Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 126 discussion

A company uses Amazon Elastic Container Service (Amazon ECS) containers that have the Fargate launch type. The containers run web and mobile applications that are written in Java and Node.js. To meet network segmentation requirements, each of the company’s business units deploys applications in its own dedicated AWS account. Each business unit stores container images in an Amazon Elastic Container Registry (Amazon ECR) private registry in its own account.

A security engineer must recommend a solution to scan ECS containers and ECR registries for vulnerabilities in operating systems and programming language libraries. The company’s audit team must be able to identify potential vulnerabilities that exist in any of the accounts where applications are deployed.

Which solution will meet these requirements?

  • A. In each account, update the ECR registry to use Amazon Inspector instead of the default scanning service. Configure Amazon Inspector to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
  • B. In each account, configure AWS Config to monitor the configuration of the ECS containers and the ECR registry. Configure AWS Config conformance packs for vulnerability scanning. Create an AWS Config aggregator in a central account to collect configuration and compliance details from all accounts. Provide the audit team with access to AWS Config in the account where the aggregator is configured.
  • C. In each account, configure AWS Audit Manager to scan the ECS containers and the ECR registry. Configure Audit Manager to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
  • D. In each account, configure Amazon GuardDuty to scan the ECS containers and the ECR registry. Configure GuardDuty to forward vulnerability findings to AWS Security Hub in a central security account. Provide access for the audit team to use Security Hub to review the findings.
Suggested Answer: A
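
An added example, not part of the original question or comments: once Amazon Inspector findings from each business-unit account arrive in Security Hub in the central account, the audit team can break them down per account and separate operating-system packages from programming-language libraries. The sample findings are constructed, and the field names assume the AWS Security Finding Format (ASFF) as Inspector populates it.

```python
from collections import defaultdict


def make_finding(account, product, state, package_manager, cve):
    """Build a constructed finding with only the ASFF fields used below."""
    return {
        "AwsAccountId": account,
        "ProductName": product,
        "RecordState": state,
        "Resources": [{"Type": "AwsEcrContainerImage"}],
        "Vulnerabilities": [{
            "Id": cve,
            "VulnerablePackages": [{"PackageManager": package_manager}],
        }],
    }


# Constructed sample: account IDs and CVE IDs are placeholders, not real data.
# The last two records exist only to exercise the filters.
SAMPLE_FINDINGS = [
    make_finding("111111111111", "Inspector", "ACTIVE", "OS", "CVE-0000-0001"),
    make_finding("111111111111", "Inspector", "ACTIVE", "JAR", "CVE-0000-0002"),
    make_finding("222222222222", "Inspector", "ACTIVE", "NPM", "CVE-0000-0003"),
    make_finding("222222222222", "Inspector", "ARCHIVED", "OS", "CVE-0000-0004"),
    make_finding("222222222222", "GuardDuty", "ACTIVE", "OS", "CVE-0000-0005"),
]


def summarize_ecr_vulnerabilities(findings):
    """Return {account_id: {"os": {cve, ...}, "library": {cve, ...}}}."""
    summary = defaultdict(lambda: {"os": set(), "library": set()})
    for f in findings:
        # Keep only active Inspector findings on ECR container images.
        if f.get("ProductName") != "Inspector" or f.get("RecordState") != "ACTIVE":
            continue
        if not any(r.get("Type") == "AwsEcrContainerImage"
                   for r in f.get("Resources", [])):
            continue
        for vuln in f.get("Vulnerabilities", []):
            for pkg in vuln.get("VulnerablePackages", []):
                # "OS" marks an operating-system package; anything else
                # (JAR, NPM, ...) is a language-library package.
                kind = "os" if pkg.get("PackageManager") == "OS" else "library"
                summary[f["AwsAccountId"]][kind].add(vuln["Id"])
    return dict(summary)


if __name__ == "__main__":
    for account, kinds in sorted(summarize_ecr_vulnerabilities(SAMPLE_FINDINGS).items()):
        print(account, {k: sorted(v) for k, v in kinds.items()})
```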

Comments

navid1365
4 months, 1 week ago
Selected Answer: A
A is correct. Out of all the options only Amazon Inspector can perform CVE scanning.
upvoted 2 times
...
aescudero51
5 months, 4 weeks ago
Selected Answer: A
My answer is A https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
upvoted 2 times
...
5409b91
6 months, 2 weeks ago
Selected Answer: A
  • Amazon Inspector: Amazon Inspector is a tool specifically designed to scan containers and registries for vulnerabilities in operating systems and programming language libraries.
  • Integration with AWS Security Hub: Configuring Amazon Inspector to send vulnerability findings to AWS Security Hub in a central security account allows for centralized visibility and facilitates access for the audit team to review the findings.
  • Account configuration: Updating each ECR registry in each account to use Amazon Inspector ensures that all registries and containers are properly scanned in each business account.
upvoted 2 times
...
Certified101
6 months, 2 weeks ago
Selected Answer: A
A. Not GuardDuty; you need Inspector.
upvoted 2 times
...
Nash101
6 months, 2 weeks ago
A. Amazon Inspector is specifically designed for scanning container images in ECR for vulnerabilities in operating systems and libraries. It effectively addresses the need to scan both containers and container images.
upvoted 1 times
...
anandkl80
6 months, 3 weeks ago
A
  • Amazon Inspector: It is a security assessment service that helps improve the security and compliance of applications by scanning them for vulnerabilities or deviations from best practices, including scans of the operating system and application libraries within container images stored in ECR.
  • Integration with Security Hub: Inspector can integrate with AWS Security Hub, which provides a comprehensive view of security alerts and security posture across AWS accounts. By forwarding findings to Security Hub in a central account, the company ensures that the audit team can access and review these findings across all business units from a single pane.
upvoted 1 times
...
Zek
6 months, 3 weeks ago
A. Amazon Inspector automatically discovers and scans running Amazon EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR), and AWS Lambda functions for known software vulnerabilities and unintended network exposure. https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html
upvoted 1 times
...
danish1234
6 months, 4 weeks ago
Selected Answer: D
D is the answer
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other