AWS Certified DevOps Engineer – Professional — Question 34

A company wants to ensure that their EC2 instances are secure. They want to be notified if any new vulnerabilities are discovered on their instances, and they also want an audit trail of all login activities on the instances.
Which solution will meet these requirements?

Answer options

• A. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Amazon Kinesis Agent to capture system logs and deliver them to Amazon S3.
• B. Use AWS Systems Manager to detect vulnerabilities on the EC2 instances. Install the Systems Manager Agent to capture system logs and view login activity in the CloudTrail console.
• C. Configure Amazon CloudWatch to detect vulnerabilities on the EC2 instances. Install the AWS Config daemon to capture system logs and view them in the AWS Config console.
• D. Configure Amazon Inspector to detect vulnerabilities on the EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and record them via Amazon CloudWatch Logs.

Correct answer: D

Explanation

The correct answer is D because Amazon Inspector is specifically designed to assess and identify vulnerabilities in EC2 instances, while the Amazon CloudWatch Agent can capture system logs and send them to CloudWatch Logs for monitoring. Options A and B do not use Amazon Inspector for vulnerability detection, and option C uses CloudWatch for monitoring instead of the appropriate tools for vulnerability assessment.