AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 13
A company has deployed Amazon EC2 instances from custom Amazon Machine Images (AMIs) in two AWS Regions. The company registered all the instances with AWS Systems Manager.
The company discovers that the operating system on some instances has a significant zero-day exploit. However, the company does not know how many instances are affected.
A CloudOps engineer must implement a solution to deploy operating system patches for the affected EC2 instances.
Which solution will meet this requirement with the LEAST operational overhead?
Answer options
- A. Define a patch baseline in Systems Manager Patch Manager. Use a Patch Manager scan to identify the affected instances. Use the Patch Now option in each Region to update the affected instances.
- B. Use AWS Config to identify the affected instances. Define a patch baseline in Systems Manager Patch Manager. Use the Patch Now option in Patch Manager to update the affected instances.
- C. Create an Amazon EventBridge rule to react to Systems Manager Compliance events. Configure the EventBridge rule to run a patch baseline on the affected instances.
- D. Use AWS Config to identify the affected instances. Update the existing EC2 AMIs with the desired patch. Manually launch instances from the new AMIs to replace the affected instances in both Regions.
Correct answer: A
Explanation
Option A is correct because it uses Systems Manager Patch Manager end to end: a scan against the patch baseline reports which registered instances are missing the fix, and the Patch Now option then installs it on exactly those instances, so no extra services or rebuilds are needed. Options B and D add unnecessary steps and complexity by involving AWS Config and AMI rebuilds with manual instance replacement, while Option C requires additional EventBridge configuration that this task does not need.
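The scan-then-patch workflow behind Option A, written against the SSM API as an added example (not part of the exam page and not AWS sample code). Patch Now in the console corresponds to running the `AWS-RunPatchBaseline` document with `Operation=Install`; the scan is the same document with `Operation=Scan`. The Region list, the instance ids and the patch-state values in the test are constructed assumptions; the client is passed in so the logic can be exercised against a stub without AWS credentials.

```python
"""Scan registered instances with Patch Manager, then patch only the
non-compliant ones, per Region (added example, not the page's own code)."""
import time

PATCH_DOCUMENT = "AWS-RunPatchBaseline"   # SSM document used by Patch Now
BATCH = 50                                # SSM limit on InstanceIds per call
TERMINAL = {"Success", "Cancelled", "Failed", "TimedOut"}


def managed_instance_ids(ssm):
    """Return every instance registered with Systems Manager in this Region."""
    ids, token = [], None
    while True:
        kwargs = {"MaxResults": 50}
        if token:
            kwargs["NextToken"] = token
        resp = ssm.describe_instance_information(**kwargs)
        ids += [i["InstanceId"] for i in resp["InstanceInformationList"]]
        token = resp.get("NextToken")
        if not token:
            return sorted(ids)


def wait_for_command(ssm, command_id, poll_seconds=10, max_polls=90):
    """Poll until the Run Command job reaches a terminal state; return it."""
    for _ in range(max_polls):
        status = ssm.list_commands(CommandId=command_id)["Commands"][0]["Status"]
        if status in TERMINAL:
            return status
        time.sleep(poll_seconds)
    return "TimedOut"


def run_patch_operation(ssm, instance_ids, operation):
    """Run AWS-RunPatchBaseline (Scan or Install) in batches; wait for each."""
    statuses = {}
    for start in range(0, len(instance_ids), BATCH):
        resp = ssm.send_command(
            InstanceIds=instance_ids[start:start + BATCH],
            DocumentName=PATCH_DOCUMENT,
            Parameters={"Operation": [operation],
                        "RebootOption": ["RebootIfNeeded"]},
        )
        cid = resp["Command"]["CommandId"]
        statuses[cid] = wait_for_command(ssm, cid)
    return statuses


def affected_instances(ssm, instance_ids):
    """Instances whose last scan shows missing or failed baseline patches."""
    affected = []
    for start in range(0, len(instance_ids), BATCH):
        resp = ssm.describe_instance_patch_states(
            InstanceIds=instance_ids[start:start + BATCH])
        for state in resp["InstancePatchStates"]:
            if state.get("MissingCount", 0) or state.get("FailedCount", 0):
                affected.append(state["InstanceId"])
    return sorted(affected)


def patch_region(ssm):
    """Scan everything, then install only where the scan found gaps."""
    ids = managed_instance_ids(ssm)
    scan = run_patch_operation(ssm, ids, "Scan") if ids else {}
    affected = affected_instances(ssm, ids) if ids else []
    install = run_patch_operation(ssm, affected, "Install") if affected else {}
    return {"managed": ids, "affected": affected,
            "scan": scan, "install": install}


if __name__ == "__main__":
    import boto3  # only needed for a live run
    for region in ("us-east-1", "eu-west-1"):   # assumed Region pair
        summary = patch_region(boto3.client("ssm", region_name=region))
        print(region, len(summary["managed"]), "managed,",
              len(summary["affected"]), "patched")
```

The script never installs anything on an instance the scan reported as compliant, and it only needs the SSM permissions the patch baseline already requires; the scan and install jobs can be audited afterwards from the Run Command history by their command ids.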