AWS Certified Security – Specialty — Question 405

A company uses Amazon EC2 Linux instances in the AWS Cloud. A member of the company's security team recently received a report listing Common Vulnerabilities and Exposures (CVE) identifiers that affect the instances.

A security engineer needs to verify patching and perform remediation if the instances do not have the correct patches installed. The security engineer must determine which EC2 instances are at risk and must implement a solution to automatically update those instances with the applicable patches.

What should the security engineer do to meet these requirements?

Answer options

Correct answer: A

Explanation

AWS Systems Manager Patch Manager is the correct service because it covers both halves of the requirement: identifying which instances are missing patches (its compliance data lists each missing patch together with the CVE identifiers it addresses) and automating installation of those patches. Both steps run the AWS-RunPatchBaseline document against the instance's patch baseline: the Scan operation reports compliance without changing the instance, and the Install operation applies the missing patches (rebooting if required). Running Install on a schedule through a maintenance window, a State Manager association, or a patch policy keeps the instances updated without manual intervention. The prerequisites are that the instances run SSM Agent and have an instance profile that allows them to register with Systems Manager; an instance that is not managed by Systems Manager will simply be absent from the compliance data, so check coverage first. Amazon Inspector can also identify CVEs on the instances, but it reports findings only and has no native capability to install patches. AWS Shield Advanced provides DDoS protection and Amazon GuardDuty provides threat detection from log sources; neither scans for or installs patches.
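The workflow in the explanation, as an added example that is not part of the original question page. It works on the response shapes of two real Systems Manager APIs, DescribeInstancePatchStates and DescribeInstancePatches, and builds the SendCommand request that runs AWS-RunPatchBaseline in Install mode. The instance IDs, patch titles and CVE strings in the sample responses are constructed placeholders (not real identifiers); the boto3 calls that would fetch live data are shown in comments and are an assumption about how the reader would wire this in.

```python
"""Triage Patch Manager compliance data and build the Install request.

Added example, not code from the original page. The two SAMPLE_* lists are
constructed to mimic real Systems Manager API responses; only the fields used
here are included. CVE strings are placeholders, not real CVE identifiers.
"""
from typing import Dict, List

# Constructed sample of ssm.describe_instance_patch_states(...)["InstancePatchStates"]
# as it looks after a Scan operation.
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaa111", "Operation": "Scan",
     "MissingCount": 2, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0bbb222", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 1, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0ccc333", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 1},
    {"InstanceId": "i-0ddd444", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0},
]

# Constructed sample of ssm.describe_instance_patches(InstanceId="i-0aaa111")["Patches"].
# CVEIds is a comma-separated string in the real API.
SAMPLE_INSTANCE_PATCHES = [
    {"Title": "kernel.x86_64", "Classification": "Security", "Severity": "Critical",
     "State": "Missing", "CVEIds": "CVE-0000-00001,CVE-0000-00002"},
    {"Title": "openssl.x86_64", "Classification": "Security", "Severity": "Important",
     "State": "Missing", "CVEIds": "CVE-0000-00003"},
    {"Title": "vim.x86_64", "Classification": "Bugfix", "Severity": "Low",
     "State": "Installed", "CVEIds": ""},
]


def at_risk_instances(patch_states: List[Dict]) -> List[str]:
    """Return instance IDs that still need remediation.

    Missing or failed patches leave the instance exposed. A patch that is
    installed but pending reboot is not yet effective (kernel and shared
    library updates in particular), so those instances are included too.
    """
    return sorted(
        s["InstanceId"] for s in patch_states
        if s.get("MissingCount", 0) or s.get("FailedCount", 0)
        or s.get("InstalledPendingRebootCount", 0)
    )


def missing_security_patches(instance_patches: List[Dict]) -> Dict[str, List[str]]:
    """Map each missing or failed security patch to the CVE IDs it addresses.

    This is the view that lets the engineer match the report's CVE list
    against what Patch Manager says is actually missing on the host.
    """
    result: Dict[str, List[str]] = {}
    for patch in instance_patches:
        if patch.get("State") not in ("Missing", "Failed"):
            continue
        if patch.get("Classification") != "Security":
            continue
        cves = [c.strip() for c in patch.get("CVEIds", "").split(",") if c.strip()]
        result[patch["Title"]] = cves
    return result


def patch_command_request(instance_ids: List[str], operation: str = "Install",
                          reboot_option: str = "RebootIfNeeded") -> Dict:
    """Build the kwargs for ssm.send_command that runs AWS-RunPatchBaseline.

    Operation and RebootOption are the document's real parameter names and
    accepted values. MaxConcurrency/MaxErrors limit blast radius so a bad
    patch does not take the whole fleet down at once.
    """
    if operation not in ("Scan", "Install"):
        raise ValueError("operation must be Scan or Install")
    if reboot_option not in ("RebootIfNeeded", "NoReboot"):
        raise ValueError("reboot_option must be RebootIfNeeded or NoReboot")
    if not instance_ids:
        raise ValueError("no instances to target")
    return {
        "DocumentName": "AWS-RunPatchBaseline",
        "InstanceIds": list(instance_ids),   # for fleets >50, use Targets with a tag key instead
        "Parameters": {"Operation": [operation], "RebootOption": [reboot_option]},
        "MaxConcurrency": "25%",
        "MaxErrors": "10%",
    }


if __name__ == "__main__":
    # Live wiring (assumed, not executed here):
    #   import boto3
    #   ssm = boto3.client("ssm")
    #   states = ssm.describe_instance_patch_states(InstanceIds=[...])["InstancePatchStates"]
    #   patches = ssm.describe_instance_patches(InstanceId=...)["Patches"]
    #   ssm.send_command(**patch_command_request(at_risk_instances(states)))
    targets = at_risk_instances(SAMPLE_PATCH_STATES)
    print("at risk:", targets)
    print("missing security patches on i-0aaa111:",
          missing_security_patches(SAMPLE_INSTANCE_PATCHES))
    print("install request:", patch_command_request(targets))
```

The one-off SendCommand is the manual remediation path; for the "automatically update" part of the requirement the same document and parameters are attached to a maintenance window task or a State Manager association, with a Scan run first so the compliance data is fresh before Install changes anything.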