Which AWS service continuously scans EC2 instances for software vulnerabilities and network exposure?


Prepare for the Amazon Web Services (CISN 74A) Security Test with our interactive quizzes. Use multiple choice questions with detailed hints and explanations to ace your exam.

The correct choice is Amazon Inspector because it is specifically designed to continuously assess Amazon EC2 instances for security vulnerabilities and network exposure. Amazon Inspector examines running EC2 instances, including their installed software and configuration, to identify potential security issues based on established best practices and compliance requirements.

It automates the process of evaluating applications for vulnerabilities, providing detailed findings and recommendations on how to remediate issues. This focus on vulnerability management is what sets Amazon Inspector apart as the optimal service for this purpose compared to other AWS services. For instance, Amazon GuardDuty is more focused on threat detection and monitoring for malicious activity across the AWS account, while AWS Trusted Advisor offers insights on service limits and best practices but does not perform continuous vulnerability scanning. AWS Step Functions, on the other hand, is primarily a serverless orchestration service for building complex workflows, unrelated to security scanning.