AWS Certified Solutions Architect – Associate (SAA-C03) — Question 682

A company has applications that run on Amazon EC2 instances. The EC2 instances connect to Amazon RDS databases by using an IAM role that has associated policies. The company wants to use AWS Systems Manager to patch the EC2 instances without disrupting the running applications.

Which solution will meet these requirements?

Answer options

• A. Create a new IAM role. Attach the AmazonSSMManagedInstanceCore policy to the new IAM role. Attach the new IAM role to the EC2 instances and the existing IAM role.
• B. Create an IAM user. Attach the AmazonSSMManagedInstanceCore policy to the IAM user. Configure Systems Manager to use the IAM user to manage the EC2 instances.
• C. Enable Default Host Configuration Management in Systems Manager to manage the EC2 instances.
• D. Remove the existing policies from the existing IAM role. Add the AmazonSSMManagedInstanceCore policy to the existing IAM role.

Correct answer: C

Explanation

Enabling Default Host Configuration Management (DHCM) allows AWS Systems Manager to manage EC2 instances automatically without requiring modifications to the existing instance IAM roles, thereby preserving the applications' access to Amazon RDS. Modifying the existing IAM role by removing policies would break the database connection, and EC2 instances cannot have multiple IAM roles attached simultaneously. Using an IAM user is not a valid method for Systems Manager instance management.