AWS Certified Security – Specialty (SCS-C02) — Question 229

A company runs workloads on Amazon EC2 instances. The company needs to continually monitor the EC2 instances for software vulnerabilities and must display the findings in AWS Security Hub. The company must not install agents on the EC2 instances.

Which solution will meet these requirements?

Answer options

• A. Enable Amazon Inspector. Set the scan mode to hybrid scanning. Enable the integration for Amazon Inspector in Security Hub.
• B. Use Security Hub to enable the AWS Foundational Security Best Practices standard. Wait for Security Hub to generate the findings.
• C. Enable Amazon GuardDuty. Initiate on-demand malware scans by using GuardDuty Malware Protection. Enable the integration for GuardDuty in Security Hub.
• D. Use AWS Config managed rules to detect EC2 software vulnerabilities. Ensure that Security Hub has the AWS Config integration enabled.

Correct answer: A

Explanation

The correct answer is A because Amazon Inspector allows for hybrid scanning without the need for agents, and its findings can be integrated into AWS Security Hub. Options B, C, and D do not provide a solution that meets the requirement of not installing agents while ensuring continuous monitoring for software vulnerabilities.