Which solution will meet this requirement with the LEAST operational overhead?
Activate AWS Security Hub. Configure Security Hub to scan the EKS nodes and the ECR repository.
Activate Amazon Inspector to scan the EKS nodes and the ECR repository.
Launch a new Amazon EC2 instance and install a vulnerability scanning tool from AWS Marketplace. Configure the EC2 instance to scan the EKS nodes. Configure Amazon ECR to perform a basic scan on push.
Install the Amazon CloudWatch agent on the EKS nodes. Configure the CloudWatch agent to scan continuously. Configure Amazon ECR to perform a basic scan on push.
Explanations:
AWS Security Hub is primarily a security posture management service that aggregates security alerts from various AWS services. While it can provide insights on security findings, it does not directly scan EKS nodes or ECR images for vulnerabilities. It requires integration with services that perform the scans, which adds complexity and operational overhead.
Amazon Inspector is a vulnerability management service that automatically assesses applications for vulnerabilities or deviations from best practices. It can scan both EKS nodes and ECR repositories, providing continuous monitoring with minimal operational overhead as it integrates seamlessly with these services.
Launching a new EC2 instance to run a vulnerability scanning tool adds significant operational overhead, including management of the EC2 instance and the scanning tool. Additionally, it does not provide continuous scanning by default and would require manual configuration and maintenance. While ECR can perform scans on push, this option does not address EKS node scanning effectively.
The CloudWatch agent is primarily used for collecting metrics and logs from EC2 instances. While it can provide monitoring capabilities, it is not designed to perform security vulnerability scanning. Continuous scanning of EKS nodes would not be feasible with the CloudWatch agent, making this option inadequate for the requirement. ECR’s basic scan on push is useful, but the EKS nodes would remain unmonitored for vulnerabilities.
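The low-overhead configuration the Amazon Inspector explanation describes, as an added Terraform example that is not part of the original question: it enables Inspector for the EC2 resource type (which covers EKS worker nodes, since they are EC2 instances) and for ECR, and switches the ECR registry from basic scan-on-push to Inspector's enhanced continuous scanning. The region, the provider version constraint and the wildcard repository filter are assumptions.

```terraform
# Added example (not from the original question): enable Amazon Inspector
# for the EC2 and ECR resource types in the current account and region,
# and move ECR from basic scan-on-push to Inspector's enhanced scanning.
# Region, provider version and the wildcard filter are assumptions.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0" # assumption: any 5.x provider release
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

data "aws_caller_identity" "current" {}

# EKS worker nodes are EC2 instances, so the EC2 resource type covers them.
# Inspector assesses them through the SSM agent that EKS-optimized AMIs
# already ship with; no scanner instance or extra agent has to be operated.
resource "aws_inspector2_enabler" "this" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["EC2", "ECR"]
}

# Enhanced scanning hands ECR image scanning to Inspector. CONTINUOUS_SCAN
# re-evaluates stored images as the vulnerability database changes, rather
# than only at push time as the basic scan-on-push option does.
resource "aws_ecr_registry_scanning_configuration" "this" {
  scan_type = "ENHANCED"

  rule {
    scan_frequency = "CONTINUOUS_SCAN"
    repository_filter {
      filter      = "*" # assumption: every repository in the registry
      filter_type = "WILDCARD"
    }
  }

  depends_on = [aws_inspector2_enabler.this]
}
```

Findings for both the nodes and the images then surface in the Inspector console and, if Security Hub is enabled, are forwarded there automatically.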