AWS Certified Security – Specialty (SCS-C02) — Question 247
A security engineer is designing security controls for a fleet of Amazon EC2 instances that run sensitive workloads in a VPC. The security engineer needs to implement a solution to detect and mitigate software vulnerabilities on the EC2 instances.
Which solution will meet this requirement?
Answer options
- A. Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager.
- B. Install host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.
- C. Install the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.
- D. Scan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.
Correct answer: A
Explanation
Option A is correct because Amazon Inspector continuously scans EC2 instances for known software vulnerabilities (it collects installed-package inventory through the SSM Agent) and unintended network exposure, while AWS Systems Manager Patch Manager applies the operating-system and application patches that remediate those findings, so the pair covers both detection and mitigation. Option B relies on third-party host-based firewall and antivirus software, which addresses malware and network traffic rather than unpatched software, and is less integrated with AWS services. Option C focuses on logging and anomaly detection; CloudWatch logs and EventBridge rules do not identify vulnerable software packages. Option D incorrectly uses Amazon GuardDuty Malware Protection for scanning: it scans EBS volumes for malware rather than assessing installed software for vulnerabilities, and it still depends on Patch Manager for the patching step.