AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A finance company operates 1,500 Linux and Windows production EC2 instances that span ten AWS accounts and multiple Regions in the same AWS Organizations structure. Corporate security policy mandates that any operating-system patch classified as security-critical must be installed on production servers within 48 hours of vendor release. Auditors also require a single, centrally accessible report that shows the patch-compliance status of all instances across every account. The cloud-operations team wants the solution to enforce the patching standard automatically, avoid custom code, and add as little administrative overhead as possible.
Which approach meets these requirements?
Create a weekly EC2 Image Builder pipeline that produces patched golden AMIs, use AWS CodeDeploy blue/green deployments to replace Auto Scaling groups in each account, and rely on an AWS Config aggregator to demonstrate patch compliance.
In every account tag production instances with PatchGroup=Prod, create a Systems Manager maintenance window that runs the AWS-RunPatchBaseline document, export each account's CSV compliance report to an S3 bucket, and manually merge the reports with Amazon Athena for auditors.
Enable Amazon Inspector across all accounts to detect critical vulnerabilities, trigger an EventBridge rule that invokes a Lambda function to run Run Command and install patches, and use AWS Security Hub to aggregate findings for compliance reporting.
Configure an AWS Systems Manager Quick Setup patch policy in a delegated administrator account for AWS Organizations. Create a custom patch baseline that auto-approves security and critical patches with no delay, set the install schedule so patches are applied within 48 hours, and enable Systems Manager Explorer with a resource data sync that sends compliance data from all member accounts to a centralized Amazon S3 bucket.