AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct approach is to use a combination of AWS Systems Manager State Manager and Patch Manager. State Manager is specifically designed to maintain a consistent configuration state, making it ideal for enforcing CIS benchmarks and automatically remediating configuration drift. Patch Manager is the dedicated feature for automating the application of security patches according to defined baselines and schedules. Both services report their status to AWS Systems Manager Compliance, which provides a unified view for auditing. This integrated solution works for both EC2 and on-premises servers, does not require open inbound ports, and scales to manage a large fleet effectively.

Using AWS Systems Manager Run Command is less effective because it is designed for ad-hoc or one-time command execution, not for continuously enforcing a desired state. While it could apply settings, it would not automatically detect and remediate configuration drift like State Manager does.

Using AWS Config with Lambda functions is a plausible but less direct approach. AWS Config is primarily a detective control used for auditing and recording configuration changes. While it can trigger remediation actions (often using SSM Automation), the primary tools for applying and managing the state and patches are State Manager and Patch Manager, not Config itself.

Using AWS CloudFormation StackSets with an external tool like Ansible creates unnecessary complexity. CloudFormation is best suited for initial resource provisioning, not ongoing configuration management of a running fleet. Integrating a separate tool like Ansible adds management overhead when Systems Manager provides a fully native and integrated solution for the entire task.