AWS Certified Solutions Architect – Associate (SAA-C03) — Question 314

A security audit reveals that Amazon EC2 instances are not being patched regularly. A solutions architect needs to provide a solution that will run regular security scans across a large fleet of EC2 instances. The solution should also patch the EC2 instances on a regular schedule and provide a report of each instance’s patch status.

Which solution will meet these requirements?

Answer options

• A. Set up Amazon Macie to scan the EC2 instances for software vulnerabilities. Set up a cron job on each EC2 instance to patch the instance on a regular schedule.
• B. Turn on Amazon GuardDuty in the account. Configure GuardDuty to scan the EC2 instances for software vulnerabilities. Set up AWS Systems Manager Session Manager to patch the EC2 instances on a regular schedule.
• C. Set up Amazon Detective to scan the EC2 instances for software vulnerabilities. Set up an Amazon EventBridge scheduled rule to patch the EC2 instances on a regular schedule.
• D. Turn on Amazon Inspector in the account. Configure Amazon Inspector to scan the EC2 instances for software vulnerabilities. Set up AWS Systems Manager Patch Manager to patch the EC2 instances on a regular schedule.

Correct answer: D

Explanation

Amazon Inspector is the native AWS service designed to automatically discover and scan Amazon EC2 instances for software vulnerabilities. AWS Systems Manager Patch Manager automates the process of installing security-related and other types of patches on EC2 instances on a schedule, while also providing compliance reports. Other services like Amazon Macie (sensitive data discovery), Amazon GuardDuty (threat detection), and Amazon Detective (security investigation) do not support software vulnerability scanning or patch management.