AWS Certified Solutions Architect – Associate (SAA-C03) — Question 318

A company experienced a breach that affected several applications in its on-premises data center. The attacker took advantage of vulnerabilities in the custom applications that were running on the servers. The company is now migrating its applications to run on Amazon EC2 instances. The company wants to implement a solution that actively scans for vulnerabilities on the EC2 instances and sends a report that details the findings.

Which solution will meet these requirements?

Answer options

• A. Deploy AWS Shield to scan the EC2 instances for vulnerabilities. Create an AWS Lambda function to log any findings to AWS CloudTrail.
• B. Deploy Amazon Macie and AWS Lambda functions to scan the EC2 instances for vulnerabilities. Log any findings to AWS CloudTrail.
• C. Turn on Amazon GuardDuty. Deploy the GuardDuty agents to the EC2 instances. Configure an AWS Lambda function to automate the generation and distribution of reports that detail the findings.
• D. Turn on Amazon Inspector. Deploy the Amazon Inspector agent to the EC2 instances. Configure an AWS Lambda function to automate the generation and distribution of reports that detail the findings.

Correct answer: D

Explanation

Amazon Inspector is a vulnerability management service that continuously scans AWS workloads, including Amazon EC2 instances, for software vulnerabilities and unintended network exposure. AWS Shield is designed for DDoS protection, Amazon Macie is for identifying and protecting sensitive data, and Amazon GuardDuty is a threat detection service rather than a dedicated vulnerability scanner. Therefore, combining Amazon Inspector with an AWS Lambda function to automate reporting is the correct solution.