AWS Certified Solutions Architect – Professional (SAP-C02) — Question 519

A company has several AWS Lambda functions written in Python. The functions are deployed with the .zip package deployment type. The functions use a Lambda layer that contains common libraries and packages in a .zip file. The Lambda .zip packages and Lambda layer .zip file are stored in an Amazon S3 bucket.

The company must implement automatic scanning of the Lambda functions and the Lambda layer to identify CVEs. A subset of the Lambda functions must receive automated code scans to detect potential data leaks and other vulnerabilities. The code scans must occur only for selected Lambda functions, not all the Lambda functions.

Which combination of actions will meet these requirements? (Choose three.)

Answer options

• A. Activate Amazon Inspector. Start automated CVE scans.
• B. Activate Lambda standard scanning and Lambda code scanning in Amazon Inspector.
• C. Enable Amazon GuardDuty. Enable the Lambda Protection feature in GuardDuty.
• D. Enable scanning in the Monitor settings of the Lambda functions that need code scans.
• E. Tag Lambda functions that do not need code scans. In the tag, include a key of InspectorCodeExclusion and a value of LambdaCodeScanning.
• F. Use Amazon Inspector to scan the 3 bucket that contains the Lambda .zip packages and the Lambda layer .zip file for code scans.

Correct answer: A, B, E

Explanation

Amazon Inspector is the native AWS service designed for automated vulnerability scanning of AWS Lambda functions and layers, requiring both standard scanning (for CVEs) and code scanning (for custom code vulnerabilities) to be enabled. To restrict code scans to only a specific subset of Lambda functions, you must use the exclusion tag 'InspectorCodeExclusion' with the value 'LambdaCodeScanning' on the functions you want to skip. Other options, such as GuardDuty or S3 bucket scanning, do not provide the package and code-level vulnerability analysis required for Lambda functions.