Q6 — AWS DOP-C02 Ch.1
A company wants to ensure their EC2 instances are secure. They want to be notified when new vulnerabilities are discovered on their instances and want to maintain audit trails of all login activity on the instances.
- A. Use AWS Systems Manager to detect vulnerabilities on EC2 instances. Install the Amazon Kinesis Agent to capture system logs and deliver them to Amazon S3.
- B. Use AWS Systems Manager to detect vulnerabilities on EC2 instances. Install the Systems Manager Agent to capture system logs and view login activity in the CloudTrail console.
- C. Configure Amazon CloudWatch to detect vulnerabilities on EC2 instances. Install the AWS Config agent to capture system logs and view them in the AWS Config console.
- D. Configure Amazon Inspector to detect vulnerabilities on EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and log them via Amazon CloudWatch Logs. ✓
Correct Answer: D. Configure Amazon Inspector to detect vulnerabilities on EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and log them via Amazon CloudWatch Logs.
Explanation
Amazon Inspector is a purpose-built, automated security assessment service that identifies vulnerabilities and deviations from best practices on EC2 instances—including OS and application-layer issues—fulfilling the vulnerability detection requirement. For audit logging of login activity, the Amazon CloudWatch Agent collects OS-level logs (e.g., /var/log/auth.log on Debian-based systems or /var/log/secure on RHEL-based systems) and forwards them to CloudWatch Logs, enabling searchable, durable, and compliant audit trails. CloudWatch Logs also supports metric filters and alarms, so anomalous login patterns (such as bursts of failed SSH authentications) can trigger notifications. Systems Manager does not perform vulnerability scanning; CloudWatch cannot natively scan for vulnerabilities; AWS Config assesses configuration compliance—not runtime vulnerabilities or login auditing. Therefore, Option D is the only solution that satisfies both requirements accurately and natively.