AWS Certified Security – Specialty (SCS-C02) — Question 158
A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization.
A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations.
A security engineer must implement a solution that detects EC2 instances that do not have the required software. The solution also must automatically install the software if the software is not present.
Which solution will meet these requirements?
Answer options
- A. Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.
- B. Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.
- C. Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts. Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.
- D. Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.
Correct answer: C
Explanation
The correct answer is C because it effectively utilizes AWS Config to monitor the presence of required software and automates the installation process via an EventBridge rule and AWS Lambda function. Option A fails to ensure instances are updated automatically, while Option B is limited to patching, and Option D does not provide a method for ongoing monitoring and automatic remediation.