
WhizQuiz Oct 22

You want to get a list of vulnerabilities for an EC2 Instance as per the guidelines set by the Center of Internet Security. How can you go about doing this?

  • Enable AWS Guard Duty for the Instance
  • Use AWS Trusted Advisor
  • Use AWS Inspector
  • Use AWS Macie


AWS Inspector is correct.

As mentioned in AWS Docs here:

“Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.”


Here are my thoughts on it:

Amazon Macie:
Amazon Macie helps you protect your data in Amazon S3 by helping you classify what data you have, the value that data has to the business, and the behavior associated with access to that data. So it’s not the correct answer.

AWS Guard Duty:
AWS Guard Duty is an automated threat-detection service that can be quickly enabled, does not require agents to be installed, and monitors unusual account usage using sources like AWS CloudTrail logs, DNS logs, and other sources.
In the question, the requirement is to get the list of vulnerabilities for an EC2 Instance. So it’s not a valid option here.

Amazon Inspector:
Amazon Inspector is a low-impact, low-cost, agent-based vulnerability scanner.
Use it, for example, to automate vulnerability assessments and make them part of your deployment process.

AWS customers can also run Amazon Inspector assessments to improve the security and compliance of applications deployed on EC2 instances.
Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices and includes a knowledge base of hundreds of rules mapped to common security compliance standards (e.g., PCI DSS) and vulnerability definitions.

Amazon Inspector is specially designed for EC2 instances and it works within the EC2 instances. It checks EC2 configuration, operating system patches and vulnerabilities. So, it’s the correct answer.

https://aws.amazon.com/answers/security/aws-securing-ec2-instances/

https://aws.amazon.com/about-aws/whats-new/2018/08/amazon-inspector-adds-cis-benchmark-support-for-additional-linux-operating-systems/

Trusted Advisor:
Trusted Advisor works at the AWS account level and it provides best practices. So, this is not suitable here.

Cheers…!

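As an added example, not part of this thread or of any AWS sample, here is a small Python helper that does what the explanation above describes Inspector doing: it filters findings to one EC2 instance and orders them by severity. The sample findings are constructed in the shape of the current Inspector (v2) `list_findings` output, the instance ids are placeholders, and the live `fetch_findings` helper assumes boto3 with AWS credentials configured.

```python
"""Added example: filter Amazon Inspector findings to one EC2 instance and
order them by severity (most severe first). Sample findings are constructed."""
from collections import Counter

# Inspector severity labels, most severe first.
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2,
                  "LOW": 3, "INFORMATIONAL": 4, "UNTRIAGED": 5}

# Constructed sample in the shape of Inspector (v2) list_findings output.
SAMPLE_FINDINGS = [
    {"findingArn": "arn:example:f1", "severity": "MEDIUM",
     "title": "CVE-EXAMPLE-0001 - openssl",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1"}]},
    {"findingArn": "arn:example:f2", "severity": "CRITICAL",
     "title": "CVE-EXAMPLE-0002 - kernel",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1"}]},
    {"findingArn": "arn:example:f3", "severity": "HIGH",
     "title": "CVE-EXAMPLE-0003 - curl",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example2"}]},
    {"findingArn": "arn:example:f4", "severity": "LOW",
     "title": "CVE-EXAMPLE-0004 - bash",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0example1"}]},
]

def findings_for_instance(findings, instance_id):
    """Keep only findings whose resources include the given EC2 instance."""
    return [f for f in findings
            if any(r.get("type") == "AWS_EC2_INSTANCE" and r.get("id") == instance_id
                   for r in f.get("resources", []))]

def prioritize(findings):
    """Sort by severity (unknown labels sink to the bottom), then by title."""
    return sorted(findings, key=lambda f: (
        SEVERITY_ORDER.get(f.get("severity", ""), 99), f.get("title", "")))

def severity_summary(findings):
    """Count findings per severity label, for a quick triage overview."""
    return dict(Counter(f.get("severity", "UNTRIAGED") for f in findings))

def fetch_findings(instance_id, region="us-east-1"):
    """Live variant (not run offline): page through Inspector's ListFindings,
    filtered server-side to this instance. Assumes boto3 and AWS credentials."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    client = boto3.client("inspector2", region_name=region)
    criteria = {"resourceType": [{"comparison": "EQUALS", "value": "AWS_EC2_INSTANCE"}],
                "resourceId": [{"comparison": "EQUALS", "value": instance_id}]}
    found = []
    for page in client.get_paginator("list_findings").paginate(filterCriteria=criteria):
        found.extend(page.get("findings", []))
    return prioritize(found)

if __name__ == "__main__":
    for f in prioritize(findings_for_instance(SAMPLE_FINDINGS, "i-0example1")):
        print(f["severity"], f["title"])
```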

Great Explanation. Thank you for sharing knowledge with us!