AWS Certified Security – Specialty (SCS-C03) — Question 30
A security engineer is designing security controls for a fleet of Amazon EC2 instances that run sensitive workloads in a VPC. The security engineer needs to implement a solution to detect and mitigate software vulnerabilities on the EC2 instances.
Which solution will meet this requirement?
Answer options
- A. Scan the EC2 instances by using Amazon Inspector. Apply security patches and updates by using AWS Systems Manager Patch Manager.
- B. Install host-based firewall and antivirus software on each EC2 instance. Use AWS Systems Manager Run Command to update the firewall and antivirus software.
- C. Install the Amazon CloudWatch agent on the EC2 instances. Enable detailed logging. Use Amazon EventBridge to review the software logs for anomalies.
- D. Scan the EC2 instances by using Amazon GuardDuty Malware Protection. Apply security patches and updates by using AWS Systems Manager Patch Manager.
Correct answer: A
Explanation
Option A is correct because Amazon Inspector continuously scans EC2 instances for known software vulnerabilities (package CVEs and unintended network exposure) and produces prioritized findings, while AWS Systems Manager Patch Manager applies the operating system and application patches that remediate those findings, so the pair covers both halves of the requirement: detection and mitigation. The other options fall short: B and C do not perform vulnerability scanning at all (host firewalls, antivirus, and log review in EventBridge detect activity, not unpatched software), and D uses GuardDuty Malware Protection, which scans for malware on attached storage rather than identifying vulnerable packages, so it is not designed for vulnerability management.
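The workflow behind option A, detect with Inspector and remediate with Patch Manager, is shown below as an added example; it is not code from the exam page or from AWS. It triages Inspector v2 package-vulnerability findings (a constructed sample in the shape of ListFindings output, with placeholder instance IDs and CVE IDs) into instances that Patch Manager can fix and packages that currently have no fixed version, then builds the request for the AWS-RunPatchBaseline document. The boto3 `ssm.send_command(**request)` call itself is left to the reader so the script runs offline.

```python
"""Triage Amazon Inspector EC2 findings into an SSM Patch Manager run."""
from collections import defaultdict

# Inspector v2 severity values, ranked so a threshold can be applied.
SEVERITY_RANK = {"UNTRIAGED": 0, "INFORMATIONAL": 1, "LOW": 2,
                 "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed sample findings (subset of Inspector v2 ListFindings fields).
# Instance IDs and CVE IDs below are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    {"findingArn": "arn:aws:inspector2:placeholder/1", "status": "ACTIVE",
     "severity": "CRITICAL", "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0placeholder-a"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001",
         "vulnerablePackages": [{"name": "openssl", "version": "1.0", "fixedInVersion": "1.1"}]}},
    {"findingArn": "arn:aws:inspector2:placeholder/2", "status": "ACTIVE",
     "severity": "LOW", "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0placeholder-b"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002",
         "vulnerablePackages": [{"name": "curl", "version": "7.0", "fixedInVersion": "7.1"}]}},
    {"findingArn": "arn:aws:inspector2:placeholder/3", "status": "ACTIVE",
     "severity": "HIGH", "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0placeholder-b"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0003",
         "vulnerablePackages": [{"name": "kernel", "version": "5.0"}]}},  # no fix yet
    {"findingArn": "arn:aws:inspector2:placeholder/4", "status": "CLOSED",
     "severity": "HIGH", "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0placeholder-c"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0004",
         "vulnerablePackages": [{"name": "bash", "version": "4.0", "fixedInVersion": "4.1"}]}},
    {"findingArn": "arn:aws:inspector2:placeholder/5", "status": "ACTIVE",
     "severity": "CRITICAL", "type": "PACKAGE_VULNERABILITY",
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "sha256:placeholder"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0005",
         "vulnerablePackages": [{"name": "zlib", "version": "1.0", "fixedInVersion": "1.2"}]}},
]


def _ec2_instance_ids(finding):
    """Return the EC2 instance IDs a finding applies to (ignores ECR, Lambda, ...)."""
    return [r["id"] for r in finding.get("resources", [])
            if r.get("type") == "AWS_EC2_INSTANCE"]


def triage(findings, min_severity="HIGH"):
    """Split active EC2 package findings at or above min_severity into
    (patchable, unfixable).  patchable maps instance ID -> [(cve, package, fixed_in)];
    unfixable lists (instance ID, cve, package) where no fixed version exists,
    which Patch Manager cannot remediate and which need a compensating control."""
    threshold = SEVERITY_RANK[min_severity]
    patchable = defaultdict(list)
    unfixable = []
    for f in findings:
        if f.get("status") != "ACTIVE" or f.get("type") != "PACKAGE_VULNERABILITY":
            continue
        if SEVERITY_RANK.get(f.get("severity", "UNTRIAGED"), 0) < threshold:
            continue
        details = f.get("packageVulnerabilityDetails", {})
        cve = details.get("vulnerabilityId", "unknown")
        for instance_id in _ec2_instance_ids(f):
            for pkg in details.get("vulnerablePackages", []):
                fixed_in = pkg.get("fixedInVersion")
                if fixed_in:
                    patchable[instance_id].append((cve, pkg["name"], fixed_in))
                else:
                    unfixable.append((instance_id, cve, pkg["name"]))
    return dict(patchable), unfixable


def patch_command_request(instance_ids, reboot_option="RebootIfNeeded"):
    """Build the keyword arguments for ssm.send_command() that run the
    AWS-RunPatchBaseline document in Install mode against the given instances.
    Targets (rather than InstanceIds) is used so the same shape scales to large fleets."""
    if reboot_option not in ("RebootIfNeeded", "NoReboot"):
        raise ValueError("RebootOption must be RebootIfNeeded or NoReboot")
    return {
        "DocumentName": "AWS-RunPatchBaseline",
        "Targets": [{"Key": "InstanceIds", "Values": sorted(set(instance_ids))}],
        "Parameters": {"Operation": ["Install"], "RebootOption": [reboot_option]},
        "Comment": "Remediate Amazon Inspector package findings",
    }


if __name__ == "__main__":
    patchable, unfixable = triage(SAMPLE_FINDINGS, min_severity="HIGH")
    for instance_id, items in patchable.items():
        print(instance_id, "->", items)
    print("no fix available:", unfixable)
    # Pass this dict as ssm.send_command(**request) with a real boto3 client.
    print(patch_command_request(patchable))
```

Findings with status other than ACTIVE and findings on non-EC2 resources are dropped before triage, and packages without a `fixedInVersion` are reported separately because running Patch Manager against them would not change the result; those are the cases where the engineer reaches for a compensating control (restricting network exposure, isolating the instance) until a fix ships.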