The biggest pitfall when first designing security detection in the cloud is the misconception that "all security services look the same." Macie, GuardDuty, and Inspector are not distinguishable by name alone in what they detect, and the SAP-C02 exam is designed to exploit exactly this confusion. The key is that three services see completely different data in completely different ways. Macie looks at the content of data (is there a card number in the S3 object), GuardDuty looks at abnormal behavior (is the account doing something it doesn't normally do), and Inspector looks at software defects (does this EC2 have a known vulnerability).