A recurring exam theme is knowing which AWS service is responsible for vulnerability scanning, which for patching, and which for threat detection. Many candidates confuse Amazon Inspector, Systems Manager Patch Manager, and Amazon GuardDuty.
Let’s walk through a sample scenario, break down why Inspector is the correct choice, and summarize with cheat sheets, exam tips, and highlights.
Scenario
A healthcare company is deploying an internal claims processing platform on Amazon EC2. To meet compliance requirements, they must:
- Continuously scan their EC2 instances for known software vulnerabilities.
- Check container images stored in Amazon Elastic Container Registry (ECR) for potential exploits.
- Categorize the severity of findings to guide remediation priorities.
- Use a managed solution with minimal operational overhead.
Solution – Amazon Inspector
The company enables Amazon Inspector, which automatically:
- Scans EC2 instances for operating system and application-level vulnerabilities.
- Integrates with Amazon ECR to assess container images before deployment.
- Assigns severity scores (e.g., Critical, High, Medium, Low) based on industry CVE databases.
- Scales automatically without custom infrastructure.
This ensures compliance and security posture with minimal manual effort.
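The scenario above maps onto three operations: enabling Inspector for the EC2 and ECR resource types, pulling its findings, and sorting them by severity into a remediation queue. The following script is an added example, not code from the original post or from AWS; it uses the boto3 `inspector2` client (the `enable` call and the `list_findings` paginator) and assumes boto3 is installed and that credentials with `inspector2:Enable` and `inspector2:ListFindings` permissions are configured. The sample findings embedded in it are constructed to mirror the shape Inspector returns and are not real findings; the CVE identifiers in them are placeholders.

```python
"""Enable Amazon Inspector for EC2 + ECR, then triage findings by severity.

Added example for the scenario above. Assumptions (not from the original post):
  - boto3 is installed and AWS credentials are available in the environment.
  - The sample findings below are constructed; they only imitate the field
    names Inspector uses (severity, resources, packageVulnerabilityDetails).
"""
import sys
from collections import Counter, defaultdict

# Remediation priority, highest first. These are Inspector's own severity labels.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNTRIAGED"]


def enable_inspector(resource_types=("EC2", "ECR"), region="us-east-1"):
    """Turn on Inspector scanning for the given resource types in this account.

    Inspector is account-level and fully managed, so this single API call is the
    whole 'setup' step: no agents to deploy, no scanners to host.
    """
    import boto3  # imported lazily so the triage helpers run without boto3

    client = boto3.client("inspector2", region_name=region)
    return client.enable(resourceTypes=list(resource_types))


def fetch_active_findings(min_severity="MEDIUM", region="us-east-1"):
    """Page through ACTIVE findings at or above min_severity.

    Assumption: multiple entries in one filter list are OR'ed by Inspector, so
    listing several severities returns findings matching any of them.
    """
    import boto3

    client = boto3.client("inspector2", region_name=region)
    wanted = SEVERITY_ORDER[: SEVERITY_ORDER.index(min_severity) + 1]
    criteria = {
        "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}],
        "severity": [{"comparison": "EQUALS", "value": s} for s in wanted],
    }
    findings = []
    for page in client.get_paginator("list_findings").paginate(filterCriteria=criteria):
        findings.extend(page["findings"])
    return findings


def severity_counts(findings):
    """Histogram of findings by severity (what a compliance report would show)."""
    return Counter(f.get("severity", "UNTRIAGED") for f in findings)


def triage(findings):
    """Group findings into {severity: [(resource_type, resource_id, vuln_id)]}.

    Keys are emitted in SEVERITY_ORDER so the dict itself reads as a priority list.
    One finding can reference several resources; each becomes its own work item.
    """
    queue = defaultdict(list)
    for f in findings:
        sev = f.get("severity", "UNTRIAGED")
        vuln = f.get("packageVulnerabilityDetails", {}).get("vulnerabilityId") or f.get("title")
        for r in f.get("resources", []):
            queue[sev].append((r["type"], r["id"], vuln))
    return {s: queue[s] for s in SEVERITY_ORDER if queue[s]}


def remediation_order(findings):
    """Flat work list, CRITICAL first, for handing to a patching workflow."""
    triaged = triage(findings)
    return [item for s in SEVERITY_ORDER for item in triaged.get(s, [])]


# Constructed sample findings (placeholder IDs, not real vulnerabilities).
SAMPLE_FINDINGS = [
    {"severity": "HIGH", "title": "CVE-EXAMPLE-0001 - openssl",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0001"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}]},
    {"severity": "CRITICAL", "title": "CVE-EXAMPLE-0002 - libxml2",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0002"},
     "resources": [{"type": "AWS_ECR_CONTAINER_IMAGE", "id": "claims-api@sha256:placeholder"}]},
    {"severity": "LOW", "title": "CVE-EXAMPLE-0003 - curl",
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0003"},
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"},
                   {"type": "AWS_EC2_INSTANCE", "id": "i-0fedcba9876543210"}]},
]


if __name__ == "__main__":
    # Offline by default; pass --live to enable Inspector and read real findings.
    findings = SAMPLE_FINDINGS
    if "--live" in sys.argv:
        enable_inspector()
        findings = fetch_active_findings(min_severity="LOW")
    print("counts:", dict(severity_counts(findings)))
    for sev, items in triage(findings).items():
        print(sev)
        for rtype, rid, vuln in items:
            print(f"  {rtype:25s} {rid:40s} {vuln}")
```

The triage helpers work on the finding dictionaries alone, so they can be unit-tested without an AWS account; only `enable_inspector` and `fetch_active_findings` touch the API.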
Cheat Sheet: Amazon Inspector vs Other Services
| Service | What It Does | Fit for This Scenario |
|---|---|---|
Amazon Inspector | Vulnerability scanning for EC2 & ECR, severity scoring | Correct for vulnerability management |
Systems Manager Patch Manager | Automates patch deployment | Doesn’t scan for vulnerabilities, only applies fixes |
Amazon GuardDuty | Threat detection (malicious activity, anomalies) | Doesn’t identify CVEs or software vulnerabilities |
AWS Security Hub | Aggregates findings from Inspector, GuardDuty, and Macie | Not a scanner itself — consumes results |
Cheat Sheet: Amazon Inspector Key Features
| Feature | What It Provides | Exam Clue |
|---|---|---|
EC2 Scanning | Finds OS & software vulnerabilities | “Scan EC2 instances for vulnerabilities” → Inspector |
ECR Scanning | Identifies insecure container images | “Scan container images” → Inspector |
Severity Scoring | Ranks vulnerabilities (Critical/High/etc.) | Look for “categorize vulnerabilities” in exam question |
Automated & Managed | Minimal operational overhead | Exam hint: “no manual setup” → Inspector |
Exam Tips
| Exam Tip | Key Point |
|---|---|
Inspector = Vulnerability Scans | Scans EC2 + ECR for CVEs |
GuardDuty ≠ Vulnerabilities | Only detects malicious activity |
Patch Manager ≠ Scanner | Only applies patches |
Security Hub = Aggregation | Consumes Inspector findings |
Exam Highlights
- Amazon Inspector = vulnerability management.
- GuardDuty = threat detection.
- Patch Manager = patch automation.
- Security Hub = finding aggregation.
Ready to take your AWS Solutions Architect – Associate prep to the next level?
Join our Study Notes and Study Group to connect with fellow learners, access structured exam-aligned resources (study notes, flashcards, scenario-based questions, personalized study plans with email reminders, and the ability to add notes to any lesson), and participate in weekly, exam-aligned sessions using a live AWS environment to explore architecture decisions through a real-world e-commerce application.
Start your journey here: https://labs.itassist.com/aws-certified-solution-architect-associate-study-notes
📺 New to the platform? Watch the YouTube playlist to see all the features in action: https://www.youtube.com/playlist?list=PLqwTb4xwPh0e7w3iNS6I7UzAds7wNlAo7