Security Patch Management for EC2 Instances and On-Premises Servers: Best Practices and Solutions

Identifying and Remediating Missing Security Patches on EC2 Instances and On-Premises Servers

Question

A security team must present a daily briefing to the CISO that includes a report of which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches.

All instances/servers must be brought into compliance within 24 hours so they do not show up on the next day's report.

How can the security team fulfill these requirements?

Explanations

Answer is B.

Option A is incorrect because AWS CloudTrail records API calls made against AWS services; it has no visibility into the operating-system packages installed on a server and cannot report which instances are missing patches.

Option B is CORRECT because Systems Manager Patch Manager both reports which managed nodes are out of patch compliance and installs the missing patches on them, for EC2 instances and on-premises servers alike.

Option C is incorrect because re-deploying from the latest AMIs disrupts the applications and state on the existing instances, and it does nothing for the on-premises servers, which are not launched from AMIs at all.

Option D is incorrect because AWS Trusted Advisor checks cost, performance, fault-tolerance, service-limit and a fixed set of security best-practice items; it does not inspect installed patches or report non-compliant instances.

The AWS Documentation for Systems Manager provides the following key information:

AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates.

For Linux-based instances, you can also install patches for non-security updates.

You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type.

This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux.

You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.

For more information on AWS Systems Manager Patch Manager, see the URL below:

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html

The correct answer to the question is B: use Systems Manager Patch Manager to generate the report of out-of-compliance instances/servers, and use Systems Manager Patch Manager to install the missing patches.

Explanation: To present a daily briefing to the CISO that shows which of the company's thousands of EC2 instances and on-premises servers are missing the latest security patches, the security team needs a single tool that tracks and reports patch compliance across every server, in the cloud and on premises.

AWS Systems Manager Patch Manager is that tool. It automates patching so servers stay current with security updates, and it works on any machine running SSM Agent: on-premises servers and VMs are registered as managed nodes through a Systems Manager hybrid activation, so they appear alongside the EC2 fleet. The team defines a patch baseline (which patch classifications and severities must be installed, and how many days after release they are auto-approved), and Patch Manager records each node's compliance against that baseline.

To produce the report, the team runs the AWS-RunPatchBaseline document with the Scan operation across all managed nodes, on a schedule that finishes before the briefing. The scan writes per-node results to Systems Manager Compliance, which shows which nodes are missing patches, which patches are missing and at what severity, and which nodes are already compliant. That compliance view, or an export of it, is the daily report for the CISO. Compliance data is only as current as the last scan, so the scan has to run every day, not once.

Once the non-compliant nodes are identified, the team runs the same document with the Install operation to apply the missing patches. Patch Manager offers several ways to do this: run it in a maintenance window during an approved change period, target individual nodes, or target patch groups defined by tags or other attributes. Installs may need a reboot, so RebootOption, MaxConcurrency and MaxErrors should be set so that the whole fleet is not restarting at the same time.

With Patch Manager, the security team can produce the daily report of EC2 instances and on-premises servers missing security patches, and bring every node into compliance within 24 hours so it does not appear on the next day's report.
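The scan, report and install steps described above, as an added example in Python with boto3 (this is not code from the page or from AWS). It assumes that SSM Agent runs on every EC2 instance and on-premises server, that on-premises machines were registered through a hybrid activation (so their managed node IDs begin with "mi-"), and that a daily AWS-RunPatchBaseline scan already populates the Compliance API. The report logic works on plain dicts shaped like the ListResourceComplianceSummaries response, so it runs offline on the constructed sample; the names `build_report`, `remediation_commands` and `SAMPLE_SUMMARIES` are this example's own.

```python
"""Daily Patch Manager compliance report plus remediation of the non-compliant nodes.

Added example, not code from the page or from AWS. Assumptions: SSM Agent on every
node, on-premises servers registered via hybrid activation (IDs start with "mi-"),
AWS-RunPatchBaseline Operation=Scan already running daily, and boto3 credentials
and region taken from the environment when run with --live.
"""
from collections import Counter

# Only the "Patch" compliance type; the same API also holds Association and custom types.
PATCH_FILTER = [{"Key": "ComplianceType", "Values": ["Patch"], "Type": "EQUAL"}]

# Report sort order: worst severity first.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4, "UNSPECIFIED": 5}

# Constructed sample shaped like ListResourceComplianceSummaries items (not real data).
SAMPLE_SUMMARIES = [
    {"ResourceType": "ManagedInstance", "ResourceId": "i-0abc1234567890def",
     "Status": "COMPLIANT", "OverallSeverity": "UNSPECIFIED",
     "NonCompliantSummary": {"NonCompliantCount": 0}},
    {"ResourceType": "ManagedInstance", "ResourceId": "i-0fed0987654321cba",
     "Status": "NON_COMPLIANT", "OverallSeverity": "HIGH",
     "NonCompliantSummary": {"NonCompliantCount": 3,
                             "SeveritySummary": {"CriticalCount": 0, "HighCount": 2, "MediumCount": 1}}},
    {"ResourceType": "ManagedInstance", "ResourceId": "mi-0123456789abcdef0",
     "Status": "NON_COMPLIANT", "OverallSeverity": "CRITICAL",
     "NonCompliantSummary": {"NonCompliantCount": 7,
                             "SeveritySummary": {"CriticalCount": 1, "HighCount": 4, "MediumCount": 2}}},
]


def fetch_summaries(ssm):
    """Pull every Patch compliance summary; `ssm` is a boto3 SSM client, the API is paginated."""
    items = []
    for page in ssm.get_paginator("list_resource_compliance_summaries").paginate(Filters=PATCH_FILTER):
        items.extend(page["ResourceComplianceSummaryItems"])
    return items


def build_report(summaries):
    """Return (non_compliant_rows, status_totals) for the briefing, rows sorted worst first.

    Location is inferred from the ID prefix: hybrid-activated nodes are "mi-", EC2 is "i-".
    """
    rows, totals = [], Counter()
    for item in summaries:
        totals[item["Status"]] += 1
        if item["Status"] != "NON_COMPLIANT":
            continue
        nc = item.get("NonCompliantSummary", {})
        sev = nc.get("SeveritySummary", {})
        rows.append({
            "node_id": item["ResourceId"],
            "location": "on-premises" if item["ResourceId"].startswith("mi-") else "ec2",
            "missing": nc.get("NonCompliantCount", 0),
            "critical": sev.get("CriticalCount", 0),
            "high": sev.get("HighCount", 0),
            "worst_severity": item.get("OverallSeverity", "UNSPECIFIED"),
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["worst_severity"], 9), -r["missing"], r["node_id"]))
    return rows, dict(totals)


def format_report(rows, totals):
    """Render the report as plain text, one line per non-compliant node."""
    lines = [f"Patch compliance: {totals.get('COMPLIANT', 0)} compliant, "
             f"{totals.get('NON_COMPLIANT', 0)} non-compliant"]
    for r in rows:
        lines.append(f"{r['node_id']:<22} {r['location']:<12} missing={r['missing']:<3} "
                     f"critical={r['critical']} high={r['high']} worst={r['worst_severity']}")
    return "\n".join(lines)


def remediation_commands(node_ids, chunk=50):
    """Build SendCommand keyword arguments that install the missing patches.

    AWS-RunPatchBaseline with Operation=Install, only on the named nodes, in chunks
    of at most 50 IDs (the SendCommand InstanceIds limit). MaxConcurrency/MaxErrors
    stop a bad patch rolling across the whole fleet at once; RebootIfNeeded lets
    kernel and Windows patches complete so the node is compliant at the next scan.
    """
    return [{
        "DocumentName": "AWS-RunPatchBaseline",
        "InstanceIds": list(node_ids[i:i + chunk]),
        "Parameters": {"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]},
        "MaxConcurrency": "10%",
        "MaxErrors": "5%",
        "TimeoutSeconds": 3600,
    } for i in range(0, len(node_ids), chunk)]


def remediate(ssm, node_ids):
    """Send the install commands; return the command IDs so completion can be checked."""
    return [ssm.send_command(**kw)["Command"]["CommandId"] for kw in remediation_commands(node_ids)]


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv          # without --live, run on the constructed sample
    if live:
        import boto3
        ssm = boto3.client("ssm")
        summaries = fetch_summaries(ssm)
    else:
        summaries = SAMPLE_SUMMARIES
    rows, totals = build_report(summaries)
    print(format_report(rows, totals))
    if live and rows:
        print("Install commands started:", remediate(ssm, [r["node_id"] for r in rows]))
```

Run it without arguments to see the report built from the sample; with `--live` it reads the real compliance data and sends the install commands for every non-compliant node. Targeting only the nodes the report lists, rather than the whole fleet, keeps the remediation scoped to what will otherwise reappear on tomorrow's report; the compliance view still has to be refreshed by the daily scan after the installs finish.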