
Exam AWS Certified Security - Specialty topic 1 question 249 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 249
Topic #: 1

Amazon GuardDuty has detected communications to a known command and control endpoint from a company's Amazon EC2 instance. The instance was found to be running a vulnerable version of a common web framework. The company's security operations team wants to quickly identify other compute resources with the specific version of that framework installed.
Which approach should the team take to accomplish this task?

  • A. Scan all the EC2 instances for noncompliance with AWS Config. Use Amazon Athena to query AWS CloudTrail logs for the framework installation.
  • B. Scan all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings.
  • C. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework.
  • D. Scan all the EC2 instances with AWS Resource Access Manager to identify the vulnerable version of the web framework.
Suggested Answer: C

Comments

Hungdv
Highly Voted 3 years, 8 months ago
C is the answer.
upvoted 23 times
grekh001
3 years, 8 months ago
This is the correct answer. The question asks for the specific version of the web framework. Port scanning a web server will only confirm that HTTP and HTTPS ports are open, not tell you what version of the web framework is installed. https://aws.amazon.com/systems-manager/ "you can use Systems Manager to create a resource group for the application and easily see the software installed on your Amazon EC2 instances" The correct answer is C.
upvoted 6 times
DahMac
Highly Voted 3 years, 7 months ago
C. With Systems Manager Run Command you can run simple Linux or Windows commands to see the software versions running, then grep or findstr for matches.
upvoted 5 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: C
My advice to myself and you: read it twice, think twice. Quickly. Inspector Network Reachability, as the name implies, checks network configuration to identify security vulnerabilities. It does NOT use any agent on EC2 instances. "An Amazon Inspector Classic agent is not required to assess your EC2 instances with this rules package." Therefore, it CANNOT identify anything installed on an EC2 instance. On the other hand, SSM does not do "scans" in the sense we might think of in this context, but it does provide INVENTORY of METADATA of apps installed and network config on EC2 instances, if configured. Does C, as it is worded, help you consider it? No. But in the exam don't expect any help. Is C the best option? Yes. Through elimination and deep thinking, it is the best option.
upvoted 2 times
s50600822
1 year, 11 months ago
C, normally it would be Inspector. However, Amazon Inspector Network Reachability rules package is BS for the case.
upvoted 1 times
samCarson
2 years ago
Selected Answer: C
C. Scan all the EC2 instances with AWS Systems Manager to identify the vulnerable version of the web framework. Option C is the best approach as it allows the security operations team to scan all EC2 instances using AWS Systems Manager. They can leverage Systems Manager's inventory and configuration management capabilities to check the version of the web framework installed on each instance. This enables them to quickly identify instances running the vulnerable version and take necessary actions to remediate the issue. Options A, B, and D do not specifically focus on identifying the specific web framework version and may not provide the desired level of accuracy and efficiency in this scenario.
upvoted 1 times
ITGURU51
2 years, 2 months ago
The question states that the security engineer needs to find a specific vulnerable version of a common web framework. Amazon Inspector is not the answer here because it generated findings to tell us which ports are reachable from the internet. You can use Systems Manager Inventory to collect metadata from your managed instances. This metadata includes information about applications installed on your endpoints.
upvoted 1 times
nairj
2 years, 2 months ago
Answer is C since AWS SSM supports scanning EC2 instances for installed software by using the Inventory feature.
upvoted 1 times
boooliyooo
2 years, 5 months ago
Selected Answer: C
Option B, scanning all the EC2 instances with the Amazon Inspector Network Reachability rules package to identify instances running a web server with RecognizedPortWithListener findings, would not be an effective method for identifying instances running a vulnerable version of a web framework.
upvoted 2 times
rrshah83
2 years, 7 months ago
Selected Answer: B
Inspector scans for vulnerabilities. A network scan will show the ports on which the vulnerable process is listening...
upvoted 1 times
sapien45
2 years, 10 months ago
Selected Answer: C
AWS Systems Manager Inventory provides visibility into your AWS computing environment. You can use Inventory to collect metadata from your managed nodes. You can store this metadata in a central Amazon Simple Storage Service (Amazon S3) bucket, and then use built-in tools to query the data and quickly determine which nodes are running the software and configurations required by your software policy, and which nodes need to be updated. You can configure Inventory
upvoted 2 times
Alexey79
3 years, 1 month ago
Selected Answer: C
C: “instance was running a vulnerable version of a popular web framework”. To identify the version of the framework/application, use the SSM Agent. https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html “The following table describes the types of data you can collect with Systems Manager Inventory. … You can configure Inventory to collect the following types of data: Applications: Application names, publishers, versions, etc.” Why NOT A: AWS Config is for the compliance of the AWS resources. Why NOT B: AWS Inspector can recognize only RecognizedPortWithListener, not whether the listener version is vulnerable. A recognized port is externally reachable from the public internet through a specific networking component, and a process is listening on the port.
upvoted 2 times
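To make the Inventory approach several commenters describe concrete, here is an added example (it is not from the thread, from AWS, or from the exam). It shows the filter shape the real `ssm:GetInventory` API accepts for the `AWS:Application` inventory type and the local matching logic a security operations team would run over the returned entities to list instances whose reported version of the framework is below the fixed version. The framework name, the fixed version, the instance IDs and the whole response dictionary are constructed so the script runs offline; in a live account the same dictionary comes from a boto3 `get_inventory()` call using the returned filters.

```python
"""Find managed instances whose SSM Inventory reports an affected version of an
application.

Added example, not from the thread or from AWS.  The filter keys
(AWS:Application.Name) and the Entities/Data/Content layout follow the
ssm:GetInventory API; everything else below is constructed sample data.
"""
import re
from typing import Optional, Tuple

# Hypothetical values: the real ones come from the advisory for the framework.
FRAMEWORK = "example-web-framework"   # constructed application name
FIXED_IN = "2.15.0"                   # constructed: versions below this are affected


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    """'2.14.1' -> (2, 14, 1).  Trailing suffixes such as '-rc1' are dropped so
    comparison stays numeric; returns None if no numeric prefix exists."""
    m = re.match(r"^\d+(?:\.\d+)*", v.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def inventory_filters(name: str) -> list:
    """Filter list for get_inventory(): narrow the query server-side to the one
    application name so only relevant entities are returned."""
    return [{"Key": "AWS:Application.Name", "Values": [name], "Type": "Equal"}]


def affected_instances(response: dict, name: str, fixed_in: str) -> dict:
    """Map instance id -> reported version for every AWS:Application entry whose
    Name matches and whose Version is below fixed_in.  An entry with no usable
    version is still reported (as 'unknown'): for triage it is safer to look at
    it than to silently drop it."""
    fixed = parse_version(fixed_in)
    hits = {}
    for entity in response.get("Entities", []):
        apps = entity.get("Data", {}).get("AWS:Application", {}).get("Content", [])
        for app in apps:
            if app.get("Name") != name:
                continue
            raw = app.get("Version", "")
            ver = parse_version(raw)
            if ver is None or ver < fixed:
                hits[entity["Id"]] = raw or "unknown"
    return hits


def _app_entity(instance_id: str, content: list) -> dict:
    """Build one constructed GetInventory entity carrying AWS:Application data."""
    return {"Id": instance_id,
            "Data": {"AWS:Application": {"TypeName": "AWS:Application",
                                         "SchemaVersion": "1.1",
                                         "Content": content}}}


# Constructed response, shaped like ssm:GetInventory output (one page, no NextToken).
SAMPLE_RESPONSE = {
    "Entities": [
        _app_entity("i-0aaaaaaaaaaaaaaa1", [{"Name": FRAMEWORK, "Version": "2.14.1"}]),
        _app_entity("i-0bbbbbbbbbbbbbbb2", [{"Name": FRAMEWORK, "Version": "2.15.0"}]),
        _app_entity("i-0ccccccccccccccc3", [{"Name": "unrelated-tool", "Version": "1.0.0"}]),
        _app_entity("i-0ddddddddddddddd4", [{"Name": FRAMEWORK, "Version": "2.14.1-rc1"}]),
        _app_entity("i-0eeeeeeeeeeeeeee5", [{"Name": FRAMEWORK}]),      # version missing
        {"Id": "i-0fffffffffffffff6", "Data": {}},                      # nothing collected yet
    ]
}


if __name__ == "__main__":
    # Live use would be:  ssm.get_inventory(Filters=inventory_filters(FRAMEWORK))
    # paginated over NextToken; here the constructed response stands in for it.
    print("filters:", inventory_filters(FRAMEWORK))
    for instance_id, version in sorted(affected_instances(SAMPLE_RESPONSE, FRAMEWORK, FIXED_IN).items()):
        print(f"{instance_id}\t{version}")
```

Two caveats a practitioner should keep in mind when running this against real data: instances that are not managed by SSM (no agent, no instance role, or Inventory not enabled by an association) do not appear in the response at all, so an empty result is not proof of a clean fleet; and `AWS:Application` only lists packages the OS package manager knows about, so a framework vendored inside an application directory needs a custom inventory type or a Run Command check instead.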
LaLune
3 years, 5 months ago
The vulnerability in the web framework (application) here has been already identified using GuardDuty. "Using AWS System Manager, you can discover applications, view operations data (e.g. deployment status, Amazon CloudWatch Alarms, resource configurations, and operational issues), and perform remedial actions in the context of an application. You can request operational changes using predefined approval workflows and audit each change after it has been completed. You can then view detailed system configurations, operating system patch levels, software installations, application configurations, and other details about your environment through the System Manager Explorer and Inventory Dashboards." Ebook: “Threat Hunting in the Cloud”: Defending AWS, Azure, and other Cloud Platform Against Cyberattacks; by Chris Peiris, Binil Pillai, Abbas Kudrati. It is clear that the easy path to the Question requirement is option C.
upvoted 1 times
HananS
3 years, 7 months ago
https://aws.amazon.com/about-aws/whats-new/2020/10/now-use-aws-systems-manager-to-view-vulnerability-identifiers-for-missing-patches-on-your-linux-instances/ Answer is C
upvoted 1 times
Syeda123
3 years, 7 months ago
The correct answer is B or C?
upvoted 2 times
DerekKey
3 years, 7 months ago
C should be CORRECT - collect data about applications, files, Windows services, registries, updates, and any other system properties -> application assets, applications not installed by a traditional installer, and more. B should be WRONG. First run Inspector and review the report that it generates. If you have never done that, check: https://aws.amazon.com/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/ https://cloudog.pl/wp-content/uploads/2019/02/0-NBPhwjEc-finding-report.pdf
upvoted 2 times
Ponzy
3 years, 7 months ago
B is the answer 100%, because Amazon Inspector's primary purpose is to conduct detailed CVE scanning, and the question asks for that in another way. SSM has that capability but limited to missing patches. We should go for the best answer: B
upvoted 3 times
Ayusef
3 years, 8 months ago
It's B. See Daniel's explanation.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other