AWS Certified Security – Specialty (SCS-C02) — Question 243
A company has used AWS Lambda functions to build an application on AWS. The company’s security engineer implemented Amazon Inspector and activated Lambda standard scanning and Lambda code scanning.
The security engineer reviews the Amazon Inspector console and learns that Amazon Inspector is not scanning some of the Lambda functions. The provided reason is that the scan eligibility expired.
What should the security engineer do to investigate the reason that the scans are failing?
Answer options
- A. Validate that the AmazonInspector2ServiceRolePolicy AWS managed policy grants permissions to access Lambda.
- B. Increase the timeout value of the Lambda functions to complete the scans successfully while the code is running.
- C. Build a custom runtime for the unscanned Lambda functions. Include the Amazon Inspector agent in the runtime.
- D. Determine whether the unscanned Lambda functions have been invoked in the last 90 days.
Correct answer: D
Explanation
The correct answer is D because Amazon Inspector only scans Lambda functions that have been invoked in the last 90 days. A function that has not been invoked within that window is excluded from scanning, and the console reports its scan eligibility as expired, which is exactly the reason shown here. The other options focus on IAM permissions, function timeout settings, or custom runtimes; none of these affects scan eligibility, which depends only on the function's invocation history.