AWS Certified Security – Specialty — Question 438

A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR). The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances. All the company's AWS accounts are in one organization in AWS Organizations. The company will analyze the workloads for software vulnerabilities and unintended network exposure. The company will push any findings to AWS Security Hub, which the company has configured for the organization.

The company must deploy the solution to all member accounts, including new accounts, automatically. When new workloads come online, the solution must scan the workloads.

Which solution will meet these requirements?

Answer options

Correct answer: C

Explanation

Amazon Inspector is the native AWS service designed to scan Amazon EC2 instances and Amazon ECR images for software vulnerabilities and unintended network exposure. By configuring a delegated administrator for Amazon Inspector within AWS Organizations, the organization can automatically enable scanning for all existing and newly created member accounts. Amazon GuardDuty is a threat detection service, not a vulnerability scanner, and Service Control Policies (SCPs) cannot be used to configure vulnerability scanning.
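The configuration described in the explanation, as an added example that is not part of the original question page: the AWS CLI steps that register a delegated administrator for Amazon Inspector, auto-enable EC2 and ECR scanning for all current and future member accounts, and enable the Inspector product integration in Security Hub. The account ID and Region are placeholders (set them via `DELEGATED_ADMIN_ACCOUNT` and `AWS_REGION`); the script assumes AWS CLI v2 with the `inspector2` command group. Step 1 runs with management-account credentials, steps 2 and 3 with delegated-administrator credentials. Inspector's EC2 scanning uses the SSM Agent the question says is already deployed, so no additional agent rollout is needed.

```shell
#!/bin/sh
# Added example (not from the question page): wire up Amazon Inspector for an
# AWS Organization so every member account, including new ones, is scanned.
# Placeholders: DELEGATED_ADMIN_ACCOUNT and AWS_REGION. With DRY_RUN=1 the
# commands are printed instead of executed; set INSPECTOR_APPLY=1 to run all steps.

DELEGATED_ADMIN_ACCOUNT="${DELEGATED_ADMIN_ACCOUNT:-111122223333}"   # placeholder account ID
AWS_REGION="${AWS_REGION:-us-east-1}"                                 # placeholder Region
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Step 1 (management account): make one member account the Inspector delegated admin.
delegate_inspector_admin() {
  run aws inspector2 enable-delegated-admin-account \
      --delegated-admin-account-id "$DELEGATED_ADMIN_ACCOUNT" \
      --region "$AWS_REGION"
}

# Step 2 (delegated admin account): auto-enable EC2 and ECR scanning for every
# existing and newly added member account, and enable scanning in the admin
# account itself. New workloads in those accounts are then scanned as they appear.
configure_org_scanning() {
  run aws inspector2 update-organization-configuration \
      --auto-enable ec2=true,ecr=true \
      --region "$AWS_REGION"
  run aws inspector2 enable \
      --resource-types EC2 ECR \
      --region "$AWS_REGION"
}

# Step 3 (delegated admin account): accept Inspector findings into Security Hub.
enable_securityhub_integration() {
  run aws securityhub enable-import-findings-for-product \
      --product-arn "arn:aws:securityhub:${AWS_REGION}::product/aws/inspector" \
      --region "$AWS_REGION"
}

# Full sequence; in practice steps 1 and 2-3 run under different credentials.
configure_inspector_org() {
  delegate_inspector_admin
  configure_org_scanning
  enable_securityhub_integration
}

# Only execute when explicitly asked, so sourcing this file has no side effects.
if [ "${INSPECTOR_APPLY:-0}" = "1" ]; then
  configure_inspector_org
fi
```

Preview the exact commands first with `DRY_RUN=1 INSPECTOR_APPLY=1 sh inspector-org.sh`; the delegated administrator must be registered before `update-organization-configuration` will succeed, which is why the steps are ordered as they are.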