AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 308

A company that uses electronic patient health records runs a fleet of Amazon EC2 instances with an Amazon Linux operating system. The company must continuously ensure that the EC2 instances are running operating system patches and application patches that are in compliance with current privacy regulations. The company uses a custom repository to store application patches.

A DevOps engineer needs to automate the deployment of operating system patches and application patches. The DevOps engineer wants to use both the default operating system patch repository and the custom patch repository.

Which solution will meet these requirements with the LEAST effort?

Answer options

• A. Use AWS Systems Manager to create a new custom patch baseline that includes the default operating system repository and the custom repository. Run the AWS-RunPatchBaseline document by using the Run command to verify and install patches. Use the BaselineOverride API to configure the new custom patch baseline.
• B. Use AWS Direct Connect to integrate the custom repository with the EC2 instances. Use Amazon EventBridge events to deploy the patches.
• C. Use the yum-config-manager command to add the custom repository to the /etc/yum.repos.d configuration. Run the yum-config-manager-enable command to activate the new repository.
• D. Use AWS Systems Manager to create a patch baseline for the default operating system repository and a second patch baseline for the custom repository. Run the AWS-RunPatchBaseline document by using the Run command to verify and install patches. Use the BaselineOverride API to configure the default patch baseline and the custom patch baseline.

Correct answer: A

Explanation

AWS Systems Manager Patch Manager allows you to specify alternative patch repositories inside a single custom patch baseline, enabling the installation of both default OS and custom application patches. Using the AWS-RunPatchBaseline SSM document along with the BaselineOverride API allows you to easily enforce this unified patch baseline on the EC2 instances. Option D is incorrect because Patch Manager only allows one patch baseline to be applied per execution, meaning you cannot override and run two separate baselines simultaneously.