Which combination of actions should the DevOps engineer take to resolve this issue?
(Choose three.)
Verify that AWS Systems Manager Agent is installed and is running on the EC2 instances that Amazon Inspector is not scanning.
Associate the target EC2 instances with security groups that allow outbound communication on port 443 to the AWS Systems Manager service endpoint.
Grant inspector:StartAssessmentRun permissions to the IAM role that the DevOps engineer is using.
Configure EC2 Instance Connect for the EC2 instances that Amazon Inspector is not scanning.
Associate the target EC2 instances with instance profiles that grant permissions to communicate with AWS Systems Manager.
Create a managed-instance activation. Use the Activation Code and the Activation ID to register the EC2 instances.
Explanations:
Amazon Inspector relies on AWS Systems Manager to manage EC2 instances. For Inspector to scan instances, the Systems Manager Agent (SSM Agent) must be installed and running.
EC2 instances need outbound connectivity on port 443 to communicate with AWS Systems Manager. This allows them to send status updates and receive commands for scanning.
The inspector:StartAssessmentRun permission is not necessary for Amazon Inspector to initiate vulnerability scans. Inspector automatically handles scanning with Systems Manager.
EC2 Instance Connect is used for SSH access to instances, which is unrelated to Amazon Inspector’s scanning requirements.
EC2 instances require an IAM instance profile with Systems Manager permissions to communicate with SSM. This enables Amazon Inspector to manage the instances.
Managed-instance activation is needed only for on-premises instances or instances outside AWS. EC2 instances in AWS accounts do not require this.