Question #1348
A security audit identifies that EC2 instances are missing critical operating system updates. A solutions architect must design a solution to automate vulnerability assessments and apply necessary patches across hundreds of EC2 instances. The solution must also generate compliance reports detailing each instance’s patch status. Which approach fulfills these requirements?
A. Configure Amazon Macie to perform vulnerability scans on EC2 instances. Use AWS Lambda to trigger patching via SSM documents on a recurring schedule.
B. Enable Amazon GuardDuty to detect vulnerabilities in EC2 instances. Schedule patching operations using AWS Systems Manager Maintenance Windows.
C. Implement Amazon Detective to identify vulnerabilities. Create an Amazon EventBridge rule to execute AWS Systems Manager Run Command for patching.
D. Enable Amazon Inspector to conduct vulnerability assessments. Utilize AWS Systems Manager Patch Manager to automate patching and generate compliance reports.
Explanation
Answer D is correct because:
1. Amazon Inspector is specifically designed for automated vulnerability assessments on EC2 instances, identifying missing OS updates.
2. AWS Systems Manager Patch Manager automates patch deployment across EC2 instances and provides detailed compliance reports, meeting the audit and reporting requirements.
Other options are incorrect because:
- A: Amazon Macie focuses on data security and sensitive data discovery, not OS vulnerability scans.
- B: Amazon GuardDuty detects threats like malicious activity but does not handle OS patch management or compliance reporting.
- C: Amazon Detective analyzes security events but does not perform vulnerability assessments or patch automation.
Key Points: Use Amazon Inspector for vulnerability scanning and Patch Manager for automated patching/compliance reporting. Avoid conflating security services with unrelated purposes (e.g., Macie/GuardDuty/Detective).
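As an added example (not part of the original question and not AWS code), the Python below turns Patch Manager's per-instance patch state into the kind of compliance report the scenario asks for. The instance IDs, patch groups and counts are constructed sample data shaped like the output of `aws ssm describe-instance-patch-states`; treating installed-pending-reboot patches as their own follow-up bucket is this example's assumption, not Patch Manager's own compliance rule.

```python
from dataclasses import dataclass

# Constructed sample mirroring `aws ssm describe-instance-patch-states` output
# (instance IDs, patch groups and counts are made up for this example).
SAMPLE_PATCH_STATES = {"InstancePatchStates": [
    {"InstanceId": "i-0aaa111", "PatchGroup": "prod-web", "Operation": "Scan",
     "InstalledCount": 42, "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0bbb222", "PatchGroup": "prod-web", "Operation": "Scan",
     "InstalledCount": 40, "MissingCount": 3, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0ccc333", "PatchGroup": "prod-db", "Operation": "Install",
     "InstalledCount": 41, "MissingCount": 0, "FailedCount": 1, "InstalledPendingRebootCount": 2},
]}

@dataclass
class InstanceCompliance:
    instance_id: str
    patch_group: str
    status: str   # COMPLIANT | NON_COMPLIANT | PENDING_REBOOT
    reason: str

def classify(state: dict) -> InstanceCompliance:
    """Turn one patch state into a verdict. Missing or failed patches mean the
    instance is not at its baseline; installed-but-unrebooted patches are not yet
    effective, so this example (an assumption) reports them separately for follow-up."""
    missing = state.get("MissingCount", 0)
    failed = state.get("FailedCount", 0)
    pending = state.get("InstalledPendingRebootCount", 0)
    if missing or failed:
        status, reason = "NON_COMPLIANT", f"{missing} missing, {failed} failed"
    elif pending:
        status, reason = "PENDING_REBOOT", f"{pending} installed, awaiting reboot"
    else:
        status, reason = "COMPLIANT", "all approved patches installed"
    return InstanceCompliance(state["InstanceId"], state.get("PatchGroup", ""), status, reason)

def compliance_report(payload: dict) -> dict:
    """Count verdicts per patch group and list every instance that needs action."""
    verdicts = [classify(s) for s in payload["InstancePatchStates"]]
    by_group: dict = {}
    for v in verdicts:
        grp = by_group.setdefault(v.patch_group, {})
        grp[v.status] = grp.get(v.status, 0) + 1
    return {"by_group": by_group, "needs_action": [v for v in verdicts if v.status != "COMPLIANT"]}

if __name__ == "__main__":
    report = compliance_report(SAMPLE_PATCH_STATES)
    print(report["by_group"])
    for v in report["needs_action"]:
        print(f"{v.instance_id}: {v.status} ({v.reason})")
```

In a live account the same functions can be fed the JSON from the CLI call named above, and the non-compliant list is the input for the next Patch Manager install run.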
Answer
The correct answer is: D