AWS SysOps Administrator Exam - Patching EC2 Instances | Exam Answer

Patching EC2 Instances with AWS Systems Manager Run Command

Question

You have just manually run the "AWS-RunPatchBaseline" command in AWS Systems Manager Run Command.

The operation has identified dozens of EC2 instances that are out of compliance.

Your manager asks you to patch these instances within 2 days.

The patching must be done in a maintenance window.

Which of the following options is the most appropriate?

Answers

Explanations


Correct Answer: C.

Option A is incorrect because the instances may be Windows servers, so users cannot SSH to them or use the "yum update" command.

Option B is incorrect because, although the "Patch now" option can update the compliance status of instances or install patches immediately, users cannot schedule a maintenance window with this option.

Option C is CORRECT because, in a patching configuration, you can specify a maintenance window and install the patches, as shown in the following console screenshot:

Option D is incorrect because the "Operation" parameter of the "AWS-RunPatchBaseline" command should be "Install" to install the patches missing from the baseline; a "Scan" operation only reports them.

Reference:

https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-remediate.html
[Screenshot: Patch Manager "Configure patching" console page]

Patching schedule
How do you want to specify a patching schedule?
(•) Select an existing Maintenance Window
( ) Schedule in a new Maintenance Window
( ) Skip scheduling and patch instances now

Maintenance Window: [Select a Maintenance Window ▾]

Patching operation
(•) Scan and install: Scans each target instance and compares its installed patches with the list of approved patches in the patch baseline. Downloads and installs all approved patches that are missing from the instance.
( ) Scan only: Scans each target instance and generates a list of missing patches for you to review.

The most appropriate option to patch the out-of-compliance EC2 instances within 2 days, in a maintenance window, is to use the "Patch now" option in AWS Patch Manager.

Option A is not the best choice because manually SSHing into each instance to run "yum update" is time-consuming, inefficient, and not scalable. Additionally, it is not ideal for ensuring consistency and tracking patching progress.

Option B is a good choice because it allows for quick patching of the instances within a maintenance window. AWS Patch Manager is a fully managed service that makes it easy to patch your instances and maintain compliance. It provides pre-built patching options and also enables you to create custom patch baselines. Using the "Patch now" option allows you to patch the instances immediately, without having to wait for the next maintenance window.

Option C is also a good choice because it enables you to create a patching configuration to install patches in a maintenance window. This allows you to schedule patching at a convenient time for your organization and ensure consistency across all instances. However, it may take more time to set up compared to using the "Patch now" option in AWS Patch Manager.

Option D is not a good choice because selecting the "Scan" operation will only identify the instances that are out of compliance, but will not actually patch them. This will not meet the requirement of patching the instances within 2 days.
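As an added example that is not part of the original page, the following Python (boto3-style) script turns the scan results into the maintenance-window setup that option C describes: it selects the instances whose last AWS-RunPatchBaseline scan left patches missing or failed, creates a maintenance window, and registers AWS-RunPatchBaseline with Operation=Install (not Scan, the point of option D) as the window task. The SSM client is assumed to be boto3.client("ssm"); StubSsm, SAMPLE_PATCH_STATES and the instance IDs are constructed placeholders.

```python
"""Schedule AWS-RunPatchBaseline (Operation=Install) in a Maintenance Window.
Added example, not from the page. Assumes a boto3 SSM client (boto3.client("ssm")) is
passed in; StubSsm and SAMPLE_PATCH_STATES are constructed so it runs offline."""


def noncompliant_instances(patch_states):
    """IDs whose last scan left patches missing or failed (describe_instance_patch_states)."""
    return sorted(s["InstanceId"] for s in patch_states
                  if s.get("MissingCount", 0) > 0 or s.get("FailedCount", 0) > 0)


def install_task_parameters(reboot="RebootIfNeeded"):
    """Run Command parameters for the task: Operation must be Install; Scan only reports."""
    return {"RunCommand": {"Parameters": {"Operation": ["Install"], "RebootOption": [reboot]}}}


def schedule_patch_window(ssm, instance_ids, service_role_arn, schedule="cron(0 2 ? * * *)"):
    """Create a window, register the instances as its targets and AWS-RunPatchBaseline as its task."""
    window_id = ssm.create_maintenance_window(
        Name="patch-noncompliant", Schedule=schedule,  # nightly at 02:00 UTC, so done within 2 days
        Duration=3, Cutoff=1, AllowUnassociatedTargets=False)["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(
        WindowId=window_id, ResourceType="INSTANCE",
        Targets=[{"Key": "InstanceIds", "Values": instance_ids}])["WindowTargetId"]
    ssm.register_task_with_maintenance_window(
        WindowId=window_id, Targets=[{"Key": "WindowTargetIds", "Values": [target_id]}],
        TaskArn="AWS-RunPatchBaseline", TaskType="RUN_COMMAND", ServiceRoleArn=service_role_arn,
        TaskInvocationParameters=install_task_parameters(),
        MaxConcurrency="25%", MaxErrors="10%", Priority=1)  # a quarter of the fleet at a time
    return window_id


class StubSsm:
    """Constructed stand-in for boto3's SSM client: records each call, returns canned IDs."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**kw):
            self.calls.append((api, kw))
            return {"WindowId": "mw-stub", "WindowTargetId": "wt-stub", "WindowTaskId": "task-stub"}
        return call


# Constructed sample of describe_instance_patch_states()["InstancePatchStates"] after a Scan.
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaa", "Operation": "Scan", "MissingCount": 7, "FailedCount": 0},
    {"InstanceId": "i-0bbb", "Operation": "Scan", "MissingCount": 0, "FailedCount": 0},
    {"InstanceId": "i-0ccc", "Operation": "Scan", "MissingCount": 0, "FailedCount": 2},
]
```

Against a real client, replace StubSsm with boto3.client("ssm") and SAMPLE_PATCH_STATES with the InstancePatchStates list returned by describe_instance_patch_states; the window's service role must be allowed to run Run Command on the targets.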