AWS Security Compliance Checker

Verify EC2 Instances for Common Vulnerabilities and Exposures (CVEs)

Question

The security team would like to improve its infrastructure security.

They would like to verify whether the EC2 instances in your AWS accounts are exposed to common vulnerabilities and exposures (CVEs).

What service can the team use to ensure compliance with this requirement?

Answers

A. Run Amazon Inspector assessment using the common vulnerabilities and exposures rule package
B. Configure Amazon GuardDuty threat detection analysis to target EC2 instances
C. Configure Amazon Trusted Advisor Security report to target EC2 instances
D. Execute Amazon Systems Manager Run Command AWS-LinuxDisableSpecialServices document

Explanations

Answer: A.

Option A is CORRECT because Amazon Inspector uses the AWS agent installed on EC2 instance hosts to run rules packages, including the common vulnerabilities and exposures package.

That rules package can verify whether EC2 instances are exposed to known CVEs.

Option B is incorrect because GuardDuty analyses event log data to perform threat level analysis.

It does not perform host-level checks.

Option C is incorrect because Trusted Advisor security checks do not perform any EC2 instance host-level checks.

Option D is incorrect because there is no AWS-LinuxDisableSpecialServices run command document.

Reference:

https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html

The service the security team can use to verify whether the EC2 instances in the AWS account are exposed to common vulnerabilities and exposures (CVEs) is Amazon Inspector.

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on Amazon Web Services (AWS). It enables users to assess their AWS resources for vulnerabilities and compliance with industry standards and best practices.

To check for common vulnerabilities and exposures (CVEs) in EC2 instances, the security team can use Amazon Inspector to run an assessment with the common vulnerabilities and exposures rule package. This package contains a set of rules that check the EC2 instances for known CVEs.

The Amazon Inspector assessment process involves the following steps:

  1. Define an assessment target: The security team can define the EC2 instances that need to be assessed using Amazon Inspector.
  2. Select a rule package: The security team can select the common vulnerabilities and exposures rule package to check for known CVEs in the EC2 instances.
  3. Configure assessment settings: The security team can configure assessment settings such as frequency, duration, and assessment run name.
  4. Start the assessment run: The security team can start the assessment run to check for vulnerabilities and exposures in the EC2 instances.
  5. Review the assessment results: The security team can review the assessment results to identify the CVEs that were found in the EC2 instances and take necessary actions to remediate them.
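As an added example (not part of the original question or of AWS documentation), the five steps above driven through the classic Amazon Inspector API with boto3: the CVE rules package ARN is looked up by name because it differs per region, the assessment target ARN and AWS credentials are assumed to already exist, and the findings passed to the summary function follow the shape returned by `describe_findings`.

```python
import re
from collections import Counter

CVE_PACKAGE_NAME = "Common Vulnerabilities and Exposures"  # name reported by describe_rules_packages
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def find_cve_rules_package(inspector):
    """Step 2: resolve the region-specific ARN of the CVE rules package by its name."""
    arns = inspector.list_rules_packages()["rulesPackageArns"]
    pkgs = inspector.describe_rules_packages(rulesPackageArns=arns)["rulesPackages"]
    for pkg in pkgs:
        if pkg["name"] == CVE_PACKAGE_NAME:
            return pkg["arn"]
    raise LookupError("CVE rules package is not offered in this region")


def start_cve_assessment(inspector, target_arn, run_name="cve-check", duration=3600):
    """Steps 1-4: build a template restricted to the CVE package for an existing
    assessment target, then start the run. Returns the assessment run ARN."""
    template_arn = inspector.create_assessment_template(
        assessmentTargetArn=target_arn,
        assessmentTemplateName=run_name,
        durationInSeconds=duration,
        rulesPackageArns=[find_cve_rules_package(inspector)],
    )["assessmentTemplateArn"]
    return inspector.start_assessment_run(
        assessmentTemplateArn=template_arn, assessmentRunName=run_name
    )["assessmentRunArn"]


def summarize_cve_findings(findings):
    """Step 5: group describe_findings() results per instance (agentId) and count severities.
    CVE ids are pulled from the finding text so the summary does not depend on attribute keys."""
    by_instance, severities = {}, Counter()
    for f in findings:
        text = f.get("title", "") + " " + f.get("description", "")
        cves = set(CVE_RE.findall(text))
        if not cves:  # non-CVE findings (e.g. agent health) are skipped
            continue
        by_instance.setdefault(f["assetAttributes"]["agentId"], set()).update(cves)
        severities[f["severity"]] += 1
    return by_instance, severities


if __name__ == "__main__":  # live use: needs AWS credentials and a real target ARN
    import boto3
    client = boto3.client("inspector")  # classic Inspector client, not inspector2
    target = "arn:aws:inspector:REGION:ACCOUNT_ID:target/0-PLACEHOLDER"  # placeholder, not a real ARN
    print("started run:", start_cve_assessment(client, target))
```

Once the run finishes, pass the `findings` list from `describe_findings` (for the ARNs returned by `list_findings` filtered on the run ARN) to `summarize_cve_findings` to get the per-instance CVE list for remediation.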

Therefore, option A (Run Amazon Inspector assessment using the common vulnerabilities and exposures rule package) is the correct answer to the question.

Option B (Configure Amazon GuardDuty threat detection analysis to target EC2 instances) is incorrect as Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts for malicious activity and unauthorized behavior, and it is not specifically designed to check for CVEs in EC2 instances.

Option C (Configure Amazon Trusted Advisor Security report to target EC2 instances) is also incorrect as Amazon Trusted Advisor is a service that provides real-time guidance to help users optimize their AWS infrastructure for performance, security, and cost, and it is not designed to check for CVEs in EC2 instances.

Option D (Execute Amazon Systems Manager Run Command AWS-LinuxDisableSpecialServices document) is incorrect as this command disables specific AWS services on the EC2 instance and does not address the requirement of checking for CVEs in EC2 instances.