A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches.
All instances/servers must be brought into compliance within 24 hours.
So they do not show up on the next day's report.
How can the security team fulfill these requirements?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: B.
Option A is incorrect because AWS CloudTrail is used to monitor API calls and does not generate reports for non-compliant servers.
Option B is CORRECT because AWS Systems Manager Patch Manager can be used to generate the patch reports and install the missing patches.
Option C is incorrect because deploying the latest AMIs will affect the applications and systems running on these systems.
Option D is incorrect because AWS Trusted Advisor cannot be used to generate reports for non-compliant servers.
AWS Documentation mentions the following.
AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates.
For Linux-based instances, you can also install patches for non-security updates.
You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type.
You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.
For more information on the AWS Patch Manager, please visit the below URL:
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html.The correct answer to this question is option B. The security team can use AWS Systems Manager Patch Manager to generate a report of out-of-compliance instances and servers and use the same tool to install the missing security patches.
AWS Systems Manager is a management service that helps in automating the operational tasks of EC2 instances and on-premises servers. It simplifies the process of patching, managing, and automating operational tasks at scale.
Patch Manager, a feature of AWS Systems Manager, helps in automating the process of patching Windows and Linux instances in a network. It simplifies the process of patching, managing, and automating operational tasks at scale.
Here are the reasons why Option B is the correct answer:
A. Amazon QuickSight is a business analytics service that helps in creating visualizations, performing ad-hoc analysis, and generating reports. While it is possible to use QuickSight and CloudTrail to generate a report of out-of-compliance instances and servers, it does not provide a way to install the missing security patches. Additionally, redeploying instances using an AMI with the latest patches is a time-consuming process that can take more than 24 hours.
B. Systems Manager Patch Manager is the best tool for generating the report of out-of-compliance instances and servers, as well as installing the missing patches. It provides an easy and automated way to patch instances and servers, and also includes a dashboard to view patch compliance across the fleet.
C. While it is possible to redeploy instances using an AMI with the latest patches, it is a time-consuming process that can take more than 24 hours. Additionally, it does not provide a way to verify that all instances are patched and up to date.
D. Trusted Advisor is a service that provides real-time guidance to help optimize AWS resources, improve security and performance, and reduce costs. While it can help in generating a report of out-of-compliance instances and servers, it does not provide a way to install the missing patches.
In conclusion, option B is the correct answer as it provides an easy and automated way to generate the report of out-of-compliance instances and servers and install the missing patches using AWS Systems Manager Patch Manager.