AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct solution is to enable AWS Security Hub, Amazon Inspector, and AWS IAM Access Analyzer.

• AWS Security Hub provides a comprehensive and centralized view of your security posture across your AWS accounts. It aggregates, organizes, and prioritizes security findings from various AWS services like Amazon GuardDuty, AWS Config, Amazon Inspector, and AWS IAM Access Analyzer. Designating a delegated administrator in AWS Organizations allows for central management.
• Amazon Inspector is the specific service designed for automated and continuous vulnerability management. It scans EC2 instances and container images in ECR for software vulnerabilities and unintended network exposure, directly meeting the first critical requirement.
• AWS IAM Access Analyzer continuously monitors resource-based policies to identify resources shared with an external entity outside of your defined zone of trust (such as your AWS Organization). This directly addresses the second critical requirement to prevent unintended external access.

Incorrect options:

• Using AWS Trusted Advisor instead of IAM Access Analyzer is incorrect because while Trusted Advisor provides security best practice checks, IAM Access Analyzer is the specialized tool that uses formal reasoning to continuously analyze policies for unintended external access.
• Using AWS CloudTrail and Amazon Detective does not meet the requirements. CloudTrail is an audit log of API activity, and Detective is an investigation tool to analyze the root cause of findings. Neither service performs proactive vulnerability scanning or external access analysis.
• Using AWS Systems Manager Patch Manager instead of Amazon Inspector is incorrect. Patch Manager is a remediation tool used to apply patches to instances, whereas Inspector is the service that performs the vulnerability scanning to identify which patches are needed.