ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A company runs its public-facing web application on an Auto Scaling group of Amazon Linux 2 EC2 instances behind an Application Load Balancer. The security team requires that critical OS security patches reach all web-tier instances within 48 hours of AWS release. Operations wants minimal downtime and administration. Which approach best fulfills these needs?
Enable Amazon Inspector Classic assessments and turn on automatic remediation so that findings trigger patch installation on the affected instances.
Rely on Amazon EC2 Auto Recovery to restart failed instances from the existing AMI, ensuring the fleet remains healthy without additional patching processes.
Configure AWS Systems Manager Patch Manager with a security-only patch baseline, tag the Auto Scaling instances with PatchGroup=WebTier, and schedule a maintenance window to apply patches within 48 hours of release.
Create a weekly AWS Lambda function that uses SSH to run yum update and reboot each EC2 instance immediately after the command completes.
AWS Systems Manager Patch Manager integrates with the SSM agent that is pre-installed on Amazon Linux 2 AMIs. By defining a patch baseline that includes only critical and security updates and associating the web-tier instances through tags such as PatchGroup=WebTier, administrators can schedule an automated maintenance window that applies patches within any required timeframe (for example, within 48 hours). Patch Manager handles downloading, installing, and, if configured, rebooting instances in a phased manner, which minimizes service disruption and removes the need for custom scripting.
Running a periodic Lambda function that connects over SSH increases operational overhead, does not scale well with Auto Scaling, and complicates credential management. Amazon Inspector identifies vulnerabilities but does not perform patch installation, so it cannot by itself meet the 48-hour remediation objective. EC2 Auto Recovery restarts the same instance on new hardware after failure; it does not rebuild instances with updated software, leaving them unpatched. Therefore, leveraging Systems Manager Patch Manager with maintenance windows is the most effective solution.
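The following is an added example (not part of the original question or any AWS documentation) showing how the correct option is expressed against the boto3 SSM API: a security-only patch baseline for Amazon Linux 2, registration of that baseline for the `WebTier` patch group, and a daily maintenance window that runs `AWS-RunPatchBaseline` in phases. The request-builder functions are pure, so the SLA check runs offline; only `apply()` needs credentials and boto3. The resource names, the cron schedule, the 25%/10% concurrency settings and the worst-case-latency model are assumptions chosen to illustrate the 48-hour requirement.

```python
# Added example: security-only Patch Manager baseline + daily maintenance window
# sized so that a Critical/Important patch is installed within 48 hours of release.

PATCH_GROUP = "WebTier"   # value of the PatchGroup tag on the Auto Scaling instances
SLA_HOURS = 48            # security team's requirement from the question


def security_only_baseline(name="WebTierSecurityOnly"):
    """Parameters for ssm.create_patch_baseline(**...). Only Security-class
    patches of Critical/Important severity are approved, with no aging delay."""
    return {
        "Name": name,                                   # assumed name
        "OperatingSystem": "AMAZON_LINUX_2",
        "Description": "Security-only baseline for the web tier",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ApproveAfterDays": 0,        # approve as soon as AWS publishes it
            "ComplianceLevel": "CRITICAL",
            "EnableNonSecurity": False,   # keep feature/bug-fix updates out
        }]},
    }


def nightly_window(name="web-tier-nightly-patch"):
    """Parameters for ssm.create_maintenance_window: every day at 02:00 UTC,
    a 2-hour window, no new tasks started during the final hour."""
    return {
        "Name": name,                         # assumed name
        "Schedule": "cron(0 2 ? * * *)",      # assumed schedule (daily)
        "ScheduleTimezone": "UTC",
        "Duration": 2,
        "Cutoff": 1,
        "AllowUnassociatedTargets": False,
    }


def patch_task(window_id, window_target_id):
    """Parameters for ssm.register_task_with_maintenance_window. Patching 25%
    of the fleet at a time keeps healthy targets behind the ALB; the task stops
    if more than 10% of instances fail."""
    return {
        "WindowId": window_id,
        "TaskType": "RUN_COMMAND",
        "TaskArn": "AWS-RunPatchBaseline",
        "Targets": [{"Key": "WindowTargetIds", "Values": [window_target_id]}],
        "TaskInvocationParameters": {"RunCommand": {"Parameters": {
            "Operation": ["Install"],
            "RebootOption": ["RebootIfNeeded"],
        }}},
        "MaxConcurrency": "25%",
        "MaxErrors": "10%",
        "Priority": 1,
    }


def worst_case_hours(approve_after_days, window_period_hours, window_duration_hours):
    """Longest possible gap between vendor release and installation: the patch
    must age past the approval delay, then wait for the next window to open,
    then the window itself must run to completion (simplified model)."""
    return approve_after_days * 24 + window_period_hours + window_duration_hours


def meets_sla(baseline, window, window_period_hours, sla_hours=SLA_HOURS):
    """True if the baseline/window combination can satisfy the patch SLA."""
    rule = baseline["ApprovalRules"]["PatchRules"][0]
    worst = worst_case_hours(rule["ApproveAfterDays"], window_period_hours, window["Duration"])
    return worst <= sla_hours


def apply(ssm):
    """Create the resources with a boto3 SSM client (requires AWS credentials)."""
    baseline_id = ssm.create_patch_baseline(**security_only_baseline())["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=PATCH_GROUP)
    window_id = ssm.create_maintenance_window(**nightly_window())["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(
        WindowId=window_id, ResourceType="INSTANCE",
        Targets=[{"Key": "tag:PatchGroup", "Values": [PATCH_GROUP]}],
    )["WindowTargetId"]
    ssm.register_task_with_maintenance_window(**patch_task(window_id, target_id))
    return baseline_id, window_id


if __name__ == "__main__":
    import boto3
    print(apply(boto3.client("ssm")))
```

With a daily window and `ApproveAfterDays` of 0 the worst case is 24 + 2 = 26 hours, inside the 48-hour requirement; the same baseline behind a weekly window would not meet it, which `meets_sla` reports. New instances launched by the Auto Scaling group pick up the schedule automatically as long as the launch template applies the `PatchGroup` tag and the instance profile allows the SSM agent to register.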
SSCP domain: Systems and Application Security