You were assigned a task to create a security monitoring dashboard in AWS. The dashboard should be able to identify whether EC2 instances are exposed to common vulnerabilities and exposures (CVEs). For example, if an EC2 instance does not install certain patch and is exposed to a known CVE, this incident should be discovered. Which approach is the best one to implement this?

Answer options:

A.Enable AWS GuardDuty and include CVE rule package in the GuardDuty template. Monitor CVE findings in the console.
B.In AWS Systems Manager, include CVE patches in patch baselines. Use patch manager to apply system patches to all EC2 instances.
C.Enable AWS Inspector and make sure all EC2 instances have the Inspector agents installed properly. Include CVE rule package in the assessment template.
D.Configure AWS Macie and include CVE rule package in the assessment template.

Correct Answer – C
Common vulnerabilities and exposures (CVEs) belong to one of the rule packages that AWS Inspector can configure. Refer to https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html.
Option A is incorrect: Because there is no CVE rule package in GuardDuty template. Users cannot configure CVE rule package in GuardDuty.
Option B is incorrect: This approach can be regarded as a prevention. However, this question asks for a monitoring dashboard.
Option C is CORRECT: Because after configuring the Common Vulnerabilities And Exposures (CVE) rule package in the assessment template, AWS Inspector can identify whether EC2 instances are exposed to CVEs:
Option D is incorrect: Macie is not applicable in this case and is not used to discover CVE issues in EC2 instances.