AWS Security Monitoring Dashboard: Identifying EC2 Instance Vulnerabilities

Implementing the Best Approach for Security Monitoring Dashboards in AWS


Question

You were assigned a task to create a security monitoring dashboard in AWS.

The dashboard should be able to identify whether EC2 instances are exposed to common vulnerabilities and exposures (CVEs).

For example, if an EC2 instance is missing a certain patch and is therefore exposed to a known CVE, this should be discovered.

Which approach is the best one to implement this?

Answers

Explanations


Correct Answer - C.

Common Vulnerabilities and Exposures (CVEs) is one of the rule packages that can be configured in an AWS Inspector assessment template.

Refer to https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html.

Option A is incorrect: there is no CVE rule package in a GuardDuty template; users cannot configure a CVE rule package in GuardDuty.

Option B is incorrect: applying patches is a preventive control. However, this question asks for a monitoring dashboard.

Option C is CORRECT: after the Common Vulnerabilities and Exposures (CVE) rule package is configured in the assessment template, AWS Inspector can identify whether EC2 instances are exposed to CVEs.

Option D is incorrect: Macie is not applicable in this case and is not used to discover CVE issues in EC2 instances.
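To show what the monitoring side of option C looks like in practice, here is an added example (not code from the question page or from AWS) that aggregates Inspector Classic CVE findings per EC2 instance into dashboard rows and flags instances at or above a severity threshold. The sample findings are constructed to mimic the shape of `describe_findings` output; the `CVE_ID` and `package_name` attribute keys and the `CVE-... - package` title format are assumptions about that shape, the instance IDs and CVE numbers are fake, and the rules-package ARN passed to `fetch_cve_findings` is a placeholder you would replace with the CVE package ARN for your region.

```python
"""Aggregate Amazon Inspector (Classic) CVE findings per EC2 instance for a dashboard.

Assumptions (not verified against the page): findings carry a 'CVE_ID' attribute and/or a
title starting with the CVE identifier, and 'assetAttributes.agentId' is the instance ID.
"""
import re

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample findings (fake IDs, fake CVE numbers), shaped like describe_findings output.
SAMPLE_FINDINGS = [
    {"title": "CVE-2099-00001 - openssl", "severity": "High",
     "assetAttributes": {"agentId": "i-0aaa111"},
     "attributes": [{"key": "CVE_ID", "value": "CVE-2099-00001"},
                    {"key": "package_name", "value": "openssl"}]},
    {"title": "CVE-2099-00002 - kernel", "severity": "Medium",
     "assetAttributes": {"agentId": "i-0aaa111"},
     "attributes": [{"key": "CVE_ID", "value": "CVE-2099-00002"},
                    {"key": "package_name", "value": "kernel"}]},
    # Title-only CVE reference (no CVE_ID attribute) exercises the fallback parser.
    {"title": "CVE-2099-00003 - curl", "severity": "Low",
     "assetAttributes": {"agentId": "i-0bbb222"},
     "attributes": [{"key": "package_name", "value": "curl"}]},
    # Non-CVE finding from another rules package: must not count as CVE exposure.
    {"title": "Instance is not configured to support ASLR", "severity": "High",
     "assetAttributes": {"agentId": "i-0bbb222"}, "attributes": []},
]


def extract_cve_ids(finding):
    """Return the set of CVE identifiers a single finding refers to (empty if none)."""
    ids = {a["value"] for a in finding.get("attributes", [])
           if a.get("key") == "CVE_ID" and CVE_RE.fullmatch(a.get("value", ""))}
    ids.update(CVE_RE.findall(finding.get("title", "")))
    return ids


def summarize_exposure(findings):
    """Map instance ID -> {'cves', 'max_severity', 'packages'}, ignoring non-CVE findings."""
    summary = {}
    for f in findings:
        cves = extract_cve_ids(f)
        if not cves:
            continue
        instance = f.get("assetAttributes", {}).get("agentId", "unknown")
        entry = summary.setdefault(instance, {"cves": set(), "max_severity": "Informational",
                                              "packages": set()})
        entry["cves"] |= cves
        sev = f.get("severity", "Informational")
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[entry["max_severity"]]:
            entry["max_severity"] = sev
        entry["packages"].update(a["value"] for a in f.get("attributes", [])
                                 if a.get("key") == "package_name")
    return summary


def instances_at_or_above(summary, threshold="High"):
    """Instance IDs whose worst CVE finding is at least `threshold` severity."""
    return sorted(i for i, e in summary.items()
                  if SEVERITY_RANK[e["max_severity"]] >= SEVERITY_RANK[threshold])


def dashboard_rows(summary):
    """Flatten the summary into sortable rows suitable for a dashboard table."""
    return [{"instance": i, "cve_count": len(e["cves"]), "max_severity": e["max_severity"],
             "packages": ",".join(sorted(e["packages"]))}
            for i, e in sorted(summary.items())]


def fetch_cve_findings(assessment_run_arn, cve_rules_package_arn, region="ap-southeast-2"):
    """Pull live findings with boto3 (needs credentials; not exercised offline).

    Filters list_findings by the CVE rules package so other packages are excluded at the source.
    """
    import boto3
    client = boto3.client("inspector", region_name=region)
    finding_arns = []
    for page in client.get_paginator("list_findings").paginate(
            assessmentRunArns=[assessment_run_arn],
            filter={"rulesPackageArns": [cve_rules_package_arn]}):
        finding_arns.extend(page["findingArns"])
    findings = []
    for i in range(0, len(finding_arns), 100):  # describe_findings accepts batches of ARNs
        findings.extend(client.describe_findings(findingArns=finding_arns[i:i + 100])["findings"])
    return findings


if __name__ == "__main__":
    for row in dashboard_rows(summarize_exposure(SAMPLE_FINDINGS)):
        print(row)
```

Feeding `fetch_cve_findings(...)` output into `summarize_exposure` gives the same rows from real assessment runs; the offline sample shows why filtering at extraction time matters, since the ASLR finding on `i-0bbb222` is High but is not a CVE exposure and must not raise that instance's CVE severity.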


The best approach to implement a security monitoring dashboard that identifies whether EC2 instances are exposed to common vulnerabilities and exposures (CVEs) is option A: Enable AWS GuardDuty and include CVE rule package in the GuardDuty template. Monitor CVE findings in the console.

AWS GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS resources and accounts. It uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential security issues.

The CVE rule package in the GuardDuty template enables GuardDuty to detect and alert on EC2 instances that are exposed to known CVEs. GuardDuty will analyze network traffic, DNS logs, and other data sources to identify instances that are vulnerable to known CVEs.

By monitoring CVE findings in the console, DevOps engineers can quickly identify and remediate instances that are exposed to known vulnerabilities. This approach helps to ensure that instances are properly patched and secure against known threats.

Option B, using AWS Systems Manager to apply system patches to all EC2 instances, is a good practice for maintaining the security of EC2 instances. However, it does not specifically address the requirement to monitor for CVEs.

Option C, enabling AWS Inspector and including the CVE rule package in the assessment template, is another option for monitoring EC2 instances for CVEs. However, AWS Inspector is primarily focused on identifying security issues at the application level rather than the infrastructure level, and it may not be the best choice for this specific use case.

Option D, configuring AWS Macie and including the CVE rule package in the assessment template, is not relevant to this use case as AWS Macie is focused on identifying and protecting sensitive data in AWS.