CLF-C02: Which solution automate security updates for OS and app with the LEAST operational effort

Question

A company has an environment that includes Amazon EC2 instances, Amazon Lightsail, and on-premises servers. The company wants to automate the security updates for its operating systems and applications. Which solution will meet these requirements with the LEAST operational effort?

A. Use AWS Shield to identify and manage security events.
B. Connect to each server by using a remote desktop connection. Run an update script.
C. Use the AWS Systems Manager Patch Manager capability.
D. Schedule Amazon GuardDuty to run on a nightly basis.

Answer

C. Use the AWS Systems Manager Patch Manager capability.

Explanation

The option that will meet the company’s requirements with the least operational effort is C. Use the AWS Systems Manager Patch Manager capability.

AWS Systems Manager Patch Manager is a service that helps automate the process of patching Amazon EC2 instances and on-premises servers. It allows you to automate the management of operating system and software updates across your environment, including EC2 instances, Amazon Lightsail, and on-premises servers.

By using AWS Systems Manager Patch Manager, you can define patch baselines that specify the approved patches for your environment. You can then schedule automatic patching at a convenient time, such as during maintenance windows or off-peak hours. Patch Manager will ensure that the specified patches are applied to the instances and servers in your environment.

This option requires the least operational effort because Patch Manager automates the patching process and eliminates the need for manual intervention on each server. Once the patch baselines are set up and the automatic patching schedule is configured, the process runs automatically, reducing the administrative burden.

Let’s compare this option with the other options to understand why it is the most suitable for the company’s requirements:

A. Using AWS Shield to identify and manage security events is applicable for protecting against distributed denial of service (DDoS) attacks. While it is essential for security, it does not address the automation of security updates for operating systems and applications. Therefore, it is not the most appropriate solution for the company’s requirement.

B. Connecting to each server using a remote desktop connection and running an update script manually is a time-consuming and error-prone process. It requires manual effort to log in to each server individually and execute the update script. This approach is not scalable and does not provide efficient automation, making it unsuitable for the company’s requirement.

D. Scheduling Amazon GuardDuty to run on a nightly basis is a good practice for monitoring security threats, but it does not directly address the automation of security updates. GuardDuty is a threat detection service that analyzes logs and network traffic to identify potential security issues. While it is a valuable security tool, it does not fulfill the requirement of automating security updates for operating systems and applications.

In conclusion, the most suitable option for the company to automate security updates for its operating systems and applications with the least operational effort is C. Use the AWS Systems Manager Patch Manager capability.

Reference

• AWS Systems Manager Patch Manager – AWS Systems Manager (amazon.com)
• How patches are installed – AWS Systems Manager (amazon.com)
• AWS Systems ManagerPatch Manager tutorials – AWS Systems Manager (amazon.com)

Amazon AWS Certified Cloud Practitioner certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Cloud Practitioner exam and earn Amazon AWS Certified Cloud Practitioner certification.