ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your team manages a fleet of Linux web servers running in an IaaS cloud auto-scaling group that can add and remove instances at any time. A critical kernel vulnerability has been announced. To keep the fleet compliant with corporate baseline requirements while avoiding service downtime, which patch-management strategy should you implement first?
Create a new hardened machine image that contains the kernel patch and perform a rolling replacement of all instances in the auto-scaling group.
Rely on the cloud provider's host-level patching; no action is needed because the underlying hypervisor will be updated automatically.
Open an emergency maintenance window, SSH to every running instance, run the package manager to install the patch, and then reboot each server in sequence.
Temporarily raise the auto-scaling group's maximum size, run a remote patching script on the original instances, and then scale back down when finished.
In an elastic IaaS environment the preferred way to apply operating-system patches is to follow an immutable infrastructure pattern:
1. Build a new golden image (for example, a new AMI in AWS or a managed image in Azure) that already includes the approved kernel patch.
2. Use the auto-scaling or deployment service to perform a rolling replacement, gradually launching the new, patched instances and terminating the old ones.

This method keeps every instance at a known, validated state, supports automated compliance scanning before release, and eliminates the risk and downtime associated with in-place patching. Connecting to each live instance to run package updates, or running scripts against the instances, treats servers as pets instead of cattle; it increases operational effort and leaves room for configuration drift. Simply enabling IDS does not remediate the vulnerability, and temporarily increasing capacity while patching in place still exposes customers to risk during the process.
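The rolling replacement described above can be modelled offline. The following is an added example, not part of the original question or any provider's API: the image names, instance IDs, `batch_size` and the `is_healthy` check are all constructed assumptions. It launches patched instances before terminating the ones they replace and halts if a new instance fails its health check.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Instance:
    instance_id: str
    image_id: str


def non_compliant(fleet, patched_image):
    """Return IDs of instances not built from the approved golden image."""
    return [i.instance_id for i in fleet if i.image_id != patched_image]


def rolling_replace(fleet, patched_image, batch_size=2, is_healthy=lambda inst: True):
    """Launch patched instances first, then terminate the stale ones they replace.

    Returns (fleet, min_in_service, completed). If a new instance fails its
    health check the failed batch is discarded and the rollout halts, leaving
    the remaining old instances in service.
    """
    fleet = list(fleet)
    stale = [i for i in fleet if i.image_id != patched_image]
    min_in_service = len(fleet)
    ids = count(1)
    while stale:
        batch, stale = stale[:batch_size], stale[batch_size:]
        new = [Instance(f"i-new-{next(ids):03d}", patched_image) for _ in batch]
        if not all(is_healthy(n) for n in new):
            return fleet, min_in_service, False
        fleet.extend(new)                             # capacity briefly above desired
        fleet = [i for i in fleet if i not in batch]  # terminate replaced instances
        min_in_service = min(min_in_service, len(fleet))
    return fleet, min_in_service, True


# Constructed sample fleet: five instances on the unpatched baseline image.
OLD, NEW = "img-baseline-v1", "img-baseline-v2-kernelfix"
FLEET = [Instance(f"i-old-{n:03d}", OLD) for n in range(1, 6)]

if __name__ == "__main__":
    fleet, floor, done = rolling_replace(FLEET, NEW)
    print("completed:", done, "lowest in-service count:", floor)
    print("non-compliant after rollout:", non_compliant(fleet, NEW))
```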
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Security Operations