Which combination of actions will meet these requirements?
(Choose three.)
Activate Amazon Inspector. Start automated CVE scans.
Activate Lambda standard scanning and Lambda code scanning in Amazon Inspector.
Enable Amazon GuardDuty. Enable the Lambda Protection feature in GuardDuty.
Enable scanning in the Monitor settings of the Lambda functions that need code scans.
Tag Lambda functions that do not need code scans. In the tag, include a key of InspectorCodeExclusion and a value of LambdaCodeScanning.
Use Amazon Inspector to scan the S3 bucket that contains the Lambda .zip packages and the Lambda layer .zip file for code scans.
Explanations:
Activating Amazon Inspector and starting automated CVE scans will help identify known vulnerabilities (CVEs) in the Lambda functions and layers. This is a required step for CVE scanning.
Enabling both standard and code scanning in Amazon Inspector for Lambda allows for the detection of CVEs and potential code issues in the selected Lambda functions.
Amazon GuardDuty’s Lambda Protection feature is focused on monitoring runtime threats, not on CVE or code scanning, making it unsuitable for this requirement.
There is no option within Lambda’s Monitor settings specifically to enable selective code scans for Inspector; code scans are configured directly in Inspector.
Tagging the Lambda functions that do not need code scans excludes them from Amazon Inspector code scanning, which allows for the selective scanning required in this scenario.
Amazon Inspector does not scan S3 buckets for Lambda code; it directly scans Lambda functions, so this approach does not meet the requirements.