AWS Certified Security – Specialty — Question 102

For compliance reasons, a Security Engineer must produce a weekly report that lists any instance that does not have the latest approved patches applied. The
Engineer must also ensure that no system goes more than 30 days without the latest approved updates being applied.
What would be the MOST efficient way to achieve these goals?

Answer options

• A. Use Amazon Inspector to determine which systems do not have the latest patches applied, and after 30 days, redeploy those instances with the latest AMI version.
• B. Configure Amazon EC2 Systems Manager to report on instance patch compliance, and enforce updates during the defined maintenance windows.
• C. Examine AWS CloudTrail logs to determine whether any instances have not restarted in the last 30 days, and redeploy those instances.
• D. Update the AMIs with the latest approved patches, and redeploy each instance during the defined maintenance window.

Correct answer: B

Explanation

The correct answer is B because Amazon EC2 Systems Manager provides a centralized way to manage patch compliance and can enforce updates, ensuring that instances are regularly updated. Option A relies on redeploying instances after 30 days, which is less efficient. Option C does not focus on patch compliance, and option D involves a manual process of updating AMIs, which isn't as effective as using Systems Manager.