AWS Certified SysOps Administrator – Associate (legacy) — Question 503
A security researcher has published a new Common Vulnerabilities and Exposures (CVE) report that impacts a popular operating system. A SysOps Administrator is concerned about the new CVE report and wants to patch the company's systems immediately. The administrator contacts AWS Support and requests that the patch be applied to all Amazon EC2 instances.
How will AWS respond to this request?
Answer options
- A. AWS will apply the patch during the next maintenance window, and will provide the Administrator with a report of all patched EC2 instances.
- B. AWS will relaunch the EC2 instances with the latest version of the Amazon Machine Image (AMI), and will provide the Administrator with a report of all patched EC2 instances.
- C. AWS will research the vulnerability to see if the Administrator's operating system is impacted, and will patch the EC2 instances that are affected.
- D. AWS will review the shared responsibility model with the Administrator and advise them regarding how to patch the EC2 instances.
Correct answer: D
Explanation
Under the AWS Shared Responsibility Model, AWS is responsible for the security 'of' the cloud, while the customer is responsible for security 'in' the cloud, which includes maintaining and patching the guest operating system on Amazon EC2 instances. Therefore, AWS Support will not access or patch the customer's EC2 instances directly and will instead direct the administrator to perform the patching themselves, potentially using AWS Systems Manager Patch Manager. Options A, B, and C are incorrect because they violate this boundary of responsibility by suggesting AWS manages guest OS patching for EC2.