ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company operates hundreds of Amazon EC2 instances and stores container images in several Amazon ECR repositories across multiple AWS accounts that belong to a single AWS Organizations organization. Security leadership needs an AWS-native capability to automatically discover software vulnerabilities on both the running EC2 instances and the container images, while allowing a single team to review all findings in one central account with minimal ongoing administration. Which approach best meets these requirements?
Designate a delegated administrator account in AWS Organizations and enable Amazon Inspector organization-wide to scan EC2 instances and Amazon ECR images, forwarding all findings to the central account.
Use AWS Systems Manager Patch Manager to run scheduled patch scans on all EC2 instances and publish the results to a cross-account CloudWatch dashboard for reporting.
Enable repository scanning in Amazon ECR, integrate the results with AWS Macie, and configure Macie as the central service in the management account for multi-account reporting.
Activate Amazon GuardDuty in every account and aggregate its findings to a central Security account to detect Common Vulnerabilities and Exposures (CVEs) on EC2 instances and ECR images.
Amazon Inspector can continuously scan EC2 instances by using the AWS Systems Manager agent to inventory installed software and compare it against known CVEs. The new Amazon Inspector also performs on-push and continuous vulnerability scans of container images stored in Amazon ECR. When Amazon Inspector is enabled for an AWS Organizations environment, one account can be designated as the delegated administrator; all member accounts automatically share their findings with that central account, providing consolidated visibility and reducing operational overhead. GuardDuty focuses on threat detection, not vulnerability discovery. Patch Manager only reports missing patches on managed instances and does not assess container images. Amazon Macie addresses data classification, not software vulnerabilities. Therefore, enabling Amazon Inspector organization-wide with a delegated administrator is the most appropriate solution.
Risk Identification, Monitoring and Analysis