Exam AWS Certified Cloud Practitioner CLF-C02 topic 1 question 2 discussion

Amazon Inspector for Audit CloudWatch for monitoring Config for compliance

Inspector is all about security assessments of AWS based applications and their configurations against known vulnerabilities. GuardDuty is all about continuously and automatically process different foundational data sources such as CloudTrail event logs, VPC flow logs and DNS logs to find potential security threat over an entire AWS account not just only with applications and it also uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within AWS environment. So as far as assessment is concerned Inspector is the right answer.

The correct answer is: ✅ B. Amazon Inspector Explanation: Amazon Inspector is the AWS service designed to: Assess vulnerabilities in applications running on Amazon EC2 instances Automatically scan for software vulnerabilities and deviations from security best practices Integrate with AWS services like EC2, ECR, and Lambda to provide continuous scanning It is the most appropriate choice for identifying application-level security issues and misconfigurations on EC2. Why not the others? A. AWS Trusted Advisor: Checks for general best practices across AWS (cost, performance, limits, etc.), but not deep vulnerability scans. C. AWS Config: Tracks resource configuration compliance, not security vulnerabilities. D. Amazon GuardDuty: Detects threats and malicious activity, but doesn’t assess software/application vulnerabilities.

i guess it by naming

Amazon inspector Assess application vulnerabilities and Identify infrastructure misconfigurations and deviations

B is the answer

Amazon Inspector is a vulnerability management service designed to: • Automatically assess applications running on Amazon EC2 instances (and other compute environments like ECS with Fargate). • Scan for known vulnerabilities (CVEs) in software packages. • Evaluate the application and OS configurations against security best practices. • Continuously monitor the environment and trigger automated assessments upon deployments or changes. 🔍 It directly addresses both parts of the requirement: “assess application vulnerabilities” and “identify infrastructure that doesn’t meet best practices”.

A is correct

It is a correct answer

For people saying it is A) Trusted Advisor, the documentation for it Never mentions vulnerabilties. In the context of vulnerabiltirs the question is asking about security best practices therefore it is Inspector as that is a security focused product.

Amazon Insepector is an automated security assessment service that scans EC2 instances for vulnerabilities and assesses applications for exposure, vulnerabilities, and deviations from best practices.

Inspector - audit Cloud watch - monitoring Config - compliance

Performs vunerabilities scanning on : EC2, lamda Identifies CVEs

Inspector for security assessments of applications

AWS Trusted Advisor provide the recommandations, AWS config for config and AWS GuardDuty for detections threats.

From the AWS skill builder website: AWS Inspector: It checks applications for security vulnerabilities and deviations from security best practices, such as open access to Amazon EC2 instances and installations of vulnerable software versions.

While both AWS Trusted Advisor and Inspector are tools to help optimize your AWS environment, the key difference is that Trusted Advisor provides high-level recommendations based on best practices across your entire AWS account, while Inspector focuses on actively scanning your EC2 instances and other workloads for specific security vulnerabilities using an agent-based approach