A company experienced a breach that affected several applications in its on-premises data center. The attacker took advantage of vulnerabilities in the custom applications that were running on the servers. The company is now migrating its applications to run on Amazon EC2 instances. The company wants to implement a solution that actively scans for vulnerabilities on the EC2 instances and sends a report that details the findings.
Which solution will meet these requirements?
A. Deploy AWS Shield to scan the EC2 instances for vulnerabilities. Create an AWS Lambda function to log any findings to AWS CloudTrail.
B. Deploy Amazon Macie and AWS Lambda functions to scan the EC2 instances for vulnerabilities. Log any findings to AWS CloudTrail.
C. Turn on Amazon GuardDuty. Deploy the GuardDuty agents to the EC2 instances. Configure an AWS Lambda function to automate the generation and distribution of reports that detail the findings.
D. Turn on Amazon Inspector. Deploy the Amazon Inspector agent to the EC2 instances. Configure an AWS Lambda function to automate the generation and distribution of reports that detail the findings.
Explanation:
Correct Answer: D - Turn on Amazon Inspector. Deploy the Amazon Inspector agent to the EC2 instances. Configure an AWS Lambda function to automate the generation and distribution of reports that detail the findings.
Why this is correct:
Amazon Inspector is specifically designed for vulnerability assessment and security scanning of EC2 instances and container images. It actively scans for vulnerabilities, including those in custom applications running on EC2 instances.
Amazon Inspector agents can be deployed to EC2 instances to perform deep inspection of the operating system, applications, and network configurations.
AWS Lambda integration can be used to automate report generation and distribution based on Inspector findings.
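The Inspector-plus-Lambda reporting step is the part of option D that needs actual code. The following is an added example, not code from the page or from AWS: a Lambda handler in Python that pages through Amazon Inspector v2 findings for EC2 instances with the boto3 `inspector2` client's `list_findings` paginator, summarises them by severity and by instance, and publishes a plain-text report to an SNS topic. The environment variable name `REPORT_TOPIC_ARN`, the fake clients, the instance ids and the `CVE-YYYY-NNNN` vulnerability ids are all constructed placeholders for running the logic offline; the filter keys (`findingStatus`, `resourceType`) and the finding fields (`severity`, `resources`, `packageVulnerabilityDetails`) follow the shape the real API returns.

```python
"""Report Amazon Inspector (v2) EC2 findings from a Lambda function.

Added example, not the page's own code. Assumes Amazon Inspector is enabled,
the Lambda execution role may call inspector2:ListFindings and sns:Publish,
and the SNS topic ARN is supplied via the REPORT_TOPIC_ARN environment
variable (an assumed name).
"""
import os
from collections import Counter, defaultdict

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED"]

# Inspector v2 filter: only ACTIVE findings whose resource is an EC2 instance.
EC2_ACTIVE_FILTER = {
    "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
    "resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}],
}


def severity_rank(severity):
    """Lower is worse; unknown severities sort last."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def fetch_ec2_findings(inspector):
    """Page through inspector2:ListFindings and return a flat list of findings."""
    findings = []
    paginator = inspector.get_paginator("list_findings")
    for page in paginator.paginate(filterCriteria=EC2_ACTIVE_FILTER):
        findings.extend(page.get("findings", []))
    return findings


def summarise(findings):
    """Return (counts_by_severity, per_instance); per_instance maps an instance id
    to a list of (severity, vulnerability id or finding type, title) tuples."""
    by_severity = Counter()
    per_instance = defaultdict(list)
    for finding in findings:
        severity = finding.get("severity", "UNTRIAGED")
        by_severity[severity] += 1
        # Package findings carry a CVE id; network-reachability findings do not.
        vuln = finding.get("packageVulnerabilityDetails", {}).get(
            "vulnerabilityId", finding.get("type", "N/A"))
        for resource in finding.get("resources", []):
            if resource.get("type") == "AWS_EC2_INSTANCE":
                per_instance[resource["id"]].append((severity, vuln, finding.get("title", "")))
    return by_severity, dict(per_instance)


def build_report(findings):
    """Render a plain-text report, worst severity first within each instance."""
    by_severity, per_instance = summarise(findings)
    lines = [f"Amazon Inspector EC2 report: {len(findings)} active finding(s)"]
    counts = ", ".join(f"{s}={by_severity[s]}" for s in SEVERITY_ORDER if by_severity[s])
    lines.append("By severity: " + (counts or "none"))
    for instance_id in sorted(per_instance):
        lines.append(f"\n{instance_id}:")
        for severity, vuln, title in sorted(per_instance[instance_id], key=lambda t: severity_rank(t[0])):
            lines.append(f"  [{severity}] {vuln} - {title}")
    return "\n".join(lines)


def lambda_handler(event, context, inspector=None, sns=None, topic_arn=None):
    """Lambda entry point. Clients and topic are injectable so the logic runs offline."""
    if inspector is None or sns is None:
        import boto3  # imported lazily: only needed when running inside Lambda
        inspector = inspector or boto3.client("inspector2")
        sns = sns or boto3.client("sns")
    topic_arn = topic_arn or os.environ["REPORT_TOPIC_ARN"]
    findings = fetch_ec2_findings(inspector)
    report = build_report(findings)
    sns.publish(TopicArn=topic_arn, Subject="Amazon Inspector EC2 vulnerability report", Message=report)
    return {"finding_count": len(findings), "report": report}


# --- Constructed stand-ins for offline demonstration (not boto3) -------------
class FakeInspector:
    """Mimics the inspector2 client's list_findings paginator, two findings per page."""
    def __init__(self, findings, page_size=2):
        self.findings, self.page_size = findings, page_size

    def get_paginator(self, name):
        assert name == "list_findings"
        return self

    def paginate(self, **kwargs):
        for i in range(0, len(self.findings), self.page_size):
            yield {"findings": self.findings[i:i + self.page_size]}


class FakeSns:
    """Records publish() calls instead of sending them."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed"}


# Constructed sample findings in the shape ListFindings returns; CVE ids are placeholders.
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "type": "PACKAGE_VULNERABILITY", "title": "placeholder: outdated OpenSSL package",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-YYYY-0001"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaaaaaaaaaaaaaa1"}]},
    {"severity": "HIGH", "type": "PACKAGE_VULNERABILITY", "title": "placeholder: vulnerable kernel package",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-YYYY-0002"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaaaaaaaaaaaaaa1"}]},
    {"severity": "MEDIUM", "type": "NETWORK_REACHABILITY", "title": "placeholder: port reachable from the internet",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbbbbbbbbbbbbbb2"}]},
]

if __name__ == "__main__":
    result = lambda_handler({}, None, inspector=FakeInspector(SAMPLE_FINDINGS), sns=FakeSns(),
                            topic_arn="arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER")
    print(result["report"])
```

Deployed for real, the function would be scheduled (for example by an EventBridge rule) and given an execution role limited to `inspector2:ListFindings` and `sns:Publish` on the one report topic; the injectable clients exist so the summarising logic can be exercised without AWS credentials.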
Why other options are incorrect:
A. AWS Shield: This is a DDoS protection service, not a vulnerability scanning service. It protects against distributed denial-of-service attacks, not application vulnerabilities.
B. Amazon Macie: This is a data security and data privacy service that uses machine learning to discover and protect sensitive data. It's not designed for vulnerability scanning of EC2 instances.
C. Amazon GuardDuty: This is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. While it can detect threats, it's not primarily a vulnerability scanning service and doesn't require agents to be deployed to EC2 instances (it analyzes CloudTrail, VPC Flow Logs, and DNS logs).
Key AWS Services Comparison:
| Service | Primary Purpose | Agent Required | Best For |
|---|---|---|---|
| Amazon Inspector | Vulnerability assessment and security scanning | Yes (for EC2) | Finding vulnerabilities in EC2 instances and container images |
| Amazon GuardDuty | Threat detection and monitoring | No | Detecting suspicious activity and threats |
| AWS Shield | DDoS protection | No | Protecting against DDoS attacks |
| Amazon Macie | Data security and classification | No | Discovering and protecting sensitive data |
Additional Context: The company's specific requirement is to "actively scan for vulnerabilities on the EC2 instances", which matches Amazon Inspector's capabilities exactly. The mention of "custom applications" aligns with Inspector's ability to assess application-level vulnerabilities.