AWS Certified Security – Specialty — Question 144

A Security Engineer has several thousand Amazon EC2 instances split across production and development environments. Each instance is tagged with its environment. The Engineer needs to analyze and patch all the development EC2 instances to ensure they are not currently exposed to any common vulnerabilities or exposures (CVEs).
Which combination of steps is the MOST efficient way for the Engineer to meet these requirements? (Choose two.)

Answer options

• A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
• B. Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.
• C. Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using this CVE rule package on all instances tagged as being in the development environment.
• D. Install the Amazon EC2 System Manager agent on all development instances. Issue the Run command to EC2 System Manager to update all instances.
• E. Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.

Correct answer: C, D

Explanation

Option C is correct because it leverages Amazon Inspector's built-in CVE rule package to efficiently scan and identify vulnerabilities in the development instances. Option D is also correct as it utilizes EC2 System Manager to update all instances in a centralized manner, ensuring they are all patched. The other options are less efficient as they either require manual checks (A) or do not utilize the most effective tools for vulnerability management (B, E).