ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company runs several Amazon Linux 2 EC2 instances that store sensitive intellectual-property files. Compliance policy requires a host-based control that will
monitor critical system and application files for unauthorized changes on an ongoing basis,
generate security findings without opening additional inbound ports, and
minimize ongoing infrastructure management overhead. Which solution best meets these requirements?
Turn on Amazon GuardDuty with S3 protection so that file-related activity on the EC2 volumes is analyzed for threats.
Deploy AWS Network Firewall in the VPC and create stateful rules that detect and log file modification traffic from the instances.
Enable AWS Systems Manager's File Integrity Monitoring by ensuring the SSM Agent is running and applying the AWS managed FIM configuration to the instances.
Install the Amazon Inspector agent and schedule daily CIS benchmark assessments for the instances.
AWS Systems Manager provides a managed File Integrity Monitoring (FIM) capability that uses the existing SSM Agent on each EC2 instance to collect file metadata at regular intervals. The data is stored in Systems Manager Inventory and evaluated by AWS Config, which records and notifies on any additions, deletions, or modifications. The SSM Agent communicates outbound over HTTPS, so no extra inbound ports are needed, and because the capability is managed, administrators only need to enable the AWS-provided FIM configuration policy-satisfying the low-maintenance requirement.
Amazon GuardDuty analyzes VPC flow logs, DNS logs, EBS volume data, and CloudTrail events (with optional runtime monitoring agents), but its findings are focused on threat detections such as malware, not on file-integrity baselines for arbitrary system paths. AWS Network Firewall operates at the network layer and has no visibility into on-host file activity. Amazon Inspector offers continuous vulnerability scanning and CIS benchmark assessments but does not track file changes, so it does not meet the integrity-monitoring requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS Systems Manager's File Integrity Monitoring (FIM)?
Open an interactive chat with Bash
How does the SSM Agent communicate securely without opening inbound ports?
Open an interactive chat with Bash
Why does Amazon GuardDuty not meet the file integrity monitoring requirement?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Systems and Application Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .