GuardDuty and Security Hub are frequently described as competing alternatives when they are actually different layers of the same monitoring architecture. Choosing one over the other is like choosing between a smoke detector and a fire inspection report — they answer different questions and are most valuable when both are present. Understanding what each service actually does makes the relationship obvious.
This guide compares GuardDuty and Security Hub on the dimensions that matter for operational decision-making: what they monitor, what types of findings they generate, how they integrate with each other, and what each one cannot do that the other can.
What GuardDuty Does
GuardDuty is a threat detection service. It analyzes operational data sources — CloudTrail management events, VPC Flow Logs, DNS query logs — and applies machine learning models and threat intelligence to identify behavioral anomalies that indicate active threats. GuardDuty asks: is something bad happening right now?
Every GuardDuty finding represents a detected threat or strong indicator of compromise. CryptoCurrency:EC2/BitcoinTool.B means an instance is actively communicating with a mining pool. UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B means a console login occurred from a suspicious IP. These findings are actionable immediately — they indicate ongoing events that require investigation or containment.
GuardDuty does not evaluate whether your account is configured securely. It does not tell you that your S3 bucket has public access enabled, that your root account lacks MFA, or that your security groups are overly permissive. It tells you what is actively happening, not what could go wrong.
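Because a GuardDuty finding type encodes its meaning in the name itself (the threat purpose, the affected resource type, the threat family and, optionally, a detection variant and the log source the evidence came from), a triage pipeline can read those components straight out of the string before it ever opens the finding body. The parser below is an added example for this article, not code from AWS or from Vigilare. It assumes the finding-type grammar AWS documents, `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact`, and its sample list combines the two types named above with two other documented types (one carrying the `!DNS` artifact, one with no detection-mechanism segment) to show the optional parts being handled.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# GuardDuty finding types follow the documented grammar
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# where ".DetectionMechanism" and "!Artifact" are optional.
_FINDING_TYPE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[^.!]+)(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)


@dataclass(frozen=True)
class FindingType:
    purpose: str               # e.g. CryptoCurrency, UnauthorizedAccess, Backdoor
    resource: str              # e.g. EC2, IAMUser, S3
    family: str                # e.g. BitcoinTool, ConsoleLoginSuccess
    mechanism: Optional[str]   # variant letter / detection mechanism, may be absent
    artifact: Optional[str]    # e.g. "DNS" when the evidence came from DNS query logs


def parse_finding_type(type_string: str) -> FindingType:
    """Split a GuardDuty finding type into its documented components."""
    match = _FINDING_TYPE.match(type_string)
    if match is None:
        raise ValueError(f"not a GuardDuty finding type: {type_string!r}")
    return FindingType(**match.groupdict())


def count_by_purpose(type_strings: Iterable[str]) -> Dict[str, int]:
    """Summarize a batch of findings by ThreatPurpose, the coarsest triage bucket."""
    return dict(Counter(parse_finding_type(t).purpose for t in type_strings))


# Constructed sample: the two types named in the article plus two other documented types.
SAMPLE_TYPES = [
    "CryptoCurrency:EC2/BitcoinTool.B",
    "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
    "Backdoor:EC2/C&CActivity.B!DNS",
    "Recon:EC2/Portscan",
]

if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(t, "->", parse_finding_type(t))
    print(count_by_purpose(SAMPLE_TYPES))
```

The family segment is matched as "anything up to the next `.` or `!`" rather than a word class because some documented family names contain characters such as `&`; a stricter pattern would silently reject real findings, which is the wrong failure mode for a triage step.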
What Security Hub Does
Security Hub is a findings aggregator and compliance evaluator. It serves two distinct functions. First, it collects and normalizes findings from GuardDuty, Inspector, IAM Access Analyzer, Macie, Firewall Manager, and dozens of third-party integrations into the AWS Security Finding Format (ASFF) and presents them in a unified dashboard. Second, it runs automated compliance checks against security standards — AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark, PCI DSS, NIST 800-53 — and generates findings for controls that your environment fails.
Security Hub asks two questions: what security findings exist across all my tools? and does my environment meet these security standards? It generates compliance findings (your root account lacks MFA, your S3 bucket has public access, your CloudTrail is not enabled) that represent configuration weaknesses rather than active threats.
How They Work Together
When both services are enabled in the same account, GuardDuty findings flow automatically into Security Hub. This means Security Hub becomes the single pane of glass for both active threat findings (from GuardDuty) and compliance findings (from Security Hub's own standards evaluation). The operational benefit is significant: instead of checking two consoles, your security team monitors one.
The ASFF normalization that Security Hub applies to GuardDuty findings enables cross-service correlation. A GuardDuty finding about unusual credential usage, a Security Hub finding about overly permissive IAM policies, and an IAM Access Analyzer finding about external access to a resource can all appear in the same Security Hub investigation view — providing context that no individual service can offer alone.
EventBridge integration covers all Security Hub findings, including those imported from GuardDuty. A single EventBridge rule matched on Security Hub findings can route all high-severity findings — regardless of source service — to your alerting pipeline. This simplifies your automation architecture considerably compared to building separate EventBridge integrations for each security service.
Where Each Falls Short
GuardDuty cannot evaluate configuration state. If your environment has security misconfigurations that have not yet been exploited — open security groups, missing MFA, disabled CloudTrail — GuardDuty generates no findings because nothing bad is actively happening. The threat is potential, not realized.
Security Hub cannot detect behavioral threats. It evaluates configuration snapshots against static standards. A compromised credential behaving exactly like a legitimate user generates no Security Hub findings — because the configuration hasn't changed. The compliance score can be 100% while an active intrusion is underway.
Neither service provides billing anomaly detection, SES reputation monitoring, or service quota monitoring. These dimensions of account health require separate tooling — either native AWS services (Cost Anomaly Detection, CloudWatch SES metrics) or a platform like Vigilare that aggregates all account health signals.
The Right Architecture
Enable both services. Use GuardDuty for threat detection and Security Hub as the aggregation layer for all security findings including GuardDuty. Configure Security Hub's compliance standards to evaluate your security configuration continuously. Route all HIGH and CRITICAL Security Hub findings to your on-call alerting pipeline via EventBridge. The two services together cover the full spectrum from active threat detection to configuration compliance — neither is sufficient alone.
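To make the "one rule, every source" point concrete, here is the routing step from "How They Work Together" and from this section worked through in Python. This is an added example, not code from the article, from AWS or from Vigilare. It assumes the event shape Security Hub publishes to EventBridge (source `aws.securityhub`, detail-type `Security Hub Findings - Imported`, ASFF findings under `detail.findings`) and implements only the exact-value subset of EventBridge pattern matching; the three events are constructed, with one imported GuardDuty finding, one Security Hub control finding and one low-severity finding the rule must leave alone.

```python
from typing import Any, Dict, List, Tuple

# Event pattern for the EventBridge rule: every Security Hub finding, whatever product
# produced it, whose severity label is HIGH or CRITICAL. Field names follow the
# "Security Hub Findings - Imported" event shape and ASFF.
HIGH_SEVERITY_RULE: Dict[str, Any] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}


def matches(pattern: Any, event: Any) -> bool:
    """Simplified EventBridge content filtering (exact values only, an assumption here):
    a dict pattern recurses per key, a list leaf enumerates the allowed values, and an
    array in the event matches when any of its elements matches."""
    if isinstance(pattern, dict):
        if isinstance(event, list):
            return any(matches(pattern, item) for item in event)
        if not isinstance(event, dict):
            return False
        return all(key in event and matches(sub, event[key]) for key, sub in pattern.items())
    if isinstance(pattern, list):
        if isinstance(event, list):
            return any(item in pattern for item in event)
        return event in pattern
    raise TypeError("pattern leaves must be lists of allowed values")


def route(events: List[Dict[str, Any]],
          rule: Dict[str, Any] = HIGH_SEVERITY_RULE) -> List[Tuple[str, str]]:
    """(ProductName, Title) of each finding the rule would hand to the alerting target.
    EventBridge delivers the whole event; the per-finding filter is what a Lambda target
    does with a batch that mixes severities."""
    finding_pattern = rule["detail"]["findings"]
    delivered = []
    for event in events:
        if not matches(rule, event):
            continue
        for finding in event["detail"]["findings"]:
            if matches(finding_pattern, finding):
                delivered.append((finding["ProductName"], finding["Title"]))
    return delivered


def _event(*findings: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap ASFF findings in the envelope Security Hub publishes to EventBridge (constructed)."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": list(findings)},
    }


# Constructed sample events; control IDs are only labels here.
SAMPLE_EVENTS = [
    _event({
        "ProductName": "GuardDuty",
        "Title": "Cryptocurrency mining activity on EC2 instance i-0example (constructed)",
        "Severity": {"Label": "HIGH", "Normalized": 70},
        "RecordState": "ACTIVE",
    }),
    _event({
        "ProductName": "Security Hub",
        "Title": "Hardware MFA should be enabled for the root user",
        "Severity": {"Label": "CRITICAL", "Normalized": 90},
        "Compliance": {"Status": "FAILED", "SecurityControlId": "IAM.6"},
    }),
    _event({
        "ProductName": "Security Hub",
        "Title": "Low-severity control finding (constructed)",
        "Severity": {"Label": "LOW", "Normalized": 1},
        "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.1"},
    }),
]

if __name__ == "__main__":
    for product, title in route(SAMPLE_EVENTS):
        print(f"[{product}] {title}")
```

The rule never mentions `ProductName`, which is the whole point: the GuardDuty threat finding and the Security Hub control finding are delivered by the same pattern, and the low-severity finding is not. The same `matches` function can be pointed at a different rule (a `Compliance.Status` of `FAILED`, a particular `ProductName`) to check a pattern against sample events before it is deployed.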
Related Reading
- AWS security monitoring tools compared — the full native security stack
- Compliance monitoring and risk scoring — turning Security Hub data into actionable metrics
- GuardDuty setup guide — configuration for production use
FAQ
Do I need both GuardDuty and Security Hub?
Yes, if you want complete security monitoring. GuardDuty provides threat detection that Security Hub cannot. Security Hub provides compliance evaluation and findings aggregation that GuardDuty cannot. Disabling either leaves a meaningful gap in your monitoring coverage.
Can Security Hub replace GuardDuty?
No. Security Hub's compliance checks evaluate configuration state but do not detect active threats. Without GuardDuty feeding findings into Security Hub, your Security Hub installation has no behavioral threat detection capability. Security Hub shows you that MFA is disabled — GuardDuty shows you that someone is actively exploiting that gap.
Does enabling Security Hub automatically enable GuardDuty?
No. They are independent services that must be enabled separately. Enabling Security Hub will automatically configure the integration to receive GuardDuty findings if GuardDuty is already enabled, but it will not enable GuardDuty itself. Enable GuardDuty independently in all regions and accounts, then enable Security Hub to receive and aggregate those findings.
How does the Security Hub security score relate to GuardDuty findings?
Security Hub's security score is calculated from its compliance standard checks (passed controls / total controls), not from GuardDuty finding counts. GuardDuty findings are imported into Security Hub and visible in the dashboard, but they do not factor into the compliance score calculation. A score of 100% in Security Hub is possible even with active GuardDuty findings — the score reflects configuration compliance, not threat status.
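The score calculation above is easy to misread on a dashboard, so it helps to compute it by hand over a small set of findings and watch a GuardDuty finding leave the number untouched. The Python below is an added example, not code from the article, from AWS or from Vigilare. It assumes ASFF field names (`Compliance.Status`, `Compliance.SecurityControlId`, `ProductName`, `RecordState`, `Workflow.Status`), treats only PASSED/FAILED outcomes as evaluated controls (a simplification), and uses constructed findings whose control IDs are borrowed from the AWS Foundational Security Best Practices standard with invented statuses.

```python
from collections import defaultdict
from typing import Any, Dict, List, Optional

# Constructed ASFF findings as they might sit in one Security Hub account: three standards
# controls (IDs from AWS Foundational Security Best Practices, statuses invented) and one
# imported GuardDuty finding that is active and not yet worked by an analyst.
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"ProductName": "Security Hub", "GeneratorId": "security-control/IAM.6",
     "Compliance": {"Status": "PASSED", "SecurityControlId": "IAM.6"},
     "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE"},
    {"ProductName": "Security Hub", "GeneratorId": "security-control/CloudTrail.1",
     "Compliance": {"Status": "PASSED", "SecurityControlId": "CloudTrail.1"},
     "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE"},
    {"ProductName": "Security Hub", "GeneratorId": "security-control/S3.1",
     "Compliance": {"Status": "PASSED", "SecurityControlId": "S3.1"},
     "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE"},
    {"ProductName": "GuardDuty", "GeneratorId": "arn:aws:guardduty:REGION:ACCOUNT:detector/EXAMPLE",
     "Title": "Unusual console login for an IAM user (constructed)",
     "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
]


def security_score(findings: List[Dict[str, Any]]) -> Optional[float]:
    """Score as the article defines it: passed controls / total controls, as a percentage.
    Only findings carrying a Compliance block are control findings; imported GuardDuty
    findings have none and never count. A control fails if any of its findings is FAILED.
    Controls without a PASSED/FAILED outcome are left out (assumed simplification)."""
    statuses: Dict[str, set] = defaultdict(set)
    for f in findings:
        compliance = f.get("Compliance")
        if not compliance:
            continue
        control = compliance.get("SecurityControlId") or f["GeneratorId"]
        statuses[control].add(compliance["Status"])
    evaluated = {c: s for c, s in statuses.items() if s & {"PASSED", "FAILED"}}
    if not evaluated:
        return None
    passed = sum(1 for s in evaluated.values() if "FAILED" not in s)
    return round(100.0 * passed / len(evaluated), 1)


def open_threats(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Imported GuardDuty findings that are still active and not resolved by an analyst."""
    return [f for f in findings
            if f.get("ProductName") == "GuardDuty"
            and f.get("RecordState") == "ACTIVE"
            and f.get("Workflow", {}).get("Status") != "RESOLVED"]


def posture(findings: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Report both numbers side by side so a perfect score cannot hide an active threat."""
    return {"score": security_score(findings), "open_threats": len(open_threats(findings))}


if __name__ == "__main__":
    print(posture(SAMPLE_FINDINGS))  # score stays 100.0 with one open GuardDuty finding
```

Reporting `open_threats` next to `score`, rather than the score alone, is the practical takeaway: a dashboard or weekly report that shows only the compliance percentage will read 100% during exactly the situation the FAQ describes.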
Written by Viktor B.
Co-founder & CEO