AWS Security Hub vs GuardDuty

Security posture plays a key role in AWS. While its security services might sound similar, each plays a different role in keeping an account secure.

As AWS offers new services, maintaining an understanding of what each does becomes a challenge.

A common question that comes up is what the difference between Security Hub and GuardDuty is, and whether you need to deploy only one of them or both.

This blog post will cover the differences in detail.

Figure: GuardDuty and Security Hub integration flow

What is GuardDuty?

GuardDuty is a fully managed threat detection service: nothing else needs to be configured for it to work. It continuously monitors the supported data sources and raises findings for suspicious activity.

Its agentless nature (by agentless we mean no additional installation) sets it apart from other third-party vendors. It operates behind the scenes: for example, to monitor IAM activity we don't need to configure CloudTrail ourselves.

What services can I monitor with GuardDuty?

  • EKS
  • EC2
  • Lambda
  • RDS
  • S3
  • CloudTrail
  • VPC Flow Logs
  • DNS logs

It functions as a detection service!

What is AWS Security Hub?

Security Hub functions as a reporting service.

Think of it as an easy-to-use interface where findings from various sources are displayed.

These findings can come from GuardDuty, Inspector, AWS Config, or any other service. The easy-to-use interface and the aggregation of findings from multiple regions make Security Hub a key service to enable if you have GuardDuty turned on.

One unique aspect of Security Hub is that it can deploy security standards such as:

  • AWS FSBP
  • CIS AWS Foundations Benchmark v1.4.0
  • NIST SP 800-53 Rev.5
  • PCI DSS

Behind the scenes, these are AWS Config rules managed by Security Hub.
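To make the aggregation concrete: once GuardDuty and the Security Hub standards are enabled, everything lands in Security Hub in one shape, the AWS Security Finding Format (ASFF), which is also what `aws securityhub get-findings` returns. The script below is an added example, not code from the original post or from AWS. It parses a constructed `get-findings` response containing one GuardDuty threat finding and two standards control findings (one failed, one passed), separates threat detections from posture checks using the `ProductName` and `Compliance` fields, and keeps only active, unresolved findings at or above a severity threshold. The account id, ARNs, finding ids and resource names in the sample are placeholders; the ASFF field names are the real ones.

```python
"""Triage Security Hub findings (ASFF) by source and severity.

Added example, not from the original post. Input is the JSON shape returned by
`aws securityhub get-findings`; the sample findings below are constructed for
illustration (account id, ARNs, ids and bucket names are placeholders).
"""
import json
from collections import Counter

# Constructed sample: one GuardDuty finding, one FSBP control that failed,
# one FSBP control that passed. Fields are trimmed to those used below.
SAMPLE_FINDINGS_JSON = """
{"Findings": [
  {"Id": "arn:aws:guardduty:us-east-1:111111111111:detector/EXAMPLEDETECTOR/finding/EXAMPLE1",
   "ProductName": "GuardDuty", "AwsAccountId": "111111111111", "Region": "us-east-1",
   "Title": "Unusual console login observed for principal ExampleUser",
   "Severity": {"Label": "HIGH", "Normalized": 70},
   "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAEXAMPLEPLACEHOLDER"}],
   "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
  {"Id": "arn:aws:securityhub:us-east-1:111111111111:subscription/aws-foundational-security-best-practices/v/1.0.0/S3.2/finding/EXAMPLE2",
   "ProductName": "Security Hub", "AwsAccountId": "111111111111", "Region": "us-east-1",
   "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.2",
   "Title": "S3.2 S3 buckets should prohibit public read access",
   "Severity": {"Label": "CRITICAL", "Normalized": 90},
   "Compliance": {"Status": "FAILED"},
   "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-placeholder-bucket"}],
   "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
  {"Id": "arn:aws:securityhub:us-east-1:111111111111:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.4/finding/EXAMPLE3",
   "ProductName": "Security Hub", "AwsAccountId": "111111111111", "Region": "us-east-1",
   "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/IAM.4",
   "Title": "IAM.4 IAM root user access key should not exist",
   "Severity": {"Label": "INFORMATIONAL", "Normalized": 0},
   "Compliance": {"Status": "PASSED"},
   "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111111111111"}],
   "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE"}
]}
"""

# ASFF severity labels, lowest to highest.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def classify(finding):
    """'threat' for GuardDuty detections, 'posture' for Security Hub standards
    controls (they carry a Compliance block), 'other' for anything else
    (Inspector, Config custom rules, partner products)."""
    product = finding.get("ProductName")
    if product == "GuardDuty":
        return "threat"
    if product == "Security Hub" and "Compliance" in finding:
        return "posture"
    return "other"


def needs_attention(finding, min_label="HIGH"):
    """True for active, unresolved findings at or above the threshold.
    Passing controls are never actionable, whatever their severity label."""
    if finding.get("RecordState") != "ACTIVE":
        return False
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return False
    if finding.get("Compliance", {}).get("Status") == "PASSED":
        return False
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    return SEVERITY_RANK.get(label, 0) >= SEVERITY_RANK[min_label]


def triage(findings_json, min_label="HIGH"):
    """Parse a get-findings response; return counts per source kind plus the
    actionable findings, most severe first."""
    findings = json.loads(findings_json)["Findings"]
    by_source = Counter(classify(f) for f in findings)
    actionable = [
        {
            "kind": classify(f),
            "severity": f["Severity"]["Label"],
            "title": f["Title"],
            "resource": f["Resources"][0]["Id"],
            "account": f["AwsAccountId"],
            "region": f["Region"],
        }
        for f in findings
        if needs_attention(f, min_label)
    ]
    actionable.sort(key=lambda a: -SEVERITY_RANK[a["severity"]])
    return {"by_source": dict(by_source), "actionable": actionable}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDINGS_JSON), indent=2))
```

The split between `threat` and `posture` mirrors the two services: the GuardDuty finding is something happening in the account right now, while the FSBP control failure is a configuration that Security Hub's managed Config rule evaluated against the standard. Both arrive through the same API, which is the practical reason for enabling Security Hub alongside GuardDuty rather than polling each service separately.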

Summary

  • Security Hub functions more as a reporting service: it aggregates data from different sources.
  • GuardDuty is a detection service. It scans EC2 volumes, CloudTrail, and VPC Flow Logs, but you cannot send data from other services into it.
  • Security Hub can deploy the AWS Config rules that make up the security standards; GuardDuty cannot.
  • GuardDuty can analyse RDS, VPC Flow Logs, S3, CloudTrail and more.
  • Both are essential for a better overview of the account.
  • If you are operating in a landing zone, both services can run in organization mode, where new accounts are automatically enrolled.