AWS Certified SysOps Administrator – Associate (legacy) — Question 45
A workload has been moved from a data center to AWS. Previously, vulnerability scans were performed nightly by an external testing company. There is a mandate to continue the vulnerability scans in the AWS environment with third-party testing occurring at least once each month.
What solution allows the vulnerability scans to continue without violating the AWS Acceptable Use Policy?
Answer options
- A. The existing nightly scan can continue with a few changes. The external testing company must be notified of the new IP address of the workload and the security group of the workload must be modified to allow scans from the external company's IP range.
- B. If the external company is a vendor in the AWS Marketplace, notify them of the new IP address of the workload.
- C. Submit a penetration testing request every 90 days and have the external company test externally when the request is approved.
- D. AWS performs vulnerability testing behind the scenes daily and patches instances as needed. If a vulnerability cannot be automatically addressed, a notification email is distributed.
Correct answer: A
Explanation
Option A is correct because it lets the external testing company continue its scans: the company is given the new IP address of the workload, and the workload's security group is modified to allow inbound traffic from the company's IP range, which complies with AWS policies. Option B is incorrect because being listed in the AWS Marketplace does not by itself permit vulnerability scans; the security group must still be configured to allow them. Option C is not suitable because a request every 90 days implies a limited and infrequent testing schedule that does not meet the mandate of monthly tests. Option D is misleading because it suggests AWS handles all vulnerabilities automatically, whereas external testing is still required to meet the mandate.