AWS Certified SysOps Administrator – Associate — Question 416

A SysOps administrator is using AWS Systems Manager Patch Manager to patch a fleet of Amazon EC2 instances. The SysOps administrator has configured a patch baseline and a maintenance window. The SysOps administrator also has used an instance tag to identify which instances to patch.
The SysOps administrator must give Systems Manager the ability to access the EC2 instances.
Which additional action must the SysOps administrator perform to meet this requirement?

Answer options

• A. Add an inbound rule to the instances' security group.
• B. Attach an IAM instance profile with access to Systems Manager to the instances.
• C. Create a Systems Manager activation. Then activate the fleet of instances.
• D. Manually specify the instances to patch instead of using tag-based selection.

Correct answer: B

Explanation

To allow Systems Manager to interact with EC2 instances, the instances must be granted the appropriate AWS Identity and Access Management (IAM) permissions via an IAM instance profile (typically using the AmazonSSMManagedInstanceCore policy). Inbound security group rules are unnecessary because the SSM Agent establishes an outbound connection to the Systems Manager service. Systems Manager activations are designed for on-premises or hybrid servers, and changing the target selection method from tags to manual does not resolve the underlying permission requirement.