Question
A company wants to implement host-based security for Amazon EC2 instances and containers in Amazon Elastic Container Registry (Amazon ECR). The company has deployed AWS Systems Manager Agent (SSM Agent) on the EC2 instances. All the company’s AWS accounts are in one organization in AWS Organizations. The company will analyze the workloads for software vulnerabilities and unintended network exposure. The company will push any findings to AWS Security Hub, which the company has configured for the organization.
The company must deploy the solution to all member accounts, including new accounts, automatically. When new workloads come online, the solution must scan the workloads. Which solution will meet these requirements?
A. Use SCPs to configure scanning of EC2 instances and ECR containers for all accounts in the organization.
B. Configure a delegated administrator for Amazon GuardDuty for the organization. Create an Amazon EventBridge rule to initiate analysis of ECR containers.
C. Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.
D. Configure a delegated administrator for Amazon Inspector for the organization. Create an AWS Config rule to initiate analysis of ECR containers.
Answer
C. Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.
Explanation
The correct answer is C. Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.
Amazon Inspector is a service that helps you continuously assess and improve the security of your AWS resources. It can scan EC2 instances and ECR containers for software vulnerabilities and unintended network exposure. Inspector can also push findings to AWS Security Hub, which can help you track and remediate security issues across your organization.
To meet the requirements of the question, you would need to configure a delegated administrator for Amazon Inspector for the organization. This would allow you to delegate the permissions to scan EC2 instances and ECR containers to other users in the organization. You would also need to configure automatic scanning for new member accounts. This would ensure that all new accounts in the organization are scanned for vulnerabilities as soon as they are created.
The other options are not as suitable for this scenario. Option A would require you to create SCPs, which can be difficult to manage and maintain. Option B would require you to use Amazon GuardDuty, which is not as well-suited for scanning ECR containers. Option D would require you to create an AWS Config rule, which is not as comprehensive as Amazon Inspector.
Here are the steps to configure Amazon Inspector to meet the requirements of the question:
- Create a delegated administrator for Amazon Inspector for the organization.
- Configure automatic scanning for new member accounts.
- Scan EC2 instances and ECR containers for vulnerabilities.
- Push findings to AWS Security Hub.
Once you have configured Amazon Inspector, it will automatically scan your EC2 instances and ECR containers for vulnerabilities. Any findings will be pushed to AWS Security Hub, where you can track and remediate them.
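The steps above as an added shell example using the AWS CLI (this is not code from the page or from AWS documentation). The account IDs and Region are placeholders, and DRY_RUN=1 prints each command instead of executing it so the rollout can be reviewed first.

```shell
#!/bin/sh
# Added example: enable Amazon Inspector organization-wide with EC2 and ECR scanning
# auto-enabled for new member accounts. Account IDs and Region below are placeholders.
# DRY_RUN=1 prints each AWS CLI command instead of executing it.

DELEGATED_ADMIN="${DELEGATED_ADMIN:-111111111111}"   # placeholder: delegated admin account
REGION="${REGION:-us-east-1}"                         # Region where Inspector and Security Hub run
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1, from the management account: make DELEGATED_ADMIN the Inspector administrator.
# Organizations must trust the Inspector service principal before Inspector accepts the delegation.
register_delegated_admin() {
  run aws organizations register-delegated-administrator \
      --account-id "$DELEGATED_ADMIN" --service-principal inspector2.amazonaws.com
  run aws inspector2 enable-delegated-admin-account \
      --delegated-admin-account-id "$DELEGATED_ADMIN" --region "$REGION"
}

# Step 2, from the delegated admin account: scan EC2 and ECR automatically in accounts
# that join the organization later, so new workloads are covered without manual onboarding.
enable_auto_scanning() {
  run aws inspector2 update-organization-configuration \
      --auto-enable ec2=true,ecr=true --region "$REGION"
}

# Step 3, from the delegated admin account: auto-enable does not reach accounts that already
# exist, so associate each current member and activate EC2 and ECR scanning for it.
enable_existing_members() {
  for acct in "$@"; do
    run aws inspector2 associate-member --account-id "$acct" --region "$REGION"
    run aws inspector2 enable --resource-types EC2 ECR --account-ids "$acct" --region "$REGION"
  done
}

# Check: confirm both auto-enable flags read true before relying on coverage of new accounts.
verify_org_config() {
  run aws inspector2 describe-organization-configuration --region "$REGION" \
      --query 'autoEnable.[ec2,ecr]' --output text
}

case "${1:-}" in
  register)    register_delegated_admin ;;
  auto-enable) enable_auto_scanning ;;
  enable)      shift; enable_existing_members "$@" ;;
  verify)      verify_org_config ;;
esac
```

Step 1 runs with management-account credentials and the remaining steps with the delegated administrator's credentials. Inspector sends its findings to Security Hub by default once both services are enabled in the same Region, so the final step on the page needs no separate call.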