AWS Certified Solutions Architect – Professional — Question 313

A company is using an existing orchestration tool to manage thousands of Amazon EC2 instances. A recent penetration test found a vulnerability in the company's software stack. This vulnerability has prompted the company to perform a full evaluation of its current production environment. The analysis determined that the following vulnerabilities exist within the environment:
✑ Operating systems with outdated libraries and known vulnerabilities are being used in production.
✑ Relational databases hosted and managed by the company are running unsupported versions with known vulnerabilities.
✑ Data stored in databases is not encrypted.
The solutions architect intends to use AWS Config to continuously audit and assess the compliance of the company's AWS resource configurations with the company's policies and guidelines.
What additional steps will enable the company to secure its environments and track resources while adhering to best practices?

Answer options

• A. Use AWS Application Discovery Service to evaluate all running EC2 instances Use the AWS CLI to modify each instance, and use EC2 user data to install the AWS Systems Manager Agent during boot. Schedule patching to run as a Systems Manager Maintenance Windows task. Migrate all relational databases to Amazon RDS and enable AWS KMS encryption.
• B. Create an AWS CloudFormation template for the EC2 instances. Use EC2 user data in the CloudFormation template to install the AWS Systems Manager Agent, and enable AWS KMS encryption on all Amazon EBS volumes. Have CloudFormation replace all running instances. Use Systems Manager Patch Manager to establish a patch baseline and deploy a Systems Manager Maintenance Windows task to execute AWS-RunPatchBaseline using the patch baseline.
• C. Install the AWS Systems Manager Agent on all existing instances using the company's current orchestration tool. Use the Systems Manager Run Command to execute a list of commands to upgrade software on each instance using operating system-specific tools. Enable AWS KMS encryption on all Amazon EBS volumes.
• D. Install the AWS Systems Manager Agent on all existing instances using the company's current orchestration tool. Migrate all relational databases to Amazon RDS and enable AWS KMS encryption. Use Systems Manager Patch Manager to establish a patch baseline and deploy a Systems Manager Maintenance Windows task to execute AWS-RunPatchBaseline using the patch baseline.

Correct answer: D

Explanation

Option D is correct because it addresses the database vulnerabilities and encryption requirements by migrating to Amazon RDS with AWS KMS encryption, while using the existing orchestration tool to deploy the AWS Systems Manager Agent. It also properly automates OS patching utilizing Systems Manager Patch Manager and Maintenance Windows. Other options are incorrect because they either fail to address the database migration requirement, rely on manual update commands, or use AWS Application Discovery Service unnecessarily.