AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 114
A company wants to ensure that their EC2 instances are secure. They want to be notified if any new vulnerabilities are discovered on their instances, and they also want an audit trail of all login activities on the instances.
Which solution will meet these requirements?
Answer options
- A. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Amazon Kinesis Agent to capture system logs and deliver them to Amazon S3.
- B. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Systems Manager Agent to capture system logs and view login activity in the CloudTrail console.
- C. Configure Amazon CloudWatch to detect vulnerabilities on the EC2 instances. Install the AWS Config daemon to capture system logs and view them in the AWS Config console.
- D. Configure Amazon Inspector to detect vulnerabilities on the EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and record them via Amazon CloudWatch Logs.
Correct answer: D
Explanation
The correct answer is D. Amazon Inspector is the AWS service built to scan EC2 instances for software vulnerabilities and to report new findings as they are discovered, which satisfies the notification requirement. The Amazon CloudWatch Agent collects operating-system log files (for example the SSH and PAM authentication logs) from the instance and ships them to Amazon CloudWatch Logs, which provides the durable audit trail of login activity. Options A and B rely on AWS Systems Manager for vulnerability detection, which is not a function it provides in the way Amazon Inspector does; option B is also wrong because AWS CloudTrail records AWS API activity, not operating-system logins on the instance. Option C assigns vulnerability detection to Amazon CloudWatch, which is a monitoring and metrics service rather than a vulnerability scanner, and it refers to an AWS Config daemon for log collection, which is not how AWS Config works (it records resource configuration changes, not system logs).