Security Operations Center on AWS: Designing a Modern Cloud SOC

Cloud-native security signals are increasingly central to what enterprise SOCs handle day-to-day. Yet, many security operations teams are still triaging them with tools and playbooks designed primarily for on-premises environments.
‍

For organizations running serious workloads on AWS, the most effective approach is to rethink the Security Operations Center around AWS’s native security ecosystem, often complementing rather than replacing an existing SIEM investment.
‍

This guide walks through what a modern Security Operations Center on AWS actually looks like in 2026: the services that power it, the operating models that scale, where SIEM and SOAR still fit, and how an AWS-native SOC differs from legacy architectures.

What Is a Security Operations Center (SOC) on AWS?

A Security Operations Center on AWS is a continuous monitoring, threat detection, and incident response capability built natively inside the AWS environment. It uses AWS-native security services as its primary data plane rather than treating AWS as just another log source.
‍

Where a traditional SOC sits outside the environment it protects and pulls telemetry across a network boundary, a cloud SOC operates inside AWS. It analyzes API calls, IAM behavior, and workload activity through services like Amazon GuardDuty, AWS Security Hub, AWS CloudTrail, and AWS Security Incident Response.
‍

The distinction matters because AWS environments work differently from the on-premises data centers that traditional SOCs were designed for. Workloads are ephemeral; an EC2 instance or Lambda function may exist for minutes. Identity is dynamic and policy-driven through AWS IAM rather than static directory groups.

Most large customers run dozens or hundreds of AWS accounts under AWS Organizations, each with its own surface area. The unit of analysis shifts from "host on network" to "identity performing action on resource," and the SOC must be designed around that shift.

Why Do Traditional SOC Approaches Struggle in AWS Environments?

Legacy SIEM platforms were built for static perimeter networks: known hosts, known subnets, and predictable east-west traffic. AWS breaks several of those assumptions. Resources spin up and disappear on autoscaling. Network paths are defined by security groups and VPC routing tables rather than physical topology. The perimeter is, increasingly, an IAM trust policy.
‍

The visibility gaps this creates are significant. Traditional SOCs are fluent in firewall logs and endpoint telemetry, but the events that matter most in AWS are not standard log sources for legacy tooling. These include:

• IAM policy changes
• S3 bucket configuration drift
• KMS key access
• Lambda invocations
• STS token assumptions

‍

The result can be an SOC that sees much of what’s happening to the cloud, but less of what’s happening inside it.
‍

Alert volume compounds the problem. Cloud-native sources can generate large numbers of findings. Without correlation tuned to AWS semantics, analysts spend disproportionate time on noise. This isn’t an argument against existing SIEM investments like Splunk, Microsoft Sentinel, or Google SecOps. It’s an argument for putting AWS-native detection and triage at the source of the signal, so that the SIEM works on enriched, pre-correlated data rather than raw events.
‍

Finally, there’s the AWS shared responsibility model. AWS secures the cloud; the customer secures what runs in it. A SOC that doesn’t internalize that boundary risks spending time on threats AWS has already mitigated while overlooking configuration, identity, and workload issues on the customer side.

The AWS Native Security Services That Power a Modern SOC

A modern cloud SOC on AWS is built on a small, deliberately chosen set of native services. The goal isn’t to use every AWS security tool, but to assemble a coherent detection, aggregation, investigation, and response pipeline.

Amazon GuardDuty: Continuous Threat Detection

GuardDuty is the baseline detection layer in nearly every AWS SOC. By default, it continuously analyzes three foundational data sources: AWS CloudTrail management events, VPC Flow Logs, and Route 53 Resolver DNS query logs. This surfaces findings such as compromised credentials, cryptocurrency mining, reconnaissance, and command-and-control activity.
‍

GuardDuty uses AWS threat intelligence, curated feeds, malicious IP and domain indicators, file hashes, and machine learning models to identify suspicious activity right out of the box. Beyond the foundational layer, GuardDuty offers optional protection plans that extend detection to specific workload types:

• S3 Protection: Object-level activity monitoring.
• EKS Protection: Kubernetes audit log analysis.
• Runtime Monitoring: Operating-system-level behavior on EC2, ECS, and EKS.
• Malware Protection: Three sub-features cover different surfaces: Malware Protection for EC2 performs agentless scans of EBS volumes attached to EC2 instances and container workloads; Malware Protection for S3 scans newly uploaded objects to selected S3 buckets; and Malware Protection for AWS Backup scans AWS Backup–protected resources, including EBS snapshots, EC2 AMIs, and S3 Recovery Points.
• RDS Protection: Login anomaly detection on Aurora and RDS.
• Lambda Protection: Network activity analysis for serverless functions.

‍

AWS also includes GuardDuty Extended Threat Detection at no additional cost. It correlates signals across foundational data sources, AWS resources, and time to identify multi-stage attack sequences that would otherwise appear as unrelated lower-severity findings.
‍

What makes GuardDuty foundational is what it doesn’t require: no agents, no log shipping, and no deployment disruption. You enable it across an organization through delegated administration and get meaningful threat detection within hours.

AWS Security Incident Response: Managed Response and Triage

Launched for general availability at re: Invent 2024, AWS Security Incident Response supports preparation, response, and recovery from AWS security events. It addresses three problems most security teams face simultaneously: alert fatigue, lack of specialized in-house incident response capacity, and slow coordination during an active incident.
‍

AWS Security Incident Response reviews and triages security alerts from Amazon GuardDuty and AWS Security Hub CSPM, filtering expected behavior based on customer-specific context (known IP addresses, IAM entities, baseline activity). When it identifies a true positive, it automatically opens a case and notifies the configured Incident Response Team, which may include internal stakeholders and external partners such as MSPs.
‍

Three capabilities make it more than just another alert pipeline:

1. 24/7 Access to the AWS Customer Incident Response Team (CIRT): Cases can be escalated to AWS’s own incident response engineers with a 15-minute first response target. Under these service terms, AWS responders may access relevant CloudTrail, VPC, DNS, and S3 log history when needed for investigation. This complements your logging strategy, where CloudTrail trails, VPC Flow Logs, Route 53 logs, WAF, ELB, and application logs remain essential for complete compliance.
   
   
2. AI-Assisted Investigation: Includes an AI Investigative Agent that helps collect and correlate evidence across AWS data sources to guide containment and support customers through the incident lifecycle.
   
   
3. Containment Actions: With explicit customer permission and the required IAM and CloudFormation setup, the service can perform supported containment actions directly in the customer’s accounts, compressing the gap between detection and response.

AWS Security Hub and Security Hub CSPM: Centralized Findings

AWS now distinguishes between two capabilities under the Security Hub umbrella, and the difference matters for anyone designing an AWS SOC in 2026:

• AWS Security Hub CSPM: The posture management and compliance service formerly known as Security Hub. It processes findings in the AWS Security Finding Format (ASFF), performs continuous account-level checks, calculates security scores, aggregates findings, and runs compliance benchmarks (AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark v5.0, PCI DSS, NIST 800-53). It supports automation rules and EventBridge-based workflows and remains the engine behind most posture management and compliance reporting in AWS environments.
  
  
• AWS Security Hub: The unified cloud security solution, generally available since December 2025, is built on the Open Cybersecurity Schema Framework (OCSF). It correlates signals from GuardDuty, Inspector, Macie, and Security Hub CSPM to surface exposures, prioritize risk, and drive response workflows across accounts and sources.

‍

For mature AWS SOC designs in 2026, using both capabilities together is a strong reference architecture: Security Hub CSPM for compliance and posture, and the newer Security Hub capabilities for signal correlation and prioritization.

AWS CloudTrail: The Audit Log Layer

CloudTrail records a history of AWS API activity across supported services, including calls made through the console, CLI, SDKs, and AWS services themselves. For a SOC, it is the primary audit source for understanding who performed which action, against which resource, from where, and when.
‍

Every meaningful AWS investigation ultimately relies on CloudTrail data, and most upstream detection depends on it. A multi-account organization typically aggregates CloudTrail data into a dedicated log archive account with restricted access to maintain forensic integrity.

Amazon Security Lake: Centralized Security Data

Amazon Security Lake addresses a common problem: security data lives in too many places, in too many formats. Security Lake centralizes logs from AWS services, on-premises sources, and SaaS providers into a customer-owned data lake on S3, normalized to the Open Cybersecurity Schema Framework (OCSF).
‍

For SIEM teams, that means ingestion without duplication and consistent schemas. For detection engineering and threat hunting, it means a single queryable surface via Amazon Athena or OpenSearch without paying high SIEM ingest costs for every byte of log data.

Supporting Services

Around that core, a few additional services round out a production AWS SOC:

• Amazon Detective: Automates investigation workflows with entity graphs and timelines built from GuardDuty findings and IAM context.
  
  
• AWS IAM Access Analyzer: Identifies over-permissioned roles, external access, and unused permissions.
  
  
• Amazon Inspector: Runs continuous vulnerability scanning across EC2 instances, container images in ECR (and in CI/CD tools), AWS Lambda functions, and code repositories (SAST, SCA, and IaC).
  
  
• AWS Config: Tracks configuration changes and compliance drift, where early signals of misconfiguration or insider misuse often appear.

SOC Operating Models on AWS: Centralized, Decentralized, or Hybrid?

One of the questions most cloud SOC content skips entirely is how the SOC is structured across accounts and business units. AWS Organizations and delegated administration give you three workable models, and the choice has real implications for incident response.

The key design decision underneath this isn’t where the dashboards live; it’s where incident response actually happens. Centralized models provide consistency and a single set of playbooks, but require the central team to understand every workload.

Decentralized models keep response close to the people who know the application but make it hard to see cross-business-unit attack patterns. Hybrid models are usually the right answer for organizations past a few hundred engineers, but only if the central layer has clear authority during incidents, not just visibility.
‍

AWS Security Incident Response team membership can include internal stakeholders and external partners such as MSPs or ISVs. The surrounding account, organization, and escalation model should be designed to match the customer’s centralized, decentralized, or hybrid SOC structure, so that the right people are on the right cases.

SIEM and SOAR in an AWS SOC: What You Actually Need

A frequent question is whether AWS-native services replace the need for a SIEM. They don’t.

GuardDuty, Security Hub, and Security Incident Response handle detection, aggregation, and response orchestration well within AWS. A SIEM does something different: long-term retention, cross-source correlation (AWS + identity provider + endpoint + SaaS + on-prem), custom detection logic, and the broader investigation surface that compliance and threat hunting demand. Most organizations end up with both: AWS-native services for cloud-native detection and managed response, and a SIEM for correlation across the wider estate.
‍

On the AWS-native side, an OpenSearch-based SIEM integrates tightly with Security Lake and is highly cost-effective. On the third-party side, Splunk, Microsoft Sentinel, and Google SecOps all integrate cleanly with Security Hub and Security Lake via OCSF-normalized data.
‍

SOAR sits on top of that stack. Where a SIEM tells you what’s happening, a SOAR platform orchestrates the response: isolating a compromised instance, revoking IAM credentials, opening a ticket, and capturing the artifacts needed for post-incident review. Done well, SOAR is the single biggest lever for reducing mean time to respond (MTTR).
‍

The modern AWS SOC workflow follows this order: GuardDuty (detection) ➔ Security Hub / CSPM (aggregation) ➔ AWS Security Incident Response (managed triage) ➔ Security Lake (data layer) ➔ SIEM (correlation) ➔ SOAR (response orchestration).

Building vs. Buying: In-House SOC vs. Managed SOC on AWS

Standing up a SOC capable of operating at the level described above is non-trivial. Most organizations face a genuine build-vs-buy decision.

Organizations with data centers or mature security teams, significant scale, and unique detection requirements often build. Organizations that need 24/7 coverage immediately, lack deep AWS security expertise in-house, or want to avoid the hiring market for senior cloud security analysts increasingly buy, at least for the always-on monitoring layer, while keeping incident response leadership internal.
‍

What to look for in a managed SOC provider for AWS specifically: native-first architecture (not a generic SIEM with AWS as one connector), AWS partner status with security competency, clear handoff and escalation procedures, and direct integration with AWS Security Incident Response so the partner is working inside AWS’s incident workflow rather than running a parallel one.

How CloudZone Builds and Operates a SOC on AWS?

As an AWS Premier Tier Services Partner holding the AWS Security Consulting Competency and AWS Managed Services Provider Competency, CloudZone designs, implements, and operates AWS-native Security Operations Centers for customers across regulated and high-scale environments.

• Detection Layer: We enable GuardDuty organization-wide via delegated administration and select protection plans appropriate to your workload mix (S3, EKS, runtime monitoring, RDS, Lambda, Malware Protection). The GuardDuty event stream is forwarded into our Opsgenie-based incident management system, where our operations center inspects findings, applies enrichment against customer-specific context, and triggers the on-call response workflow.
  
  
• Response Layer: Our standard design enables AWS Security Incident Response in a dedicated AWS account that CloudZone operates on the customer’s behalf, with CloudZone engineers added directly to your Incident Response Team membership. When AWS Security Incident Response triages a finding or you escalate an active incident, the case is automatically routed into CloudZone’s operations center. Customers get the benefit of AWS’s automated triage, AWS CIRT’s 24/7 expertise, and a partner team that’s already context-loaded on their environment, all working off the same case in the AWS console.
  
  
• 24/7 Operations with Defined SLAs: Findings stream continuously into Opsgenie under agreed SLAs. Regular service reviews cover finding volumes, response performance, posture trends from Security Hub CSPM benchmarks, and strategic recommendations for the next iteration of your security posture.

‍