Q6 — AWS DOP-C02 Ch.1


A company wants to ensure their EC2 instances are secure. They want to be notified when new vulnerabilities are discovered on their instances and want to maintain audit trails of all login activity on the instances.

Correct Answer: D. Configure Amazon Inspector to detect vulnerabilities on EC2 instances. Install the Amazon CloudWatch Agent to capture system logs and log them via Amazon CloudWatch Logs.

Explanation

Amazon Inspector is a purpose-built, automated security assessment service that identifies vulnerabilities and deviations from best practices on EC2 instances, including OS-level and application-layer issues. This satisfies the requirement to be notified when new vulnerabilities are discovered on the instances.

For audit logging of login activity, the Amazon CloudWatch Agent collects OS-level logs (e.g., /var/log/auth.log or /var/log/secure, the files where Linux records SSH and sudo authentication events) and forwards them to CloudWatch Logs, providing searchable, durable audit trails that can be retained for compliance. CloudWatch Logs also supports metric filters and alarms, so anomalous login patterns (such as bursts of failed logins) can trigger notifications.

The other options fall short on at least one requirement: Systems Manager does not perform vulnerability scanning; CloudWatch cannot natively scan for vulnerabilities; and AWS Config assesses configuration compliance, not runtime vulnerabilities or login auditing. Therefore, Option D is the only solution that satisfies both requirements accurately and natively.