AWS Certified Solutions Architect – Professional — Question 325
A company's security compliance requirements state that all Amazon EC2 images must be scanned for vulnerabilities and must pass a CVE assessment. A solutions architect is developing a mechanism to create security-approved AMIs that can be used by developers. Any new AMIs should go through an automated assessment process and be marked as approved before developers can use them. The approved images must be scanned every 30 days to ensure compliance.
Which combination of steps should the solutions architect take to meet these requirements while following best practices? (Choose two.)
Answer options
- A. Use the AWS Systems Manager EC2 agent to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
- B. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use Amazon EventBridge to trigger an AWS Systems Manager Automation document on all EC2 instances every 30 days.
- C. Use Amazon Inspector to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
- D. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use a managed AWS Config rule for continuous scanning on all EC2 instances, and use AWS Systems Manager Automation documents for remediation.
- E. Use AWS CloudTrail to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
Correct answer: B, C
Explanation
Amazon Inspector is the AWS service that performs vulnerability (CVE) assessments of EC2 instances, so an AMI is assessed by launching an instance from it and letting Inspector scan that instance (option C). To automate the approval workflow, an AWS Lambda function evaluates the Inspector findings against an approval rule (for example, no active findings at or above a chosen severity), records the AMIs that pass in a Systems Manager Parameter Store parameter that launch tooling can consult, and an Amazon EventBridge schedule triggers the Systems Manager Automation runbook that repeats the scan every 30 days (option B). The other options fail on the assessment step: CloudTrail records API activity and does not assess vulnerabilities (E); the Systems Manager Agent only provides the on-instance plumbing that Inspector uses to collect package inventory and does not itself evaluate CVEs (A); and a managed AWS Config rule evaluates resource configuration, not installed packages, so it cannot replace the CVE assessment (D).
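The approval rule and the Parameter Store bookkeeping that the correct answer describes, as an added example (not from the exam page or from AWS). It assumes a hypothetical parameter name `/ami/approved`, constructed findings in the shape of Inspector v2 `ListFindings` entries with placeholder CVE identifiers, and a constructed instance-to-AMI map; the `boto3` calls that would fetch the findings and write the parameter are noted in comments so the module runs offline. Approvals carry a 30-day expiry, and an AMI that fails its re-scan is revoked from the list.

```python
"""Inspector findings -> approval rule -> Parameter Store value (added example)."""
import json
from datetime import datetime, timedelta, timezone

APPROVAL_TTL = timedelta(days=30)        # approvals lapse unless re-scanned
SCHEDULE_EXPRESSION = "rate(30 days)"    # EventBridge rate expression for the re-scan rule
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
PARAMETER_NAME = "/ami/approved"         # hypothetical SSM parameter name
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed sample in the shape of Inspector v2 ListFindings "findings" entries.
# In the Lambda these would come from boto3.client("inspector2").list_findings().
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0001"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0aaaaaaaaaaaaaaaa"}]},
    {"severity": "LOW", "status": "ACTIVE", "type": "PACKAGE_VULNERABILITY",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbbbbbbbbbbbbbbb"}]},
    {"severity": "HIGH", "status": "CLOSED", "type": "PACKAGE_VULNERABILITY",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0003"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0bbbbbbbbbbbbbbbb"}]},
]

# Constructed instance -> AMI map (in practice the ImageId from ec2 DescribeInstances).
SAMPLE_INSTANCE_AMI = {
    "i-0aaaaaaaaaaaaaaaa": "ami-0aaaaaaaaaaaaaaaa",
    "i-0bbbbbbbbbbbbbbbb": "ami-0bbbbbbbbbbbbbbbb",
}


def blocking_findings(findings, instance_id):
    """Return the vulnerability IDs of ACTIVE findings on instance_id that block approval."""
    blocking = []
    for finding in findings:
        if finding.get("status") != "ACTIVE":
            continue  # CLOSED or SUPPRESSED findings do not count against the image
        if finding.get("severity") not in BLOCKING_SEVERITIES:
            continue
        on_instance = any(r.get("type") == "AWS_EC2_INSTANCE" and r.get("id") == instance_id
                          for r in finding.get("resources", []))
        if on_instance:
            details = finding.get("packageVulnerabilityDetails", {})
            blocking.append(details.get("vulnerabilityId", finding.get("type")))
    return blocking


def evaluate(findings, instance_ami, now=SAMPLE_NOW):
    """Apply the approval rule to each scanned instance.

    Returns ({ami_id: approval entry}, {ami_id: [blocking vulnerability IDs]}).
    """
    approved, rejected = {}, {}
    for instance_id, ami_id in instance_ami.items():
        blocking = blocking_findings(findings, instance_id)
        if blocking:
            rejected[ami_id] = blocking
        else:
            approved[ami_id] = {"ami": ami_id,
                                "scanned_at": now.isoformat(),
                                "expires_at": (now + APPROVAL_TTL).isoformat()}
    return approved, rejected


def merge_parameter(existing_json, approved, rejected, now=SAMPLE_NOW):
    """Build the new value for PARAMETER_NAME: drop expired entries and AMIs that
    failed this scan, then add or refresh the AMIs that passed. The Lambda would
    write the result with boto3.client("ssm").put_parameter(..., Overwrite=True)."""
    current = json.loads(existing_json) if existing_json else {"approved": []}
    kept = {}
    for entry in current["approved"]:
        if datetime.fromisoformat(entry["expires_at"]) <= now:
            continue  # older than 30 days: no longer compliant
        if entry["ami"] in rejected:
            continue  # failed the re-scan: revoke
        kept[entry["ami"]] = entry
    kept.update(approved)
    return json.dumps({"approved": sorted(kept.values(), key=lambda e: e["ami"])})


def is_approved(parameter_json, ami_id, now=SAMPLE_NOW):
    """The launch-time check: is ami_id on the list and not yet expired?"""
    return any(entry["ami"] == ami_id and datetime.fromisoformat(entry["expires_at"]) > now
               for entry in json.loads(parameter_json)["approved"])


def run_sample():
    """Run the rule over the constructed sample; returns (parameter value, rejected)."""
    approved, rejected = evaluate(SAMPLE_FINDINGS, SAMPLE_INSTANCE_AMI)
    return merge_parameter(None, approved, rejected), rejected


if __name__ == "__main__":
    value, rejected = run_sample()
    print(value)
    print("rejected:", rejected)
```

The rule treats only ACTIVE findings at CRITICAL or HIGH as blocking; a finding Inspector has closed (the package was patched) or that the team has suppressed does not hold the image back, and the severity threshold is the knob to tune to the compliance policy. Expiring the entry after 30 days means a launch check fails closed if the scheduled re-scan ever stops running, which is the behaviour you want from a compliance control.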