The correct answer is: Enable Amazon Inspector and install its agent on EC2 instances. Use a Lambda function to generate and distribute reports of any discovered vulnerabilities.

Amazon Inspector is a dedicated AWS security service designed to automatically scan Amazon EC2 instances and container workloads for software vulnerabilities and unintended network exposure. Once activated and the required agent is installed, Inspector continuously assesses the environment against a growing list of Common Vulnerabilities and Exposures (CVEs). Reports can be generated programmatically, making it easy to integrate findings into automated workflows using AWS Lambda or other services.

The option Enable Amazon GuardDuty and install its monitoring agents on EC2 instances is incorrect because GuardDuty is focused on detecting threat activity through log analysis and anomaly detection. It does not perform in-depth vulnerability scanning on applications or operating system components running on EC2 instances.

The option Use AWS Shield to perform vulnerability scans on EC2 instances is incorrect. AWS Shield is a DDoS protection service and is not designed for host-level vulnerability scanning. It safeguards network infrastructure but offers no scanning or reporting of internal software issues.

The option Deploy Amazon Macie with supporting Lambda functions to scan EC2 instances for vulnerabilities is also incorrect. Amazon Macie is a data classification tool designed to identify sensitive data (like PII) stored in S3. It does not scan EC2 instances for vulnerabilities or provide findings related to software security gaps.

This question is important because it tests knowledge of AWS security services and how to apply them effectively in a real-world incident response and recovery scenario. A helpful tip is to associate Inspector with host-based vulnerability scanning, GuardDuty with threat detection in logs and behaviors, Macie with S3 data sensitivity, and Shield with network-level protections.

The tricky part of this question is the presence of several AWS services that are security-related. Understanding each ones role is crucial. Only Amazon Inspector directly meets the need to scan EC2 instances for application or OS-level vulnerabilities and deliver detailed, actionable reports.

Full AWS Practitioner Certification Question