diff --git a/knowledge base/cloud computing/aws/README.md b/knowledge base/cloud computing/aws/README.md
index b94b064..6928834 100644
--- a/knowledge base/cloud computing/aws/README.md
+++ b/knowledge base/cloud computing/aws/README.md
@@ -3,7 +3,11 @@
1. [Networking](#networking)
1. [Services](#services)
1. [CloudWatch](#cloudwatch)
-1. [Config](#config)
+ 1. [Config](#config)
+ 1. [Detective](#detective)
+ 1. [GuardDuty](#guardduty)
+ 1. [Inspector](#inspector)
+ 1. [Security Hub](#security-hub)
1. [Resource constraints](#resource-constraints)
1. [Access control](#access-control)
1. [Further readings](#further-readings)
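Review bot: the four new nested entries (`+ 1. [Config](#config)` through `+ 1. [Security Hub](#security-hub)`) are indented by a single space while the existing `1. [CloudWatch](#cloudwatch)` entry they should sit beside has none, so in CommonMark they will not render at the same nesting level as CloudWatch; give all five sub-entries the same indentation, aligned with the content of the parent `Services` item (three spaces after a `1. ` marker). The entries are also not in alphabetical order with CloudWatch, which is fine only if the list intentionally mirrors the order of the `###` sections below.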
@@ -30,15 +34,19 @@ networks. They can communicate with services outside the VPC, but cannot receive
## Services
-| Service | Description |
-| ------------ | --------------------------------------------- |
-| [CloudWatch] | Observability (logging, monitoring, alerting) |
-| [Config] | FIXME |
-| [EC2] | Virtual machines |
-| [ECR] | Container registry |
-| [EKS] | Kubernetes clusters |
-| [S3] | Storage |
-| [Sagemaker] | Machine learning |
+| Service | Description |
+| -------------- | --------------------------------------------- |
+| [CloudWatch] | Observability (logging, monitoring, alerting) |
+| [Config] | Compliance |
+| [Detective] | FIXME |
+| [EC2] | Virtual machines |
+| [ECR] | Container registry |
+| [EKS] | Kubernetes clusters |
+| [GuardDuty] | Threat detection |
+| [Inspector] | FIXME |
+| [S3] | Storage |
+| [Sagemaker] | Machine learning |
+| [Security Hub] | Aggregator for security findings |
### CloudWatch
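Review bot: the new `[Detective]` and `[Inspector]` rows ship with `FIXME` as their description, which is the same placeholder this change removes from the `[Config]` row. The Detective section added later in this patch already describes the service (root-cause analysis of security issues using ML and graphs over VPC Flow Logs, CloudTrail and GuardDuty events), so a one-line summary such as "Security investigation (root-cause analysis)" can fill that cell now; Inspector is described nowhere in the change, so either add a description or keep the placeholder tracked so it does not land as documentation.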
@@ -53,14 +61,19 @@ Metrics only exist in the region in which they are created.
metrics to CloudWatch with no charge.
This feature is automatically enabled by default when one starts using one of these services.
-## Config
+### Config
+
+FIXME
Compliance service for assessing and auditing AWS resources.
-Records and monitors resource configurations.
-
-Uses rules to evaluate whether the resources comply. Marks them with the evaluation result (_compliant_,
-_non-compliant_).
+Provides an inventory of resources.
+Records and monitors resource configurations and their changes.
+The data is stored in a bucket (default name `config-bucket-{aws-account-number}`)
+Changes can be streamed to 1 SNS topic for notification purposes.
+Uses _rules_ to evaluate whether the resources configurations comply.
+Rule evaluation is done once every time a configuration changes, or periodically.
+Resources are marked with the evaluation result (_compliant_, _non-compliant_).
Custom rules can be used to evaluate for uncommon requirements.
Custom rules leverage lambda functions.
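Review bot: `The data is stored in a bucket (default name `config-bucket-{aws-account-number}`)` is missing its terminating period, `resources configurations` should read `resources' configurations`, and `streamed to 1 SNS topic` reads better as `streamed to one SNS topic`. The `FIXME` inserted directly under the new `### Config` heading now sits above what is an otherwise complete description; either say what is still missing or drop it. The `## Config` to `### Config` change is correct: it nests the section under Services, consistent with the TOC change in the first hunk and the `[config]: #config` reference link.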
@@ -72,6 +85,62 @@ Defined as YAML templates.
Immutable: users cannot make changes without updating the whole rule package.
Sample templates for compliance standards and benchmarks are available.
+### Detective
+
+FIXME
+
+Uses ML and graphs to try and identify the root cause of security issues.
+Creates visualizations with details and context by leveraging events from VPC Flow Logs, CloudTrail and GuardDuty.
+
+### GuardDuty
+
+FIXME
+
+Threat detection service.
+
+It continuously monitors accounts and workloads for malicious activity and delivers security findings for visibility and
+remediation.
+Done by pulling streams of data from CloudTrail, VPC Flow Logs or EKS.
+
+Member accounts can administer GuardDuty by delegation if given the permissions to do so.
+
+_Findings_ are **potential** security issues for malicious events.
+Those are also sent to EventBridge for notification (leveraging SNS).
+Each is assigned a severity value (0.1 to 8+).
+
+_Trusted IP List_ is a whitelist of **public IPs** that will be ignored by the rules.
+_Threat IP List_ is a blacklist of **public IPs and CIDRs** that will be used by the rules.
+
+### Inspector
+
+FIXME
+
+### Security Hub
+
+FIXME
+
+Aggregator of findings for security auditing.
+
+> Uses [Config] to check resources' configuration by leveraging compliancy rules.
+
+Security standards are offered as ret of rules for [Config].
+
+Data can be aggregated from different regions.
+If the integration is enabled, findings from AWS services ([GuardDuty]) are used too within 5 minutes on average, while
+ones from 3rd parties can take longer.
+
+Data can be imported from or exported to 3rd parties if the integration is enabled.
+Kinda acts as a middle layer for AWS accounts.
+
+Findings are consumed in _AWS Security Finding Format_ (ASFF).
+Those are automatically updated and deleted. Findings after 90 days are automatically deleted even if **not** resolved.
+
+Can use custom insights.
+
+Custom actions can be sent to EventBridge for automation.
+
+Member accounts can administer Security Hub by delegation if given the permissions to do so.
+
## Resource constraints
| Data type | Component | Summary | Description | Type | Length | Pattern | Required |
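Review bot: `Security standards are offered as ret of rules for [Config].` has a typo (`ret` should be `set`), `compliancy rules` in the blockquote should be `compliance rules`, and `Kinda acts as a middle layer for AWS accounts.` is too informal for a reference page (`Acts as an intermediate layer between AWS accounts and security tooling` or similar). The `### Inspector` section is empty apart from `FIXME`, and every other new section also opens with a bare `FIXME` line; state what is missing in each or remove the markers so they are not mistaken for content. In the GuardDuty section, `_Trusted IP List_` and `_Threat IP List_` describe lists that suppress or feed findings, so `ignored by the rules` / `used by the rules` would be clearer as `not reported as findings` / `used to generate findings`, and the severity range `0.1 to 8+` would be more useful if it named the documented severity bands rather than an open-ended upper bound. The blockquote on the Config line is unexplained; if it is a quotation, cite its source, otherwise make it a normal sentence.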
@@ -116,6 +185,8 @@ From [Using service-linked roles]:
- [Subnets for your VPC]
- [Introduction to AWS IAM AssumeRole]
- [AWS JSON policy elements: Principal]
+- [What is AWS Config?]
+- [AWS Config tutorial by Stephane Maarek]
[cloudwatch]: #cloudwatch
[config]: #config
+[detective]: #detective
+[guardduty]: #guardduty
+[inspector]: #inspector
+[security hub]: #security-hub
[ec2]: ec2.md
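Review bot: the new section reference links `[detective]`, `[guardduty]`, `[inspector]` and `[security hub]` are inserted between `[config]` and `[ec2]`, breaking the alphabetical order of the existing link definitions (`[cloudwatch]`, `[config]`, `[ec2]`, ...); move `[guardduty]`, `[inspector]` and `[security hub]` to their alphabetical positions. The two new Further readings entries are consistent with the existing list style; `[AWS Config tutorial by Stephane Maarek]` is a video, which might be worth marking as such alongside the AWS documentation links.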
@@ -143,7 +218,9 @@ From [Using service-linked roles]:
[subnets for your vpc]: https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
[using service-linked roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
[what is amazon vpc?]: https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
+[what is aws config?]: https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
[what is cloudwatch]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html
+[aws config tutorial by stephane maarek]: https://www.youtube.com/watch?v=qHdFoYSrUvk
[introduction to aws iam assumerole]: https://aws.plainenglish.io/introduction-to-aws-iam-assumerole-fbef3ce8e90b
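Review bot: `[aws config tutorial by stephane maarek]` is inserted after `[what is cloudwatch]`, out of alphabetical order with the surrounding `[what is ...]` definitions; it belongs with the other `a...` entries at the top of the definitions block, as `[what is aws config?]` was correctly placed before `[what is cloudwatch]`. The YouTube URL has no `title` or retrieval context, which is acceptable here but means the link will silently break if the video is removed.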