AWS Certified Security – Specialty (SCS-C02) — Question 266
A company is migrating container workloads from a data center to Amazon Elastic Container Service (Amazon ECS) clusters. The company must implement a solution to detect potential threats in the workloads and to improve the security posture of the container clusters.
Which solution will meet these requirements?
Answer options
- A. Configure Amazon Inspector on the VPC that is running the ECS clusters.
- B. Enable Amazon GuardDuty Runtime Monitoring on the ECS clusters.
- C. Audit Amazon ECS API access by using Amazon CloudWatch logs to identify unauthorized access.
- D. Create container clusters in the same VPC. Use VPC flow logs to centrally monitor network traffic.
Correct answer: B
Explanation
Amazon GuardDuty Runtime Monitoring is designed specifically to detect active, runtime threats in Amazon ECS workloads by analyzing operating-system-level events and container behavior. Amazon Inspector focuses on vulnerability scanning rather than real-time threat detection, and VPC flow logs and CloudWatch API logs provide only network and administrative metadata, not visibility into what is running inside a container. Therefore, enabling GuardDuty Runtime Monitoring is the most effective solution for detecting runtime threats within the container workloads.