SECURITY | Published 2025-09-15 | Updated 2025-12-10

    GuardDuty vs Inspector vs Macie vs Security Hub

    Which AWS security service do you actually need?

    Four AWS security services that everyone confuses. GuardDuty detects threats, Inspector finds vulnerabilities, Macie discovers sensitive data, and Security Hub aggregates it all. Here is exactly when to use each - and why you probably need all four.

    Service Overview

Amazon GuardDuty

Threat Detection

Detects active threats and attack sequences in real time

Type: Real-time threat monitoring
Pricing: ~$4/M events (CloudTrail), ~$1/GB (VPC Flow Logs & DNS)
Amazon Inspector

Vulnerability Management

Finds CVEs in EC2, Lambda, ECR + SAST/IaC scanning

Type: Automated vulnerability scanning
Pricing: ~$1.26/instance/month (EC2), ~$0.30/function/month (Lambda)
Amazon Macie

Data Security

Discovers PII, PHI, financial data in S3 automatically

Type: Sensitive data discovery
Pricing: $0.10/bucket/month + $1/GB scanned (first 50 TB)
AWS Security Hub

Security Posture

Unified dashboard across all security tools + compliance checks

Type: Finding aggregation & compliance
Pricing: $0.0010/finding ingestion (first 10K/month/region)

    Side-by-Side Comparison

$ diff --side-by-side

Primary Function
  GuardDuty: Threat detection
  Inspector: Vulnerability scanning
  Macie: Data classification
  Security Hub: Finding aggregation

What It Monitors
  GuardDuty: CloudTrail, VPC Flow Logs, DNS, S3, EKS, Runtime
  Inspector: EC2, Lambda, ECR images, source code, IaC
  Macie: S3 bucket contents
  Security Hub: Findings from GuardDuty, Inspector, Macie, Config, IAM Access Analyzer

Detection Method
  GuardDuty: ML + threat intelligence feeds
  Inspector: CVE database + SAST + SCA
  Macie: ML-based pattern matching
  Security Hub: Standards-based checks (CIS, FSBP, PCI)

Output
  GuardDuty: Threat findings (severity 0-10)
  Inspector: Vulnerability findings + SBOM
  Macie: Sensitive data findings + classification
  Security Hub: Aggregated findings + compliance scores

Agentless
  GuardDuty: Yes
  Inspector: Yes (EC2, Lambda) / Agent for runtime
  Macie: Yes
  Security Hub: Yes

Multi-Account
  GuardDuty: Yes (delegated admin)
  Inspector: Yes (delegated admin)
  Macie: Yes (delegated admin)
  Security Hub: Yes (delegated admin + cross-region)

Compliance Mapping
  GuardDuty: MITRE ATT&CK
  Inspector: CIS, NIST, PCI-DSS
  Macie: GDPR, HIPAA, PCI-DSS
  Security Hub: CIS, FSBP, PCI-DSS, NIST

2025 Update
  GuardDuty: Extended Threat Detection expanded to EC2/ECS attack sequences (re:Invent 2025; ETD launched re:Invent 2024)
  Inspector: SAST, SCA, IaC scanning - Terraform/CloudFormation (re:Inforce, June)
  Macie: No major update
  Security Hub: 1-year historical trends, cross-region aggregation (re:Invent)

    When to Use What

$ cat DECISION_GUIDE.md

IF   You want to know if someone is actively attacking your AWS account
THEN GuardDuty
WHY  Analyzes CloudTrail, VPC Flow Logs, and DNS in real time to detect credential compromise, crypto mining, C2 communication, and multi-stage attack sequences.

IF   You want to find unpatched software vulnerabilities before attackers do
THEN Inspector
WHY  Continuously scans EC2, Lambda, and ECR for CVEs. Now includes source code scanning (SAST) and IaC scanning for Terraform/CloudFormation.

IF   You need to know where sensitive data (PII, PHI, API keys) lives in S3
THEN Macie
WHY  Uses ML to automatically discover and classify sensitive data across all your S3 buckets. Essential for GDPR, HIPAA, and PCI-DSS compliance.

IF   You want a single dashboard to see your overall security posture
THEN Security Hub
WHY  Aggregates findings from all three services plus Config and third-party tools. Scores you against CIS, FSBP, and PCI standards.

IF   You are starting from scratch and can only enable one service
THEN GuardDuty
WHY  Highest immediate value. No configuration needed - enable it and it starts detecting threats within minutes. Everything else builds on top.

    Security Insights

    They are complementary, not competing

    The most common mistake is thinking you need to choose one. GuardDuty detects threats, Inspector finds vulnerabilities, Macie protects data, Security Hub ties them together. Enable all four.

    GuardDuty now detects multi-stage attacks

    Extended Threat Detection (launched re:Invent 2024, expanded to EC2/ECS at re:Invent 2025) uses ML to correlate events into attack sequences - detecting lateral movement, privilege escalation, and data exfiltration as a single finding.

    Inspector expanded beyond CVEs

    Inspector now includes SAST (source code scanning), SCA (dependency analysis), and IaC scanning for Terraform and CloudFormation templates. It is no longer just a vulnerability scanner.

    Security Hub historical data changed the game

With up to 1 year of trend data and period-over-period analysis, Security Hub is now a proper cloud security posture management (CSPM) tool, not just a finding aggregator.
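To make the "ties them together" point concrete, here is an added example (not code from the original page or from AWS) that triages findings the way Security Hub presents them: it reads the ASFF fields ProductName, Severity.Normalized, RecordState and Workflow.Status, routes each finding to an owning queue by the service that produced it, and orders the active ones most severe first. The sample findings and the queue names are constructed for this example.

```python
"""Added example: route Security Hub (ASFF) findings by producing service.
Sample findings below are constructed; queue names are this example's own."""

# Owning queue per producing service (queue names are assumptions for this example).
QUEUE_BY_PRODUCT = {
    "GuardDuty": "incident-response",   # active threat: someone may be in the account
    "Inspector": "patch-management",    # known CVE: fix before it is exploited
    "Macie": "data-protection",         # sensitive data exposure: involve the data owner
    "Security Hub": "cloud-posture",    # a CIS/FSBP/PCI control check failed
}

def severity_label(normalized):
    """Map ASFF Severity.Normalized (0-100) to the Security Hub label bands."""
    if normalized <= 0:
        return "INFORMATIONAL"
    if normalized < 40:
        return "LOW"
    if normalized < 70:
        return "MEDIUM"
    if normalized < 90:
        return "HIGH"
    return "CRITICAL"

def route(finding):
    """Return (queue, label) for one finding; unknown producers go to 'unrouted'."""
    queue = QUEUE_BY_PRODUCT.get(finding.get("ProductName", ""), "unrouted")
    normalized = finding.get("Severity", {}).get("Normalized", 0)
    return queue, severity_label(normalized)

def triage(findings):
    """Drop archived or resolved findings, then rank the rest most severe first."""
    active = [f for f in findings
              if f.get("RecordState", "ACTIVE") == "ACTIVE"
              and f.get("Workflow", {}).get("Status", "NEW") != "RESOLVED"]
    ranked = sorted(active, key=lambda f: -f["Severity"]["Normalized"])
    return [(f["Id"], *route(f)) for f in ranked]

SAMPLE_FINDINGS = [  # constructed, ASFF-shaped, not real AWS output
    {"Id": "insp-1", "ProductName": "Inspector", "Severity": {"Normalized": 70},
     "Title": "Unpatched package on EC2 (constructed)", "RecordState": "ACTIVE"},
    {"Id": "gd-1", "ProductName": "GuardDuty", "Severity": {"Normalized": 90},
     "Title": "Credential use from unusual location (constructed)", "RecordState": "ACTIVE"},
    {"Id": "macie-1", "ProductName": "Macie", "Severity": {"Normalized": 40},
     "Title": "PII in a public bucket (constructed)", "RecordState": "ACTIVE"},
    {"Id": "old-1", "ProductName": "GuardDuty", "Severity": {"Normalized": 80},
     "Title": "Already handled (constructed)", "RecordState": "ARCHIVED"},
]

if __name__ == "__main__":
    for fid, queue, label in triage(SAMPLE_FINDINGS):
        print(f"{label:<8} {fid:<8} -> {queue}")
```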

    Key Takeaways

$ cat SUMMARY.md

1. Enable all four services - they solve different problems and feed into each other
2. GuardDuty is the highest-value first step: zero config, immediate threat visibility
3. Security Hub is the single pane of glass that makes everything actionable
4. Inspector expanded to SAST + IaC scanning in 2025 - it is now a full AppSec tool
5. Use delegated administrator in AWS Organizations to manage all four centrally

Tags: Threat Detection, Vulnerability, Compliance, SIEM

    Need Architecture Guidance?

    These comparisons are a starting point. Every architecture is different. Contact us for tailored AWS security assessments and architectural guidance.