AWS Certified Solutions Architect – Professional (SAP-C02) — Question 469

A company is deploying a new application on AWS. The application consists of an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and an Amazon Elastic Container Registry (Amazon ECR) repository. The EKS cluster has an AWS managed node group.

The company's security guidelines state that all resources on AWS must be continuously scanned for security vulnerabilities.

Which solution will meet this requirement with the LEAST operational overhead?

Answer options

• A. Activate AWS Security Hub. Configure Security Hub to scan the EKS nodes and the ECR repository.
• B. Activate Amazon Inspector to scan the EKS nodes and the ECR repository.
• C. Launch a new Amazon EC2 instance and install a vulnerability scanning tool from AWS Marketplace. Configure the EC2 instance to scan the EKS nodes. Configure Amazon ECR to perform a basic scan on push.
• D. Install the Amazon CloudWatch agent on the EKS nodes. Configure the CloudWatch agent to scan continuously. Configure Amazon ECR to perform a basic scan on push.

Correct answer: B

Explanation

Amazon Inspector is a fully managed vulnerability management service that automatically and continuously scans AWS workloads, including Amazon EC2 instances (such as EKS nodes) and Amazon ECR container images, with minimal setup. AWS Security Hub aggregates and prioritizes security findings but does not natively scan container images or EC2 instances for vulnerabilities. Implementing third-party tools on EC2 or leveraging CloudWatch agents for scanning would introduce significant manual configuration and administrative overhead.