Inspecting Common Vulnerabilities and Exposures (CVEs) for EC2 Instances in ap-south-1 Region
Question
You are a DevOps engineer and manage an AWS account.
Recently, a third party audit company has found that several EC2 instances in the ap-south-1 region have security vulnerabilities and are exposed to threats from outside.
You need to set up a mechanism immediately in the AWS account to inspect the common vulnerabilities and exposures (CVEs) for all the EC2 instances in the ap-south-1 region.
The check should be performed every day and generate a detailed list of security findings.
Which method would you select?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer : D.
Option A is incorrect because Systems Manager Patch Manager can manage the patch baseline and automate the patching in EC2 instances.
However, it does not check if EC2 instances are exposed to CVEs.
Option B is incorrect because there is no common vulnerabilities and exposures (CVEs) automation document in Systems Manager Automation.
Option C is incorrect because the CVEs checks do not start automatically even if the Amazon Inspector agent is installed.
You would need to create an assessment in Amazon Inspector.
Option D is CORRECT because you can create an assessment in Amazon Inspector to include the Common Vulnerabilities and Exposures rule package as follows:
Reference:
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html
The best method to inspect the common vulnerabilities and exposures (CVEs) for all the EC2 instances in the ap-south-1 region would be D. In Amazon Inspector, create an assessment with the Common Vulnerabilities and Exposures (CVEs) rule package and include all the EC2 instances in the AWS account and region. Run the assessment every 24 hours.
Option A is incorrect because AWS Systems Manager Patch Manager is used to automate the process of patching operating systems and applications on EC2 instances. While it can inspect the patching level, it does not check for security vulnerabilities.
Option B is incorrect because AWS Systems Manager Automation can be used to automate tasks and create workflows, but it does not specifically check for security vulnerabilities.
Option C is incorrect because while the Amazon Inspector agent can be installed on EC2 instances to check for common vulnerabilities and exposures (CVEs), it requires manual intervention to install and configure the agent on each instance, which can be time-consuming and error-prone.
Option D is the correct method because Amazon Inspector is a security assessment service that automatically assesses applications and infrastructure for security vulnerabilities and compliance. The Common Vulnerabilities and Exposures (CVEs) rule package specifically checks for known security vulnerabilities and exposures, which will help identify any security risks in the EC2 instances. By creating an assessment with this rule package and including all EC2 instances in the region, the assessment can be run every 24 hours to detect and report any security issues. Additionally, the assessment results are detailed and provide specific recommendations to remediate any issues found.
In summary, the best method to inspect the common vulnerabilities and exposures (CVEs) for all the EC2 instances in the ap-south-1 region would be to use Amazon Inspector to create an assessment with the Common Vulnerabilities and Exposures (CVEs) rule package and run the assessment every 24 hours.