AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial services company needs to automate patching for a large fleet of Amazon EC2 instances running both Amazon Linux 2 and Windows Server across multiple AWS accounts managed with AWS Organizations. The company's security policy requires that all patches classified as "Critical" be applied to production systems within 7 days of their release. A mandatory testing policy dictates that all patches must be deployed to a pre-production environment and validated for at least 48 hours before being applied to any production systems. The solution must be highly automated and provide auditable compliance data.
Which strategy provides the most effective and resilient way to meet these requirements using AWS Systems Manager?
Configure two custom patch baselines. For the pre-production baseline, set the auto-approval rule for Critical patches with a 1-day delay. For the production baseline, set the same rule with a 4-day delay. Use instance tags to create 'Pre-production' and 'Production' patch groups and associate each baseline with its corresponding group. Schedule patching for each group using separate Maintenance Windows.
Create a single custom patch baseline with a 7-day auto-approval delay for Critical patches. Use a single Maintenance Window that targets all instances (pre-production and production) with the AWS-RunPatchBaseline document. Rely on the delay to provide the testing window.
Use Amazon Inspector to scan all instances for vulnerabilities. Configure an Amazon EventBridge rule to trigger an AWS Lambda function for each 'Critical' finding. The function will use SSM Run Command to apply the patch to pre-production instances, wait 48 hours, and then patch the production instances.
Configure a single patch baseline to auto-approve Critical patches after 1 day. Use a Maintenance Window to patch the pre-production environment. After 48 hours of validation, manually add an approval rule for the validated patches to a separate production baseline and run a second Maintenance Window for production.