Which service is MOST suitable to automatically scan EC2 instances and container images for known software vulnerabilities and assess the risk?

Correct answer: C

Explanation

This question asks you to identify the vulnerability scanning and assessment service. The key phrases in the question are:

  • Clue 1, "known software vulnerabilities": known vulnerabilities such as CVEs are the target.
  • Clue 2, "automatically scan": continuous inspection = Inspector.
  • Clue 3, "assess the risk": assess the severity of the detected vulnerabilities.
A. Incorrect

Amazon Macie

Macie is a service that discovers and classifies sensitive data in Amazon S3.

It does not scan for software vulnerabilities, so this is incorrect.

B. Incorrect

AWS Security Hub

AWS Security Hub is a service that aggregates security findings from Inspector, GuardDuty, and others and shows compliance status in one place.

It collects and organizes findings rather than scanning EC2 instances or container images for vulnerabilities itself, so this is incorrect.

C. Correct

Amazon Inspector

Correct. Amazon Inspector is a service that continuously scans EC2 instances, container images (ECR), and Lambda functions and automatically detects known vulnerabilities (CVEs) and unintended network exposure to assess risk. It automates vulnerability management.

D. Incorrect

Amazon GuardDuty

Amazon GuardDuty is a service that analyzes CloudTrail, VPC flow logs, DNS logs, and more to detect suspicious activity (threats).

Its focus is runtime behavior and network communication; it does not scan for known software vulnerabilities as such, so this is incorrect.

Key Takeaway

'Vulnerability scanning' and 'assessment of EC2/container images/Lambda' are Amazon Inspector. Sensitive data is Macie, threat detection is GuardDuty, and aggregating findings is Security Hub. Lock in the mapping of names to roles.