Check Compliance of Company's EC2 Instances | AWS Certified Security - Specialty Exam Prep

Check Compliance of Company's EC2 Instances

Question

Company policy requires that all EC2 servers are not exposed to common vulnerabilities and exposures (CVEs).

The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?

Answers

Explanations


Answer - D.

Option A is incorrect because Config rules cannot be set directly as the target of a scheduled CloudWatch Events rule.

In addition, the managed Config rule (restricted-common-ports) has to be explicitly configured with every port that should be restricted.

Option B is incorrect because querying the Trusted Advisor APIs in this way is not possible.

Option C is incorrect because GuardDuty is used to detect threats, not to check compliance of security configurations.

Option D is CORRECT because Amazon Inspector can use the common vulnerabilities and exposures rules to verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs).

For more information, please refer to the below URL.

https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html

The company requires that all EC2 instances are not exposed to common vulnerabilities and exposures (CVEs), and the security team would like to regularly check all servers to ensure compliance. A scheduled CloudWatch event can trigger this review of the current infrastructure.

To check compliance of the company's EC2 instances, we need to choose an appropriate process that will evaluate each instance for compliance with the required policy. Let's examine each of the four answer options in detail to determine which one is the most appropriate:

A. Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config Rules is a feature that allows you to define rules that evaluate resource configurations for compliance with desired policies. The restricted-common-ports rule checks whether the EC2 instance is using common, vulnerable ports.

This option is somewhat related to the company policy, but it is not sufficient to check whether all EC2 instances are free from CVEs. Instead, it checks only whether the instances are using common, vulnerable ports.

B. Query the Trusted Advisor API for all best practice security checks and check for "action recommended" status.

AWS Trusted Advisor is a service that helps you optimize your AWS resources for better security, performance, reliability, and cost-effectiveness. It provides best practices checks that evaluate your AWS infrastructure for security, performance, and cost optimization.

While it is possible to query the Trusted Advisor API to obtain security-related best practices checks, this option does not specifically address the company policy requiring that all EC2 instances are not exposed to CVEs. Moreover, the "action recommended" status in Trusted Advisor is more of an advisory and not necessarily an indicator of compliance with specific policies.

C. Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS environment. GuardDuty uses machine learning and anomaly detection techniques to identify threats to your AWS resources.

This option is related to security and detecting malicious activity, but it does not specifically address the company policy requiring that all EC2 instances are not exposed to CVEs. Moreover, targeting the port configuration is only one aspect of checking for CVEs, and this option may not be comprehensive enough to ensure compliance with the required policy.

D. Run an Amazon Inspector assessment using the common vulnerabilities and exposures rules package against every EC2 instance.

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector assessments are based on the Common Vulnerabilities and Exposures (CVE) database, which provides a list of known software vulnerabilities.

This option is the most appropriate process to check compliance with the company policy requiring that all EC2 instances are not exposed to CVEs. Running an Amazon Inspector assessment using the CVE rules package against every EC2 instance will thoroughly check for CVEs and ensure compliance with the required policy.
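As an added illustration (not part of the original question or explanation), here is a Python Lambda handler that a scheduled CloudWatch Events rule can invoke: it builds an Inspector Classic assessment template restricted to the CVE rules package, starts a run against the assessment target, and summarises which instances have findings at or above a chosen severity. Assumptions: the boto3 `inspector` (Inspector Classic) client; the rule passes the assessment target ARN as constant JSON input under the key `assessmentTargetArn`; `FakeInspector` is a constructed stand-in with placeholder finding titles so the helpers can be exercised offline.

```python
from collections import defaultdict

CVE_PACKAGE = "Common Vulnerabilities and Exposures"  # name of the Inspector Classic CVE rules package
RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}  # Inspector Classic severity levels

def find_cve_rules_package(inspector):
    """Return the ARN of the CVE rules package offered in this region."""
    arns = inspector.list_rules_packages()["rulesPackageArns"]
    for pkg in inspector.describe_rules_packages(rulesPackageArns=arns)["rulesPackages"]:
        if pkg["name"] == CVE_PACKAGE:
            return pkg["arn"]
    raise LookupError("CVE rules package not available in this region")

def start_cve_assessment(inspector, target_arn, duration=3600):
    """Create a template limited to the CVE package and start a run against the target."""
    template_arn = inspector.create_assessment_template(
        assessmentTargetArn=target_arn, assessmentTemplateName="scheduled-cve-check",
        durationInSeconds=duration, rulesPackageArns=[find_cve_rules_package(inspector)],
    )["assessmentTemplateArn"]
    return inspector.start_assessment_run(
        assessmentTemplateArn=template_arn, assessmentRunName="cve-check")["assessmentRunArn"]

def noncompliant_instances(inspector, run_arn, min_severity="High"):
    """Map each instance (agent id) to its CVE finding titles at or above min_severity."""
    arns = inspector.list_findings(assessmentRunArns=[run_arn])["findingArns"]
    hits = defaultdict(list)
    for i in range(0, len(arns), 10):  # describe_findings accepts at most 10 ARNs per call
        for f in inspector.describe_findings(findingArns=arns[i:i + 10])["findings"]:
            if RANK.get(f["severity"], 0) >= RANK[min_severity]:
                hits[f["assetAttributes"]["agentId"]].append(f["title"])
    return dict(hits)

def lambda_handler(event, context):
    """Target of the scheduled CloudWatch Events rule; assumes the rule's constant input carries the target ARN."""
    import boto3  # imported here so the helpers above stay importable without boto3
    run_arn = start_cve_assessment(boto3.client("inspector"), event["assessmentTargetArn"])
    return {"assessmentRunArn": run_arn}

class FakeInspector:
    """Constructed stand-in for the boto3 Inspector Classic client, for an offline dry run."""
    PKGS = {"arn:pkg:cve": CVE_PACKAGE, "arn:pkg:cis": "CIS Operating System Security Configuration Benchmarks"}
    FINDINGS = {"f1": ("i-0aaa", "High", "CVE-PLACEHOLDER-1"), "f2": ("i-0aaa", "Low", "CVE-PLACEHOLDER-2"),
                "f3": ("i-0bbb", "Medium", "CVE-PLACEHOLDER-3")}  # constructed sample findings
    def list_rules_packages(self): return {"rulesPackageArns": list(self.PKGS)}
    def describe_rules_packages(self, rulesPackageArns):
        return {"rulesPackages": [{"arn": a, "name": self.PKGS[a]} for a in rulesPackageArns]}
    def create_assessment_template(self, **kw): return {"assessmentTemplateArn": "arn:tmpl:" + "+".join(kw["rulesPackageArns"])}
    def start_assessment_run(self, **kw): return {"assessmentRunArn": "arn:run:" + kw["assessmentTemplateArn"]}
    def list_findings(self, assessmentRunArns): return {"findingArns": list(self.FINDINGS)}
    def describe_findings(self, findingArns):
        return {"findings": [{"assetAttributes": {"agentId": i}, "severity": s, "title": t}
                             for i, s, t in (self.FINDINGS[a] for a in findingArns)]}
```

Because Inspector runs are asynchronous, a real deployment would read findings from a second invocation (or an Inspector SNS notification) once the run has completed rather than immediately after `start_assessment_run`.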

In conclusion, the most appropriate process to check compliance with the company policy requiring that all EC2 instances are not exposed to CVEs is to run an Amazon Inspector assessment using the common vulnerabilities and exposures rules package against every EC2 instance (Option D).