Exam AWS Certified Solutions Architect - Professional topic 1 question 672 discussion

A company's security compliance requirements state that all Amazon EC2 images must be scanned for vulnerabilities and must pass a CVE assessment. A solutions architect is developing a mechanism to create security-approved AMIs that can be used by developers. Any new AMIs should go through an automated assessment process and be marked as approved before developers can use them. The approved images must be scanned every 30 days to ensure compliance.
Which combination of steps should the solutions architect take to meet these requirements while following best practices? (Choose two.)

  • A. Use the AWS Systems Manager EC2 agent to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
  • B. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use Amazon EventBridge to trigger an AWS Systems Manager Automation document on all EC2 instances every 30 days.
  • C. Use Amazon Inspector to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
  • D. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use a managed AWS Config rule for continuous scanning on all EC2 instances, and use AWS Systems Manager Automation documents for remediation.
  • E. Use AWS CloudTrail to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
Suggested Answer: BC
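As an added example that is not part of the question or of any comment below, here is the "automatic approval rules" half of answer B written as a Lambda handler: it evaluates per-AMI CVE findings against a severity policy, publishes the approved AMI list to a Parameter Store parameter, and decides whether an already-approved image is due for its 30-day re-scan. Everything not in the question is an assumption: the flattened findings format, the parameter name `/golden-ami/approved`, the CRITICAL/HIGH blocking threshold, the placeholder CVE identifiers, and the `FakeSsm` stand-in used so the rule can be exercised offline. In a real deployment the findings come from Amazon Inspector and `ssm` is a boto3 SSM client.

```python
"""Approval-rule logic for a security-approved (golden) AMI pipeline.

Added example; not taken from the exam question or the AWS blog posts.
Assumptions: Inspector findings have already been flattened into
{"cve": ..., "severity": ...} dicts keyed by AMI id, and the approved
list is one StringList parameter. The SSM client is injected so that
the rule can run and be tested without AWS credentials.
"""
from datetime import datetime, timedelta

APPROVED_PARAM = "/golden-ami/approved"      # hypothetical parameter name
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}   # policy choice, an assumption
RESCAN_INTERVAL = timedelta(days=30)         # from the question: re-scan every 30 days

# Constructed sample input; the CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = {
    "ami-0aaa111": [{"cve": "CVE-0000-0001", "severity": "MEDIUM"}],
    "ami-0bbb222": [
        {"cve": "CVE-0000-0002", "severity": "CRITICAL"},
        {"cve": "CVE-0000-0003", "severity": "LOW"},
    ],
    "ami-0ccc333": [],   # clean scan
}


def evaluate_ami(findings, blocking=BLOCKING_SEVERITIES):
    """Return (approved, blocking_cves) for one AMI's findings.

    An AMI passes only when no finding reaches a blocking severity;
    the CVEs that block it are returned so the reason is auditable.
    """
    blocking_cves = sorted(
        {f["cve"] for f in findings if f["severity"].upper() in blocking}
    )
    return (not blocking_cves, blocking_cves)


def build_approved_list(findings_by_ami):
    """Apply the rule to every scanned AMI and return the approved ids, sorted."""
    return sorted(ami for ami, f in findings_by_ami.items() if evaluate_ami(f)[0])


def needs_rescan(last_scanned_iso, now_iso, interval=RESCAN_INTERVAL):
    """True when an approved AMI has reached the periodic re-scan interval."""
    last = datetime.fromisoformat(last_scanned_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last >= interval


def publish_approved_list(ssm, approved, name=APPROVED_PARAM):
    """Write the approved list as a StringList parameter and return the stored value.

    Parameter Store rejects empty values, so an empty list is stored as the
    sentinel "none" (an assumption of this example) that consumers must treat
    as "no approved AMI".
    """
    value = ",".join(approved) if approved else "none"
    ssm.put_parameter(Name=name, Value=value, Type="StringList", Overwrite=True)
    return value


class FakeSsm:
    """Minimal in-memory stand-in for the two boto3 SSM calls used above."""

    def __init__(self):
        self.params = {}

    def put_parameter(self, Name, Value, Type, Overwrite):
        self.params[Name] = {"Value": Value, "Type": Type}
        return {"Version": 1}

    def get_parameter(self, Name):
        return {"Parameter": self.params[Name]}


def handler(event, context=None, ssm=None):
    """Lambda entry point (EventBridge-scheduled in the real pipeline).

    `event["findings_by_ami"]` is assumed to carry the flattened findings.
    boto3 is imported lazily so the module loads without it during tests.
    """
    if ssm is None:
        import boto3  # only needed inside Lambda
        ssm = boto3.client("ssm")
    approved = build_approved_list(event["findings_by_ami"])
    publish_approved_list(ssm, approved)
    return {"approved": approved}


if __name__ == "__main__":
    fake = FakeSsm()
    print(handler({"findings_by_ami": SAMPLE_FINDINGS}, ssm=fake))
    print(fake.get_parameter(Name=APPROVED_PARAM))
```

The design keeps the policy (which severities block) separate from the plumbing (Parameter Store, boto3), which is what makes the rule testable and lets a developer-side launch template simply read `/golden-ami/approved` instead of trusting any AMI id.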

Comments
Ebi
Highly Voted 3 years, 7 months ago
BC. For CVE we don't need continuous scanning, so D is ruled out.
upvoted 16 times
bbnbnuyh
Highly Voted 3 years, 8 months ago
https://aws.amazon.com/blogs/security/how-to-set-up-continuous-golden-ami-vulnerability-assessments-with-amazon-inspector/
upvoted 10 times
elf78
3 years, 7 months ago
+1. Answers are B&C
upvoted 2 times
AwsBRFan
Most Recent 2 years, 8 months ago
Selected Answer: BC
https://aws.amazon.com/blogs/mt/automate-vulnerability-management-and-remediation-in-aws-using-amazon-inspector-and-aws-systems-manager-part-1/
upvoted 1 times
cldy
3 years, 6 months ago
B. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use Amazon EventBridge to trigger an AWS Systems Manager Automation document on all EC2 instances every 30 days. C. Use Amazon Inspector to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
upvoted 1 times
AzureDP900
3 years, 6 months ago
B, C is my option
upvoted 1 times
AzureDP900
3 years, 6 months ago
B, C is the right choice
upvoted 1 times
andylogan
3 years, 7 months ago
It's B C - Inspector and 30 days
upvoted 1 times
tgv
3 years, 7 months ago
BBB CCC ---
upvoted 1 times
Suresh108
3 years, 7 months ago
Easy-to-remember trick: B - the question has 30 days, and this is the only answer that has 30 days in it. C - CVE needs to be inspected, so use 'Amazon Inspector'; only C has these words.
upvoted 6 times
Sean2021
3 years, 7 months ago
C&D. You cannot use an SSM document to scan.
upvoted 1 times
Waiweng
3 years, 7 months ago
It's B and C.
upvoted 3 times
Amitv2706
3 years, 7 months ago
B and C for sure
upvoted 3 times
Kian1
3 years, 7 months ago
going with BC
upvoted 4 times
kopper2019
3 years, 7 months ago
B and C; for sure Amazon Inspector is needed.
upvoted 1 times
rkbala
3 years, 8 months ago
A and B. https://aws.amazon.com/about-aws/whats-new/2020/10/now-use-aws-systems-manager-to-view-vulnerability-identifiers-for-missing-patches-on-your-linux-instances/
upvoted 2 times
Superomam
3 years, 8 months ago
B, C. Remediation activity is not asked for in the question.
upvoted 1 times
Bulti
3 years, 8 months ago
C is correct. Now between B and D, both might work, but since we are asked to scan the EC2 instances every 30 days I will go with B. So the final answer is B and C.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other