AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company operates hundreds of Amazon EC2 instances that are registered with AWS Systems Manager. Amazon Inspector is enabled to perform continuous vulnerability scanning. Security policy states that every software vulnerability with a severity of HIGH or CRITICAL must be remediated automatically as soon as it is detected. The solution must:
Patch only the affected instance, not the entire fleet.
Keep a detailed, tamper-resistant execution record for auditors.
Minimize ongoing operational overhead and follow the principle of least privilege.
Which approach satisfies these requirements?
Create an AWS Config custom rule that evaluates EC2 instances for missing patches. When the rule is NON_COMPLIANT, invoke a Lambda function that runs EC2 Run Command to install all available patches on every EC2 instance in the account.
Enable Amazon GuardDuty and configure an EventBridge rule to trigger an AWS Lambda function that stops the affected EC2 instance and replaces it with a patched AMI that is rebuilt nightly.
Create an Amazon EventBridge rule that matches Inspector findings with severity HIGH or CRITICAL and status ACTIVE. Set the target to an AWS Systems Manager Automation runbook that invokes the AWS-RunPatchBaseline document on the instance ID from the finding, and enable CloudWatch Logs for the Automation execution.
Integrate Amazon Inspector with AWS Security Hub and forward findings to an SNS topic that emails the operations team, who then run AWS-RunPatchBaseline manually on each affected instance.
The recommended solution connects Amazon Inspector findings to AWS Systems Manager Automation through Amazon EventBridge. When a HIGH or CRITICAL finding is emitted, EventBridge passes the affected instance ID to a runbook that executes AWS-RunPatchBaseline. Patch Manager installs only the missing updates on that instance, and Automation automatically records every step; the execution logs can be streamed to CloudWatch Logs for audit and troubleshooting. This design is fully managed, requires no manual triage, and scopes permissions and remediation to the single vulnerable instance.
The GuardDuty-based option addresses threat detection, not software-vulnerability remediation, and replaces rather than patches instances. The Security Hub and email workflow still depends on human action, so remediation is not automated. The AWS Config custom rule patches all instances whenever any failure is detected, violating the least-privilege requirement and creating unnecessary operational load.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
How does Amazon EventBridge integrate with AWS Systems Manager?
Open an interactive chat with Bash
What is AWS Systems Manager Automation, and how does it help in patch management?
Open an interactive chat with Bash
Why is Amazon Inspector used for vulnerability scanning in this solution?
Open an interactive chat with Bash
AWS Certified Solutions Architect Professional SAP-C02
Continuous Improvement for Existing Solutions
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access