AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A security audit reveals that Amazon EC2 instances are not being patched regularly. A solutions architect needs to provide a solution that will run regular security scans across a large fleet of EC2 instances. The solution should also patch the EC2 instances on a regular schedule and provide a report of each instance's patch status.
Which solution will meet these requirements?
Other
Community
UAnonymous
A
Set up Amazon Macie to scan the EC2 instances for software vulnerabilities. Set up a cron job on each EC2 instance to patch the instance on a regular schedule.
B
Turn on Amazon GuardDuty in the account. Configure GuardDuty to scan the EC2 instances for software vulnerabilities. Set up AWS Systems Manager Session Manager to patch the EC2 instances on a regular schedule.
C
Set up Amazon Detective to scan the EC2 instances for software vulnerabilities. Set up an Amazon EventBridge scheduled rule to patch the EC2 instances on a regular schedule.
D
Turn on Amazon Inspector in the account. Configure Amazon Inspector to scan the EC2 instances for software vulnerabilities. Set up AWS Systems Manager Patch Manager to patch the EC2 instances on a regular schedule.
Explanation:
Explanation
Correct Answer: D
Why Option D is correct:
- Amazon Inspector is specifically designed for vulnerability assessment and security scanning of EC2 instances. It can automatically discover EC2 instances and assess them for software vulnerabilities, network exposure, and security best practices.
- AWS Systems Manager Patch Manager is the proper AWS service for automating the patching of EC2 instances. It can patch instances on a schedule, maintain patch compliance, and generate reports on patch status.
- Together, these services provide a complete solution: Inspector for vulnerability scanning and Patch Manager for automated patching and reporting.
Why other options are incorrect:
A. Amazon Macie + cron jobs:
- Amazon Macie is for discovering and protecting sensitive data (PII), not for vulnerability scanning of EC2 instances.
- Using cron jobs on each instance is not scalable for large fleets and doesn't provide centralized reporting.
B. Amazon GuardDuty + Session Manager:
- Amazon GuardDuty is a threat detection service that analyzes CloudTrail, VPC Flow Logs, and DNS logs, not a vulnerability scanner for EC2 software.
- Session Manager is for secure shell access to instances, not for automated patching.
C. Amazon Detective + EventBridge:
- Amazon Detective is for security incident investigation and analysis, not for vulnerability scanning.
- EventBridge can trigger events but doesn't have built-in patching capabilities.
Key AWS Services for this scenario:
- Amazon Inspector: Automated security assessment service for EC2 instances
- AWS Systems Manager Patch Manager: Automated patching and compliance reporting
- AWS Systems Manager State Manager: Can maintain patch compliance state
- AWS Systems Manager Automation: Can automate patching workflows
Best Practice: For enterprise-scale patch management, use AWS Systems Manager with Patch Manager for automated patching and compliance reporting, combined with Amazon Inspector for continuous vulnerability assessment.
Comments
Loading comments...