Continuous Security Assessment and Vulnerability Fixes for EC2 Instances
Question
In order to improve the security of applications deployed on your company's AWS platform, you are configuring AWS Inspector to continually assess EC2 instances (both Linux and Windows) to see if there are security related vulnerabilities and then get the potential issues fixed in time.
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D. E.Correct Answer - B, E.
Amazon Inspector is an AWS tool to perform security assessments of Amazon EC2 instances using AWS managed rules packages.
Refer to https://aws.amazon.com/inspector/ for its details.
In order for AWS Inspector to work properly, the AWS Inspector agents need to be installed first.
The “Install Agents” option can also be selected so that the agents are installed automatically as below:
Option A is incorrect: Because there is no security group requirement to generate the Inspector assessment report.
Option B is CORRECT: Because SSM Agent is used to install the Inspector Agent so that this option is a must.
Option C is incorrect: Because AWS CLI is not a necessary option.
Option D is incorrect: Although this option provides the Amazon Inspector access for EC2, it does not help Inspector agent installation in the EC2 instance itself.
Option E is CORRECT: Because SSM Agent needs to execute "Run Command" to install the Amazon Inspector agent.
So the instance role needs the permission to allow SSM Run Command.
In order to improve the security of applications deployed on your company's AWS platform, you are configuring AWS Inspector to continually assess EC2 instances (both Linux and Windows) to see if there are security related vulnerabilities and then get the potential issues fixed in time.
To configure AWS Inspector to continually assess EC2 instances, the following steps need to be taken:
A. The security group in the EC2 instances should allow SSH port 22. This step is not required for configuring AWS Inspector. However, if you need to access the EC2 instances via SSH, you will need to ensure that the security group in the EC2 instances allows SSH port 22.
B. All EC2 instances need to have the AWS Systems Manager (SSM) Agent installed. This is an important step for configuring AWS Inspector. AWS Inspector uses SSM Agent to collect data from the EC2 instances. Without SSM Agent, AWS Inspector cannot assess the EC2 instances for security vulnerabilities.
C. All EC2 instances should have AWS CLI commands preinstalled. This step is not required for configuring AWS Inspector. However, if you need to execute AWS CLI commands on the EC2 instances, you will need to ensure that AWS CLI is installed on the EC2 instances.
D. The EC2 instances need to configure an IAM role to have the AWS Inspector full access. This is an important step for configuring AWS Inspector. The EC2 instances need to be configured with an IAM role that has the necessary permissions to allow AWS Inspector to access the EC2 instances and collect data from them.
E. The EC2 instances should have a role to allow SSM Run Command. This step is not required for configuring AWS Inspector. However, if you need to execute SSM Run Command on the EC2 instances, you will need to ensure that the EC2 instances have a role that allows SSM Run Command.
In summary, to configure AWS Inspector to continually assess EC2 instances for security vulnerabilities, you need to ensure that all EC2 instances have the AWS Systems Manager (SSM) Agent installed, configure an IAM role to have the AWS Inspector full access, and optionally ensure that the EC2 instances have a role that allows SSM Run Command.