Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc., be disabled on all the servers. The security team would like to regularly check all the servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure.
What process will check the compliance of the company's EC2 instances?
A) Trigger an AWS Config Rules evaluation of the restricted-common-ports rule against every EC2 instance
B) Query the Trusted Advisor API for all Best Practice security checks and check for "action recommended" status
C) Enable a GuardDuty threat detection analysis targeting the port configuration on every EC2 instance
D) Run an Amazon Inspector assessment using the Runtime Behavior Analysis rules package against every EC2 instance
My two cents:
A. Looks OK, since you can define the rule to scan insecure ports in Cloud Config:
https://docs.aws.amazon.com/config/latest/developerguide/restricted-common-ports.html
B. Trusted Advisor also provides a scan of the security group. Not sure whether it covers all risky ports.
C. GuardDuty can do port scans as well.
D. Inspector has a rule: Insecure Server Protocols.
This rule helps determine whether your EC2 instances allow support for insecure and unencrypted ports/ services such as FTP, Telnet, HTTP, IMAP, POP version 3, SMTP, SNMP versions 1 and 2, rsh, and rlogin.
https://docs.aws.amazon.com/inspector/latest/userguide/inspector-ug.pdf
It looks like D is the closest to the answer, but A, B and C can also meet the goal. So I really don't know which one to choose. Please let me know your thoughts.
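As an added example (not part of the original post and not AWS code), here is a local model of what the restricted-common-ports rule in option A actually evaluates: the inbound rules of each security group, looking for unrestricted (0.0.0.0/0 or ::/0) TCP access to a parameter list of at most five ports, whose defaults are 20, 21, 3389, 3306 and 4333. The security groups below are constructed sample data. Two caveats become visible when you run it: Telnet (23) and HTTP (80) are not in the default parameters, so the rule has to be parameterized to cover the protocols the policy names, and a group that only allows FTP from an internal range evaluates as compliant even though the instance behind it may still be running an FTP daemon. That host-level check (is the insecure service actually enabled on the instance) is what the agent-based Inspector rule in option D performs; the Config rule checks network exposure, not what is listening.

```python
"""Local model of the AWS Config managed rule restricted-common-ports.

Added example, not from the original post or from AWS. The security groups
here are constructed sample data shaped like EC2 IpPermissions entries.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Default values of the managed rule's blockedPort1..blockedPort5 parameters.
DEFAULT_BLOCKED_PORTS: Tuple[int, ...] = (20, 21, 3389, 3306, 4333)

# Ports for the protocols named in the policy; these would have to be passed
# as the rule's parameters (the managed rule accepts at most five).
INSECURE_SERVER_PORTS: Dict[str, int] = {"ftp": 21, "telnet": 23, "http": 80}

UNRESTRICTED_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass
class IngressRule:
    protocol: str                # "tcp", "udp" or "-1" (all traffic), as in IpPermissions
    from_port: Optional[int]     # None when protocol == "-1"
    to_port: Optional[int]
    cidrs: Tuple[str, ...]       # IpRanges plus Ipv6Ranges


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[IngressRule] = field(default_factory=list)


def rule_exposes_port(rule: IngressRule, port: int) -> bool:
    """True when this ingress rule lets any internet source reach `port` over TCP."""
    if not any(c in UNRESTRICTED_CIDRS for c in rule.cidrs):
        return False                       # source-restricted: not "unrestricted"
    if rule.protocol == "-1":
        return True                        # all traffic, all ports
    if rule.protocol != "tcp":
        return False                       # the rule only looks at TCP
    return rule.from_port <= port <= rule.to_port


def evaluate_security_group(
    sg: SecurityGroup, blocked_ports: Sequence[int] = DEFAULT_BLOCKED_PORTS
) -> Tuple[str, List[int]]:
    """Return ("COMPLIANT", []) or ("NON_COMPLIANT", [ports reachable from anywhere])."""
    exposed = sorted({p for p in blocked_ports for r in sg.ingress if rule_exposes_port(r, p)})
    return ("NON_COMPLIANT" if exposed else "COMPLIANT", exposed)


# Constructed sample groups (hypothetical IDs, not from a real account).
SAMPLE_GROUPS: Dict[str, SecurityGroup] = {
    "sg-telnet-open": SecurityGroup("sg-telnet-open", [
        IngressRule("tcp", 23, 23, ("0.0.0.0/0",))]),
    "sg-web-open": SecurityGroup("sg-web-open", [
        IngressRule("tcp", 80, 80, ("0.0.0.0/0",)),
        IngressRule("tcp", 443, 443, ("0.0.0.0/0",))]),
    "sg-ftp-internal": SecurityGroup("sg-ftp-internal", [
        IngressRule("tcp", 21, 21, ("10.0.0.0/8",))]),   # FTP may still run on the host
    "sg-all-open": SecurityGroup("sg-all-open", [
        IngressRule("-1", None, None, ("::/0",))]),
}


def run_report(blocked_ports: Sequence[int] = DEFAULT_BLOCKED_PORTS) -> Dict[str, Tuple[str, List[int]]]:
    """Evaluate every sample group with one parameter set, as Config would per resource."""
    return {gid: evaluate_security_group(sg, blocked_ports) for gid, sg in SAMPLE_GROUPS.items()}


if __name__ == "__main__":
    for label, ports in (("defaults", DEFAULT_BLOCKED_PORTS),
                         ("policy ports", tuple(INSECURE_SERVER_PORTS.values()))):
        print(f"--- blockedPort parameters: {label} {ports}")
        for gid, (status, exposed) in run_report(ports).items():
            print(f"{gid:18} {status:14} exposed={exposed}")
```

With the defaults, sg-telnet-open and sg-web-open come back COMPLIANT, which is the gap behind "not sure whether it covers all risky ports": the rule only knows the five ports it is given. Re-run with the policy's own ports and both groups flip to NON_COMPLIANT, while sg-ftp-internal stays COMPLIANT under either parameter set because its FTP rule is not open to the world, even though nothing here has checked whether FTP is disabled on the instance itself.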