Which combination of steps is the MOST efficient way for the Engineer to meet these requirements?
(Choose two.)
A. Log on to each EC2 instance, check and export the different software versions installed, and verify this against a list of current CVEs.
B. Install the Amazon Inspector agent on all development instances. Build a custom rule package, and configure Inspector to perform a scan using this custom rule on all instances tagged as being in the development environment.
C. Install the Amazon Inspector agent on all development instances. Configure Inspector to perform a scan using this CVE rule package on all instances tagged as being in the development environment.
D. Install the Amazon EC2 System Manager agent on all development instances. Issue the Run command to EC2 System Manager to update all instances.
E. Use AWS Trusted Advisor to check that all EC2 instances have been patched to the most recent version of operating system and installed software.
Explanations:
A. Manually logging on to each EC2 instance to check installed software versions against current CVEs is time-consuming and inefficient, especially given the large number of instances. This approach has no automation and does not scale.
B. Installing the Amazon Inspector agent is beneficial, but building a custom rule package adds complexity that is not necessary, since Amazon Inspector already provides a standard CVE rule package. This option does not make full use of Inspector's existing capabilities.
C. Installing the Amazon Inspector agent and using the built-in CVE rule package to scan all instances tagged as development gives automated, efficient vulnerability detection, and targeting by tag keeps the scan scoped to the development environment. This approach makes effective use of an existing AWS service.
D. Installing the EC2 Systems Manager agent and using the Run command to update all instances is an efficient way to ensure that development instances are patched against known vulnerabilities. This automates the patching process across many instances at once instead of patching each one by hand.
E. AWS Trusted Advisor provides insights into resource utilization and best-practice checks, but it does not check patch status or CVE compliance. It is not designed to provide a comprehensive vulnerability assessment.