AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
A company uses Amazon Inspector to continuously scan its Amazon EC2 instances for software vulnerabilities. The security team must ensure that any critical Inspector finding automatically triggers operating-system patching on the affected instance without manual intervention. Which approach will meet this requirement while following AWS best practices?
Create an Amazon EventBridge rule that matches Inspector findings with severityLabel set to CRITICAL and targets the AWS Systems Manager Automation runbook AWS-RunPatchBaseline to patch the impacted instance.
Create an AWS Config managed rule that evaluates EC2 patch compliance and sets an automatic remediation action to install missing patches whenever Inspector reports a critical vulnerability.
Define a Systems Manager Patch Manager maintenance window that runs daily and enable Inspector scans on the same schedule, relying on the maintenance window to patch any instances with new critical findings.
Configure Amazon Inspector to publish findings to an SNS topic, then subscribe each EC2 instance to the topic so the instance runs yum update or apt-get upgrade when it receives a notification.
Amazon Inspector publishes every finding to Amazon EventBridge. Creating an EventBridge rule that filters for findings where severityLabel equals CRITICAL allows the company to respond only to the most severe issues. The rule can invoke an AWS Systems Manager Automation runbook such as AWS-RunPatchBaseline, which applies the latest approved patches by using Patch Manager on the targeted instance. This provides an automated, scalable remediation path.
The other options do not meet the requirement:
Sending findings to SNS and relying on a Lambda function or the instance itself as the subscriber provides no direct, managed patching workflow and adds unnecessary components.
AWS Config rules cannot directly consume Inspector findings for patch remediation without custom aggregation logic.
Scheduling a maintenance window alone will not act on new critical findings immediately, and Inspector does not automatically trigger Patch Manager through maintenance windows.
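Before deploying the rule from the correct answer, it is worth checking that the event pattern really selects only critical EC2 findings. The following added example (not from the original question or from AWS) builds that pattern, runs a minimal EventBridge-style matcher over constructed sample findings, and derives the runbook input an input transformer would hand to the target. It assumes the Inspector v2 event shape (source `aws.inspector2`, detail-type `Inspector2 Finding`, severity under `detail.severity`, resources under `detail.resources`); adjust the field names if your findings carry severity under a different key.

```python
# EventBridge event pattern for critical Amazon Inspector findings on EC2
# instances. Assumes the Inspector v2 event shape: source "aws.inspector2",
# detail-type "Inspector2 Finding", severity under detail.severity.
INSPECTOR_CRITICAL_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["CRITICAL"],
        "resources": {"type": ["AWS_EC2_INSTANCE"]},
    },
}


def matches(pattern, event):
    """Minimal EventBridge-style matcher: every pattern key must be present in
    the event; a list means 'value is one of these'; a dict recurses. When the
    event side is an array (e.g. detail.resources), any element may satisfy it."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        candidates = event[key] if isinstance(event[key], list) else [event[key]]
        if isinstance(expected, list):
            if not any(c in expected for c in candidates):
                return False
        elif not any(isinstance(c, dict) and matches(expected, c) for c in candidates):
            return False
    return True


def patch_target_input(event):
    """Derive the runbook input an input transformer would pass to the target:
    the EC2 instance IDs named in the finding's resources."""
    ids = [r["id"] for r in event["detail"]["resources"]
           if r.get("type") == "AWS_EC2_INSTANCE"]
    return {"InstanceIds": ids}


def _finding(severity, instance_id):
    # Constructed sample event; not a real Inspector finding.
    return {
        "source": "aws.inspector2",
        "detail-type": "Inspector2 Finding",
        "detail": {
            "severity": severity,
            "resources": [{"type": "AWS_EC2_INSTANCE", "id": instance_id}],
        },
    }


CRITICAL_FINDING = _finding("CRITICAL", "i-0123456789abcdef0")
HIGH_FINDING = _finding("HIGH", "i-0fedcba9876543210")
```

Only the CRITICAL sample passes the filter, which is exactly the behaviour the rule must show before it is allowed to start patching instances on its own.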
AWS Certified CloudOps Engineer Associate SOA-C03
Security and Compliance