patterns in log volume/content that no specialized service is watching for; basic AWS misconfigurations (public S3 buckets, open security group ports, missing root MFA) going unnoticed

Security Goal

Generic, broad-coverage observability and best-practice checking underneath/alongside the specialized detection services

AWS Service

The Detective Tooling Bundle

  • CloudWatch metrics + alarms
  • CloudWatch Logs Insights + anomaly detection
  • Trusted Advisor security checks
  • Organizational View
Implementation

Build metric filters/alarms on security-relevant log patterns; enable CloudWatch Logs anomaly detection on critical log groups; ensure Business Support+ (or higher) for full Trusted Advisor security check coverage; enable Organizational View for multi-account rollup.

Monitoring

CloudWatch alarms → SNS/EventBridge; Trusted Advisor refreshed checks (automatic on Business Support+, manual on Basic/Developer) surfaced via API/console/EventBridge.

Remediation

EventBridge-triggered Lambda on alarm/check state change; manual remediation guided by Trusted Advisor's specific recommendation per check.

Final Summary

Must Memorize
  • CloudWatch is the generic substrate other security services route into — it has no inherent security-specific intelligence of its own beyond what you build (alarms/filters) or its own ML anomaly detection features
  • CloudWatch Logs anomaly detection is ML-powered, free to create detectors, with a default quota of 500 per account
  • Trusted Advisor's FULL check set (482 total) requires Business Support+ or higher; free/Basic-Developer tiers get only 56 checks (service limits + select security)
  • Trusted Advisor security checks (free tier) include: public S3 buckets, public EBS/RDS snapshots, unrestricted security group ports, root MFA status
  • Basic/Developer Support plans require MANUAL refresh of Trusted Advisor checks; Business Support+ and above refresh automatically
Must Understand
  • Why CloudWatch alarms require YOU to define the threshold/pattern, unlike GuardDuty's pre-built ML threat detection
  • The conceptual overlap and distinction between Trusted Advisor, Config, and Security Hub CSPM — all evaluate against best practices/rules, at different depths of customization
  • The Organizational View pattern for rolling up Trusted Advisor findings across an entire AWS Organization
Can De-prioritize
  • Exact dollar pricing per alarm type
  • Full list of all 482 Trusted Advisor checks
  • Console UI navigation specifics

Exam appearance probability: MEDIUM

Core Services — Deep Dive

CloudWatch Core Concepts: the generic substrate
Metrics | Time-series data points published by AWS services or custom applications; the raw measurements alarms evaluate
Metric filters | Pattern-matching rules applied to CloudWatch Logs that turn matching log lines into a CloudWatch METRIC (e.g. count of "AccessDenied" occurrences per minute)
Alarms | Watch a metric (standard threshold OR anomaly detection band) and transition between OK/ALARM/INSUFFICIENT_DATA states, triggering notifications/actions on state change
Composite alarms | Combine multiple existing alarms using AND/OR logic into one higher-level alarm, reducing noise from correlated, simultaneous alarm firing
  • The classic security pattern: trail delivers events to CloudWatch Logs → a metric filter matches a sensitive pattern (root account usage, unauthorized API calls, security group changes) → an alarm fires → SNS notifies the team or EventBridge triggers automated response.
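The CloudTrail → metric filter → alarm chain in the bullet above (and the root-login requirement in the Exam Thinking section) as an added worked example; this is not code from the page or from AWS. The filter pattern is the CIS AWS Foundations Benchmark root-usage pattern. parse_pattern and matches are a simplified local re-implementation of the JSON subset of the CloudWatch Logs filter-pattern syntax, so the pattern can be tested against sample events before it is deployed; they are not the CloudWatch engine. The events, log group name, metric namespace and SNS topic ARN are constructed placeholders.

```python
"""CloudTrail -> CloudWatch Logs metric filter -> alarm, for root account usage.

Added example, not code from the page or from AWS. parse_pattern/matches are a
simplified local re-implementation of the JSON subset of the CloudWatch Logs
filter-pattern syntax (=, !=, EXISTS, NOT EXISTS joined by &&) so the pattern
can be tested against sample events before deployment; the two *_params
functions return boto3 keyword arguments. Log group and SNS ARN are placeholders.
"""
import re

# CIS AWS Foundations Benchmark pattern for "root account used": root identity,
# not invoked by an AWS service on the account's behalf, not a service event.
ROOT_USAGE_PATTERN = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                      '&& $.eventType != "AwsServiceEvent" }')

# Constructed CloudTrail-style events, trimmed to the fields the filter reads.
SAMPLE_EVENTS = [
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",        # root login: match
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventType": "AwsApiCall", "eventName": "ListBuckets",              # IAM user: no match
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventType": "AwsServiceEvent", "eventName": "RotateSecret",        # service event: excluded
     "userIdentity": {"type": "Root"}},
    {"eventType": "AwsApiCall", "eventName": "DescribeInstances",        # service acting as root: excluded
     "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}},
]

_CLAUSE = re.compile(r'\$\.(?P<path>[\w.]+)\s*(?:(?P<op>!=|=)\s*"(?P<val>[^"]*)"'
                     r'|(?P<exists>NOT EXISTS|EXISTS))')


def parse_pattern(pattern):
    """Split a { a && b && c } JSON pattern into clause dicts."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("only JSON-style { ... } patterns are handled here")
    clauses = []
    for raw in body[1:-1].split("&&"):
        m = _CLAUSE.fullmatch(raw.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {raw.strip()!r}")
        clauses.append(m.groupdict())
    return clauses


def _lookup(event, dotted):
    """(value, present) for a $.a.b selector."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None, False
        cur = cur[part]
    return cur, True


def matches(event, clauses):
    """True when every clause holds. Edge-case assumption: a missing field fails
    '=' and passes '!='; every sample event carries the fields the pattern uses."""
    for c in clauses:
        value, present = _lookup(event, c["path"])
        if c["exists"] == "EXISTS" and not present:
            return False
        if c["exists"] == "NOT EXISTS" and present:
            return False
        if c["op"] == "=" and (not present or str(value) != c["val"]):
            return False
        if c["op"] == "!=" and present and str(value) == c["val"]:
            return False
    return True


def count_root_usage(events, pattern=ROOT_USAGE_PATTERN):
    """What the metric filter would publish for this batch: number of matches."""
    clauses = parse_pattern(pattern)
    return sum(1 for e in events if matches(e, clauses))


def metric_filter_params(log_group, filter_name="RootAccountUsage"):
    """kwargs for logs.put_metric_filter(**...)."""
    return {"logGroupName": log_group, "filterName": filter_name,
            "filterPattern": ROOT_USAGE_PATTERN,
            "metricTransformations": [{"metricName": "RootAccountUsageCount",
                                       "metricNamespace": "CloudTrailMetrics",
                                       "metricValue": "1",
                                       "defaultValue": 0.0}]}  # emit 0 for non-matching events


def alarm_params(sns_topic_arn, alarm_name="RootAccountUsage"):
    """kwargs for cloudwatch.put_metric_alarm(**...): one match in a 5-minute window alarms."""
    return {"AlarmName": alarm_name, "Namespace": "CloudTrailMetrics",
            "MetricName": "RootAccountUsageCount", "Statistic": "Sum", "Period": 300,
            "EvaluationPeriods": 1, "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "TreatMissingData": "notBreaching",  # quiet periods stay OK, not INSUFFICIENT_DATA
            "AlarmActions": [sns_topic_arn]}


if __name__ == "__main__":
    print("root usage events in sample:", count_root_usage(SAMPLE_EVENTS))
```

To deploy, pass the two dicts to boto3.client("logs").put_metric_filter(**...) and boto3.client("cloudwatch").put_metric_alarm(**...); the trail must already be delivering to that log group. Of the four sample events only the interactive console login matches: the service event and the service-invoked call are excluded by the second and third clauses, which is exactly why the CIS pattern has them.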
CloudWatch Metric Anomaly Detection: ML-based banded thresholds
What it does | Builds a statistical model of a metric's normal behavior over time, generating an expected "band" of normal values; alarms can trigger when the metric falls OUTSIDE that band, rather than against a single fixed threshold
Anomaly detection threshold | A configurable sensitivity value: higher creates a thicker, more tolerant "normal" band; lower creates a thinner band that alarms on smaller deviations
Metric math support | Anomaly detection can also be applied to METRIC MATH expressions (combinations/calculations across multiple metrics), not just raw single metrics, including support for Prometheus-compatible metrics via PromQL functions
Model warm-up | For a brand-new model, it can take up to 3 hours before the actual anomaly detection band appears/becomes usable
  • "Detect an unusual deviation in a custom application metric, without manually setting and tuning a fixed numeric threshold" → CloudWatch metric anomaly detection.
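An anomaly-band alarm as an added example (not code from the page or from AWS). Built by hand through the API, this alarm has a shape the console hides: the metric and the ANOMALY_DETECTION_BAND expression go in one Metrics list, ThresholdMetricId names the expression instead of a numeric Threshold, and only the three band comparison operators are valid. anomaly_alarm_params returns the boto3 put_metric_alarm keyword arguments; validate_anomaly_alarm checks those rules before the call. The namespace, metric, dimensions and SNS ARN are placeholders.

```python
"""Anomaly-band alarm definition for a CloudWatch metric.

Added example, not code from the page or from AWS. anomaly_alarm_params() returns
the boto3 put_metric_alarm keyword arguments for an alarm that fires when a metric
leaves its ANOMALY_DETECTION_BAND; validate_anomaly_alarm() checks the structural
rules the API enforces. Namespace, metric, dimensions and SNS ARN are placeholders.
"""
import re

# Comparison operators that compare against a band rather than a number.
BAND_OPERATORS = {
    "LessThanLowerOrGreaterThanUpperThreshold",
    "GreaterThanUpperThreshold",
    "LessThanLowerThreshold",
}


def anomaly_alarm_params(namespace, metric_name, dimensions, sns_topic_arn,
                         band_width=2, period=300, stat="Sum",
                         operator="GreaterThanUpperThreshold", alarm_name=None):
    """band_width is the page's 'anomaly detection threshold': the band's width in
    standard deviations of the model. Larger -> wider band -> fewer alarms."""
    return {
        "AlarmName": alarm_name or f"{metric_name}-anomaly",
        "ComparisonOperator": operator,
        "EvaluationPeriods": 2,
        "DatapointsToAlarm": 2,          # two consecutive out-of-band points, not one blip
        "ThresholdMetricId": "ad1",      # the band, not a number, is the threshold
        "TreatMissingData": "missing",
        "AlarmActions": [sns_topic_arn],
        "Metrics": [
            {"Id": "m1", "ReturnData": True,
             "MetricStat": {"Metric": {"Namespace": namespace, "MetricName": metric_name,
                                       "Dimensions": dimensions},
                            "Period": period, "Stat": stat}},
            {"Id": "ad1", "ReturnData": True,
             "Expression": f"ANOMALY_DETECTION_BAND(m1, {band_width})",
             "Label": f"{metric_name} expected band"},
        ],
    }


_BAND_EXPR = re.compile(r"ANOMALY_DETECTION_BAND\(\s*(\w+)\s*(?:,\s*[\d.]+\s*)?\)")


def validate_anomaly_alarm(params):
    """Return a list of problems; an empty list means the definition is consistent."""
    problems = []
    metrics = {m["Id"]: m for m in params.get("Metrics", [])}
    band = metrics.get(params.get("ThresholdMetricId"))
    if band is None or "Expression" not in band:
        problems.append("ThresholdMetricId must name an Expression entry in Metrics")
    else:
        m = _BAND_EXPR.fullmatch(band["Expression"])
        if m is None:
            problems.append("threshold expression is not ANOMALY_DETECTION_BAND(<id>[, width])")
        elif "MetricStat" not in metrics.get(m.group(1), {}):
            problems.append(f"band references unknown metric id {m.group(1)!r}")
    if params.get("ComparisonOperator") not in BAND_OPERATORS:
        problems.append("anomaly alarms need a band comparison operator, not a numeric one")
    if "Threshold" in params:
        problems.append("Threshold and ThresholdMetricId are mutually exclusive")
    return problems


if __name__ == "__main__":
    p = anomaly_alarm_params("CloudTrailMetrics", "ConsoleLoginFailures", [],
                             "arn:aws:sns:us-east-1:123456789012:security-alerts")
    print(validate_anomaly_alarm(p) or "alarm definition is consistent")
```

Pass the validated dict to boto3.client("cloudwatch").put_metric_alarm(**params). The model behind the band can also be created explicitly first with put_anomaly_detector on the same metric and statistic; either way the band is not usable until the warm-up described above has completed.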
CloudWatch Logs, Insights & Logs Anomaly Detection: ML-powered, exam-fresh refinements (High priority)
CloudWatch Logs Insights | A purpose-built query language for ad-hoc, interactive analysis directly against log data
Log classes | Standard ($0.50/GB) vs Infrequent Access ($0.25/GB, half the cost); as of early 2026, Infrequent Access logs support FULL Logs Insights querying, making it the recommended default for application logs that don't need real-time alarming
Log anomaly detection | ML-powered: automatically infers PATTERNS in log data (treating dynamic tokens like error codes, IPs, timestamps, request IDs as variable parts of a pattern), trains a model on those patterns, then flags significant fluctuations as anomalies after the training period; each anomaly is assigned a priority
Cost | Creating log anomaly detectors does NOT incur a charge
Default quota | Increased from 10 to 500 log anomaly detectors per account (Oct 2024)
On-demand anomaly queries | The anomaly command in Logs Insights queries lets you find unusual patterns ON-DEMAND (not just via a continuously-running detector), detecting five types of anomalies including pattern frequency changes, new patterns, and token variations
Encryption | Log anomaly detector models and their results can be encrypted with AWS KMS
  • "Identify a brand-new, never-before-seen error pattern appearing in our application logs, without manually writing a filter pattern for something we don't yet know to look for" → CloudWatch Logs anomaly detection (it specifically catches NEW patterns, not just frequency changes in known ones).
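The pattern-inference idea in the table above, as an added example run over constructed log lines. This is not code from the page and not CloudWatch's algorithm; it is a deliberately small imitation that shows the two kinds of anomaly the text distinguishes. Dynamic tokens (timestamps, IPs, UUIDs, hex ids, numbers) are masked so each line collapses to a template; a baseline window learns the templates and their rates; a later window is then scored for templates never seen before and for known templates whose count has moved far from the baseline rate. The log format, paths and the 3x ratio threshold are assumptions made for the example.

```python
"""Pattern inference over log text: new templates vs frequency shifts.

Added example, not code from the page and not CloudWatch's algorithm: a small
imitation of what log anomaly detection does conceptually. All log lines are
constructed; the ratio threshold is an arbitrary choice for illustration.
"""
import re
from collections import Counter

# Order matters: specific shapes first, then any remaining digit run.
MASKS = [
    (re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"), "<TS>"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b"), "<UUID>"),
    (re.compile(r"\b0x[0-9a-f]+\b|\b[0-9a-f]{16,}\b"), "<HEX>"),
    (re.compile(r"\d+"), "<N>"),
]


def template(line):
    """Collapse one log line to its pattern by masking variable tokens."""
    for rx, tag in MASKS:
        line = rx.sub(tag, line)
    return line


def make_lines(count, fmt):
    """Constructed log lines: fmt receives a seconds counter, a latency and a client IP."""
    return [fmt.format(i=i, ms=10 + i % 7, ip=f"10.0.{i % 4}.{i % 250}") for i in range(count)]


BASELINE = (
    make_lines(40, "2026-02-01T10:00:{i:02d}Z INFO GET /api/orders 200 {ms}ms client={ip}")
    + make_lines(5, "2026-02-01T10:01:{i:02d}Z WARN GET /api/orders 401 unauthorized client={ip}")
)
CURRENT = (
    make_lines(42, "2026-02-01T10:10:{i:02d}Z INFO GET /api/orders 200 {ms}ms client={ip}")
    + make_lines(38, "2026-02-01T10:11:{i:02d}Z WARN GET /api/orders 401 unauthorized client={ip}")  # known, ~4x rate
    + make_lines(3, "2026-02-01T10:12:{i:02d}Z ERROR db pool exhausted after {ms}ms waiting")          # never seen
)


def learn_baseline(lines):
    """Template -> fraction of baseline lines carrying it."""
    counts = Counter(template(l) for l in lines)
    return {t: c / len(lines) for t, c in counts.items()}


def score_window(baseline_rates, lines, ratio_threshold=3.0):
    """Flag templates that are new, or whose count deviates by >= ratio_threshold
    (in either direction) from what the baseline rate predicts for this window."""
    counts = Counter(template(l) for l in lines)
    anomalies = []
    for t, c in counts.items():
        if t not in baseline_rates:
            anomalies.append({"template": t, "kind": "new_pattern", "count": c, "priority": "HIGH"})
            continue
        expected = baseline_rates[t] * len(lines)
        ratio = c / expected
        if ratio >= ratio_threshold or ratio <= 1 / ratio_threshold:
            anomalies.append({"template": t, "kind": "frequency_change", "count": c,
                              "expected": round(expected, 1), "priority": "MEDIUM"})
    return anomalies


if __name__ == "__main__":
    for a in score_window(learn_baseline(BASELINE), CURRENT):
        print(a["priority"], a["kind"], a["count"], a["template"])
```

The INFO template is present in both windows at a similar rate and is not flagged; the 401 template is flagged as a frequency change (38 lines where the baseline predicts about 9); the pool-exhaustion template is flagged as new even though only three lines carry it, which is the case a hand-written metric filter cannot cover. A real detector keeps learning as data arrives instead of using one fixed baseline window.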
AWS Trusted Advisor: support-plan-gated best-practice checks
Categories | Cost Optimization, Performance, Security, Fault Tolerance, Service Limits, Operational Excellence
Check status colors | Green (no problem), Yellow (investigation recommended), Red (action recommended), Gray (excluded items)
Free / Basic / Developer Support tier | All accounts get 56 checks: full Service Limits category, plus SELECT Security checks (public S3 buckets, public EBS/RDS snapshots, unrestricted security group ports, root account MFA status)
Business Support+ and above | Unlocks the FULL 482-check set across all six categories
Refresh behavior | Business Support+ and above: automatic refresh. Basic/Developer Support: MUST manually refresh Security category checks, and only in the console; programmatic access to check results (the AWS Support API and the Trusted Advisor API) requires a Business-tier or higher plan
Config-powered checks | 64+ checks (added 2023) are powered by underlying AWS Config managed rules, automatically reflecting findings if Config is enabled; available to Business/Enterprise-tier customers
Organizational View | Aggregates Trusted Advisor findings across an ENTIRE AWS Organization; requires Organizations with all features enabled plus a supported Support plan
  • Support plan restructuring (2026): Developer Support, Business Support, and Enterprise On-Ramp are being discontinued January 1, 2027, with customers steered toward Business Support+ (delivering AI-powered assistance) or Enterprise Support (with a reduced $5,000 minimum, down from $15,000). This is a live transition worth knowing exists, even if exact pricing isn't exam-critical.
  • "Determine, at no incremental support-plan cost, whether our root account has MFA enabled and whether any S3 buckets are public" → Trusted Advisor's free-tier security checks satisfy this without needing Business Support+.
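Triaging a Trusted Advisor security check programmatically, as an added example (not code from the page or from AWS). It works on the response shapes of the Support API: describe_trusted_advisor_checks returns each check's name, category and metadata column headings; describe_trusted_advisor_check_result returns result.status, result.timestamp and result.flaggedResources[], whose metadata values line up positionally with those headings. Both documents below are constructed, and the check ID and column names are illustrative placeholders rather than a real check's. Calling these APIs requires a Business-tier or higher Support plan.

```python
"""Triage one Trusted Advisor check result from the AWS Support API.

Added example, not code from the page or from AWS. Both documents are constructed;
the check ID and column headings are placeholders, not a real check's metadata.
"""
from datetime import datetime, timedelta, timezone

# Console colour per result status.
STATUS_COLOR = {"ok": "green", "warning": "yellow", "error": "red", "not_available": "gray"}

SAMPLE_CHECK = {  # constructed; shape of one entry from describe_trusted_advisor_checks
    "id": "EXAMPLE-CHECK-ID",
    "name": "Amazon S3 Bucket Permissions",
    "category": "security",
    "metadata": ["Region", "Bucket Name", "ACL Allows List", "Policy Allows Public Access", "Status"],
}

SAMPLE_RESULT = {  # constructed; shape of describe_trusted_advisor_check_result
    "result": {
        "checkId": "EXAMPLE-CHECK-ID",
        "timestamp": "2026-01-03T09:15:00Z",
        "status": "error",
        "resourcesSummary": {"resourcesProcessed": 3, "resourcesFlagged": 2,
                             "resourcesIgnored": 0, "resourcesSuppressed": 0},
        "flaggedResources": [
            {"status": "error", "region": "us-east-1", "resourceId": "r-1", "isSuppressed": False,
             "metadata": ["us-east-1", "logs-archive-public", "Yes", "Yes", "Red"]},
            {"status": "warning", "region": "eu-west-1", "resourceId": "r-2", "isSuppressed": False,
             "metadata": ["eu-west-1", "marketing-assets", "Yes", "No", "Yellow"]},
            {"status": "ok", "region": "us-east-1", "resourceId": "r-3", "isSuppressed": False,
             "metadata": ["us-east-1", "finance-ledger", "No", "No", "Green"]},
        ],
    }
}


def _utc(ts):
    """Accept an ISO-8601 string with a trailing Z or an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if isinstance(ts, str) else ts


def triage(check, check_result, now, max_age=timedelta(days=7)):
    """Summarise a check: console colour, whether the result is stale, and the
    unsuppressed resources needing attention, labelled with the check's own headings."""
    res = check_result["result"]
    if res["checkId"] != check["id"]:
        raise ValueError("result does not belong to this check")
    refreshed = _utc(res["timestamp"])
    flagged = []
    for r in res["flaggedResources"]:
        if r["isSuppressed"] or r["status"] not in ("warning", "error"):
            continue
        row = dict(zip(check["metadata"], r["metadata"]))
        row.update({"_status": r["status"], "_region": r["region"], "_resourceId": r["resourceId"]})
        flagged.append(row)
    return {
        "check": check["name"],
        "category": check["category"],
        "color": STATUS_COLOR.get(res["status"], "gray"),
        "refreshed": refreshed,
        "stale": _utc(now) - refreshed > max_age,  # old results can hide a new misconfiguration
        "flagged": flagged,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_CHECK, SAMPLE_RESULT, datetime.now(timezone.utc))
    print(summary["check"], summary["color"], "stale" if summary["stale"] else "fresh")
    for row in summary["flagged"]:
        print(" ", row["_status"], row["Bucket Name"], row["_region"])
```

Against a real account, boto3.client("support", region_name="us-east-1") is required because the Support API is served from us-east-1 only; describe_trusted_advisor_checks(language="en") supplies the check documents and describe_trusted_advisor_check_result(checkId=...) the results. Refresh a check (refresh_trusted_advisor_check) before acting on a result the function reports as stale.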

AWS Exam Thinking

Requirement → Keywords → Expected Answer → why every distractor fails.

Requirement: Alert the team in near real-time when "root account login" appears in CloudTrail logs
Keywords: root account usage; near real-time alert
Expected Answer: CloudTrail → CloudWatch Logs → metric filter → alarm → SNS

Distractor | Why it's wrong
GuardDuty | Could ALSO detect anomalous root usage via its own ML, but the SPECIFIC, deterministic "this exact pattern occurred" alerting is the textbook metric-filter-and-alarm pattern
Trusted Advisor | Checks root MFA STATUS (a static configuration check), not real-time LOGIN EVENT alerting

Requirement: Catch a brand-new, previously unseen error pattern in application logs without writing a filter for it in advance
Keywords: never-before-seen pattern; no pre-written filter
Expected Answer: CloudWatch Logs anomaly detection

Distractor | Why it's wrong
A manually written metric filter | By definition requires you to already know the pattern to write the filter; it can't catch something genuinely new

Requirement: Check, at zero incremental support-plan cost, whether any S3 buckets are publicly accessible or root MFA is missing
Keywords: no incremental cost; basic security posture check
Expected Answer: Trusted Advisor (free-tier security checks)

Distractor | Why it's wrong
Security Hub CSPM | A real, deeper option, but introduces its own per-check evaluation cost; not the "zero incremental cost" answer the requirement specifically calls for

Requirement: Get a single, consolidated view of Trusted Advisor findings across every account in an AWS Organization
Keywords: org-wide rollup; consolidated view
Expected Answer: Trusted Advisor Organizational View

Distractor | Why it's wrong
Manually checking Trusted Advisor in each account individually | Doesn't scale and defeats the purpose of the consolidated view that Organizational View provides natively

Integrations

Service | What it contributes
AWS CloudTrail | A trail can stream events to CloudWatch Logs, enabling metric filters/alarms on specific API activity patterns
Amazon SNS | The standard notification target when a CloudWatch alarm transitions to ALARM state
Amazon EventBridge | Both CloudWatch alarm state changes and Trusted Advisor check status changes can be routed through EventBridge for automated, programmatic remediation workflows
AWS KMS | Encrypts CloudWatch Logs anomaly detector models and their results
AWS Config | Powers 64+ Trusted Advisor checks directly; Trusted Advisor reflects findings from deployed Config managed rules automatically when Config is enabled
AWS Organizations | Required (with all features enabled) for Trusted Advisor's Organizational View, consolidating findings across every member account

Costs, Limits & Quotas

Pricing Model

Standard resolution alarms | ~$0.10/alarm metric/month (60-second evaluation)
High-resolution alarms | ~$0.30/alarm metric/month (10- or 30-second evaluation)
Anomaly detection alarms | ~$0.30/alarm/month at standard resolution (billed as three alarm metrics), ~$0.90 at high resolution
Composite alarms | ~$0.50/composite alarm/month
CloudWatch Logs — Standard class | ~$0.50/GB ingested after a 5 GB/month free tier
CloudWatch Logs — Infrequent Access class | ~$0.25/GB ingested, half of Standard, now with full Logs Insights query support (early 2026+)
CloudWatch Logs anomaly detectors | No charge to create
Trusted Advisor | Included with the relevant AWS Support plan; no separate per-check charge

Limits & Quotas

Log anomaly detectors | Default quota of 500 per account (increased from 10 in October 2024)
New anomaly model warm-up | Up to 3 hours before the detection band appears for a brand-new metric model
Trusted Advisor free-tier checks | 56 checks total (Service Limits + select Security) on Basic/Developer Support
Trusted Advisor full check set | 482 checks, requiring Business Support+ or higher
⚠️ Exam trap

On Basic or Developer Support, Trusted Advisor's Security category checks do NOT refresh automatically — they must be manually refreshed, meaning a stale check result could mask a recently introduced misconfiguration if no one remembers to refresh it.

Best Practices & Common Exam Traps

8 — Best Practices

Must Know
  • CloudWatch has no inherent security intelligence — alarms/filters require YOU to define what to watch for
  • CloudWatch Logs anomaly detection is ML-powered, free to create, catches genuinely NEW patterns, not just threshold breaches
  • Trusted Advisor's full 482-check set requires Business Support+; free tier gets only 56 (Service Limits + select Security)
  • Basic/Developer Support requires MANUAL refresh of Trusted Advisor Security checks
  • Organizational View requires Organizations with all features enabled + a supported Support plan
Good Practice
  • Build metric filters/alarms on CloudTrail-derived security-relevant log patterns (root usage, unauthorized API calls)
  • Enable CloudWatch Logs anomaly detection on critical, high-signal log groups
  • Route both CloudWatch alarms and Trusted Advisor check changes through EventBridge for automated response
  • Verify Support plan tier covers the Trusted Advisor security checks your compliance posture actually depends on
Advanced Practice
  • Use composite alarms to reduce noise from correlated individual alarm firings
  • Use the on-demand anomaly Logs Insights command for ad-hoc investigation during incident response, not just continuous detectors
  • Leverage Config-powered Trusted Advisor checks for automatic reflection of Config managed rule findings without separate setup
  • Use Infrequent Access log class with full Logs Insights support for cost-efficient long-term log retention without sacrificing query capability

9 — Common Exam Traps

Misconception | Reality
"CloudWatch automatically knows what 'malicious' activity looks like, like GuardDuty does" | False: CloudWatch alarms/filters only watch for whatever pattern/threshold YOU explicitly define; its anomaly detection is statistical, not threat-intelligence-driven
"All Trusted Advisor checks are available on every Support plan" | False: only 56 of 482 checks are available below Business Support+; the rest require that tier or higher
"Trusted Advisor checks always refresh automatically" | Only true on Business Support+ and above; Basic/Developer Support requires manual refresh of Security category checks
"Trusted Advisor is a full replacement for AWS Config or Security Hub CSPM" | It's broader (covers cost/performance too) but shallower on security-specific depth and customization; complementary, not a replacement
"CloudWatch Logs anomaly detection costs extra to set up" | Creating log anomaly detectors does not incur a charge; standard CloudWatch Logs ingestion/storage costs still apply, but the detector itself is free

Lookalike Comparisons

Comparison | What actually differs
CloudWatch vs GuardDuty | Generic, define-it-yourself metric/log monitoring vs purpose-built, pre-trained ML threat detection across curated AWS-native data sources
CloudWatch metric anomaly detection vs Logs anomaly detection | Statistical "normal band" around a numeric METRIC vs ML-inferred PATTERN analysis of log TEXT, including detecting genuinely new patterns
Trusted Advisor vs AWS Config | Broad, opinionated, support-plan-gated best-practice checks across 6 categories (cost/performance/security/etc.) vs a deep, fully customizable configuration-rule evaluation engine you can extend with your own custom rules
Trusted Advisor vs Security Hub CSPM | General AWS best practices with a scope broader than security vs standards-mapped (CIS/PCI/NIST/FSBP), security-specific, continuously-scored compliance framework
CloudWatch Logs Standard vs Infrequent Access class | Full price, optimized for real-time alarming vs half price, optimized for less time-sensitive logs, now also supporting full Logs Insights querying

Flashcards — 15 Cards


Practice Quiz — 8 Questions

SCS-C02 scenario style, Easy → Specialty.