Company policy requires that all EC2 servers are not exposed to common vulnerabilities and exposures (CVEs). The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure.
What process will check compliance of the company’s EC2 instances?

Answer options:

A.Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance.
B.Query the Trusted Advisor API for all best practice security checks and check for “action recommened” status.
C.Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance.
D.Run an Amazon Inspector assessment using the common vulnerabilities and exposures rules package against every EC2 instance.

Answer – D
Option A is incorrect because Config rules cannot be set as target directly by using the scheduled cloudWatch event rule. Managed config rule(restricted-common-ports) has to be specifically configured for all the required ports.
Option B is incorrect because querying Trusted Advisor APIs are not possible.
Option C is incorrect because GuardDuty should be used to detect threats and not check the compliance of security protocols.
Option D is CORRECT because Amazon Inspector can use the common vulnerabilities and exposures rules to verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs).
For more information, please refer to the below URL
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html