AWS Certified Security – Specialty (SCS-C02) — Question 139

A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR). The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances. All the company's AWS accounts are in one organization in AWS Organizations. The company will analyze the workloads for software vulnerabilities and unintended network exposure. The company will push any findings to AWS Security Hub, which the company has configured for the organization.

The company must deploy the solution to all member accounts, including new accounts, automatically. When new workloads come online, the solution must scan the workloads.

Which solution will meet these requirements?

Answer options

• A. Use SCPs to configure scanning of EC2 instances and ECR containers for all accounts in the organization.
• B. Configure a delegated administrator for Amazon GuardDuty for the organization. Create an Amazon EventBridge rule to initiate analysis of ECR containers
• C. Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.
• D. Configure a delegated administrator for Amazon Inspector for the organization. Create an AWS Config rule to initiate analysis of ECR containers.

Correct answer: C

Explanation

The correct answer is C because configuring a delegated administrator for Amazon Inspector allows the organization to manage and automate vulnerability assessments across all member accounts, including new ones. Options A and B do not specifically address the scanning requirement for workloads or are not focused on the automatic scanning of new accounts. Option D lacks the automatic scanning feature necessary for new workloads.