Which solution will meet these requirements?
Use SCPs to configure scanning of EC2 instances and ECR containers for all accounts in the organization.
Configure a delegated administrator for Amazon GuardDuty for the organization. Create an Amazon EventBridge rule to initiate analysis of ECR containers.
Configure a delegated administrator for Amazon Inspector for the organization. Configure automatic scanning for new member accounts.
Configure a delegated administrator for Amazon Inspector for the organization. Create an AWS Config rule to initiate analysis of ECR containers.
Explanations:
SCPs (Service Control Policies) cannot be used to configure scanning of EC2 instances and ECR containers. SCPs are used to manage permissions, not to trigger or configure scanning operations.
Amazon GuardDuty is a threat detection service; it is not specifically designed to scan EC2 instances and ECR containers for vulnerabilities. Additionally, EventBridge rules can automate actions, but they are not appropriate for this use case.
Configuring a delegated administrator for Amazon Inspector allows centralized management of vulnerability scanning for EC2 instances and ECR containers across the organization. Automatic scanning for new member accounts is supported.
AWS Config rules are used for compliance monitoring, not for directly initiating vulnerability scans on EC2 instances or ECR containers. Amazon Inspector is a more appropriate tool for scanning, and it can be managed with a delegated administrator.