Mitigating Known Vulnerability in Amazon EC2 Fleet | SysOps Administrator's Guide

Best Approach to Mitigate Known Vulnerability in Amazon EC2 Fleet

Question

During a security audit, a known vulnerability was discovered in the guest OS of the organization's large Amazon EC2 fleet.

A SysOps Administrator must ensure that this vulnerability is mitigated on time. What is the MOST efficient way for the Administrator to accomplish this task?

Answers

Explanations



Correct Answer: B.

The AWS Documentation mentions the following.

AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates.

For Linux-based instances, you can also install patches for non-security updates.

You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type.

This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), Amazon Linux, and Amazon Linux 2.

You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.

Options A and D are incorrect since, under the AWS shared responsibility model, patching the guest operating system of EC2 instances is the responsibility of the customer, not of AWS.

Option C is incorrect since the start and stop action will not cause automatic patching.

For more information on Systems Manager Patch Manager, please visit the following URL:

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html

The MOST efficient way for the SysOps Administrator to mitigate the known vulnerability in the guest OS of the organization's large Amazon EC2 fleet is to deploy the security patch by using AWS Systems Manager for the entire fleet of EC2 instances.

AWS Systems Manager is a management service that helps to automate administrative tasks across EC2 instances, on-premises servers, and hybrid environments. It provides a centralized view of instance configuration, compliance, and security status, and enables automated patching and updates to instances.

Deploying the security patch using AWS Systems Manager ensures that all EC2 instances are updated with the latest security patches, thus reducing the risk of the vulnerability being exploited. It also saves time and effort compared to manually patching each EC2 instance individually.
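The following is an added example (not part of the original page, and not AWS's own code) of how an administrator would drive Patch Manager from code for the scan-then-install workflow the documentation excerpt describes, and then check which instances are actually mitigated. It assumes the standard `AWS-RunPatchBaseline` document with its `Operation` (`Scan`/`Install`) and `RebootOption` parameters, the keyword shape of boto3's `ssm.send_command()`, and the count fields returned by `DescribeInstancePatchStates`. The fleet list and patch-state records are constructed sample data so the module runs offline; with a real boto3 client the same functions send the command to the tagged fleet.

```python
"""Fleet-wide guest OS patching with AWS Systems Manager Patch Manager.

Added example: builds the Run Command request for AWS-RunPatchBaseline
(scan-only or install), targeted by tag so one command covers the whole
fleet, then triages patch-state records into the buckets an operator
acts on. Field names follow ssm:DescribeInstancePatchStates; the sample
data below is constructed (hypothetical instance IDs), not real output.
"""
from typing import Optional

PATCH_DOCUMENT = "AWS-RunPatchBaseline"


def build_patch_command(tag_key: str, tag_value: str, install: bool,
                        reboot: str = "RebootIfNeeded",
                        max_concurrency: str = "10%",
                        max_errors: str = "5%") -> dict:
    """Return the keyword arguments for ssm.send_command().

    install=False runs a scan-only pass that reports missing patches without
    changing anything; install=True installs every missing patch approved by
    the instance's patch baseline. The concurrency/error ceilings stop a bad
    patch from taking down the entire fleet in one wave.
    """
    if reboot not in ("RebootIfNeeded", "NoReboot"):
        raise ValueError("reboot must be RebootIfNeeded or NoReboot")
    return {
        "DocumentName": PATCH_DOCUMENT,
        # Tag targets use the "tag:<Key>" form; one target covers the fleet.
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        # Run Command parameters are lists of strings.
        "Parameters": {
            "Operation": ["Install" if install else "Scan"],
            "RebootOption": [reboot],
        },
        "MaxConcurrency": max_concurrency,
        "MaxErrors": max_errors,
        "Comment": "Fleet-wide guest OS patching for audit finding",
    }


def run_patch_command(client, **kwargs) -> Optional[str]:
    """Send the command with a boto3 SSM client and return its CommandId.
    With client=None (offline use) nothing is sent and None is returned."""
    if client is None:
        return None
    return client.send_command(**kwargs)["Command"]["CommandId"]


def triage_patch_states(fleet_ids: list, states: list) -> dict:
    """Bucket DescribeInstancePatchStates records by what still needs doing.

    An instance counts as mitigated only when it reports no missing or failed
    patches and no installed patch still waiting on a reboot. Instances in the
    fleet with no patch-state record at all never ran the command (typically
    not managed by SSM), which is the silent gap to chase first.
    """
    buckets = {"compliant": [], "pending_reboot": [], "missing": [],
               "failed": [], "unreported": []}
    seen = set()
    for s in states:
        iid = s["InstanceId"]
        seen.add(iid)
        if s.get("FailedCount", 0) > 0:
            buckets["failed"].append(iid)
        elif s.get("MissingCount", 0) > 0:
            buckets["missing"].append(iid)
        elif s.get("InstalledPendingRebootCount", 0) > 0:
            buckets["pending_reboot"].append(iid)
        else:
            buckets["compliant"].append(iid)
    buckets["unreported"] = [i for i in fleet_ids if i not in seen]
    return buckets


def fleet_is_mitigated(buckets: dict) -> bool:
    """True only when every fleet member is fully patched and rebooted."""
    return all(not buckets[k] for k in ("pending_reboot", "missing",
                                        "failed", "unreported"))


# Constructed sample data (hypothetical IDs), standing in for
# describe_instance_information() and describe_instance_patch_states().
SAMPLE_FLEET = ["i-0aaaa00000000001", "i-0aaaa00000000002",
                "i-0aaaa00000000003", "i-0aaaa00000000004",
                "i-0aaaa00000000005"]
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaaa00000000001", "Operation": "Install",
     "InstalledCount": 14, "MissingCount": 0, "FailedCount": 0,
     "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0aaaa00000000002", "Operation": "Install",
     "InstalledCount": 12, "MissingCount": 0, "FailedCount": 0,
     "InstalledPendingRebootCount": 2},   # patched, kernel not yet active
    {"InstanceId": "i-0aaaa00000000003", "Operation": "Scan",
     "InstalledCount": 11, "MissingCount": 3, "FailedCount": 0,
     "InstalledPendingRebootCount": 0},   # scanned only, never installed
    {"InstanceId": "i-0aaaa00000000004", "Operation": "Install",
     "InstalledCount": 13, "MissingCount": 0, "FailedCount": 1,
     "InstalledPendingRebootCount": 0},   # install error on one patch
    # ...005 has no record: not managed by SSM, so the command never ran.
]

if __name__ == "__main__":
    scan = build_patch_command("Environment", "production", install=False)
    run_patch_command(None, **scan)   # pass a boto3 SSM client to send it
    report = triage_patch_states(SAMPLE_FLEET, SAMPLE_PATCH_STATES)
    for bucket, ids in report.items():
        print(f"{bucket:15s} {ids}")
    print("fleet mitigated:", fleet_is_mitigated(report))
```

The triage is the part most often skipped: a successful `send-command` only proves the command was issued, so the administrator should treat the audit finding as open until `fleet_is_mitigated` is true, and should handle the `unreported` bucket (instances the SSM agent does not manage) before re-running the install.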

Option A of opening a case with AWS Support requesting that the deployment of the security patch be prioritized can be effective, but it may not be the most efficient option. AWS Support may take some time to prioritize and deploy the patch, which could result in a delay in mitigating the vulnerability.

Option C of performing a Stop and Start of the EC2 instances to force them to an already-patched state is not the most efficient option: it requires stopping and starting each EC2 instance individually, which is time-consuming and disrupts running services, and, as noted above, a Stop and Start does not patch the guest OS at all, since the root volume and its unpatched packages are unchanged.

Option D of having AWS automatically install the security patch during the weekly maintenance window is not the most efficient option, as it may not address the urgency of the security vulnerability. Additionally, relying on weekly maintenance windows may delay the deployment of the security patch, leaving the EC2 instances vulnerable for an extended period.

In summary, deploying the security patch by using AWS Systems Manager for the entire fleet of EC2 instances is the MOST efficient way for the SysOps Administrator to mitigate the known vulnerability in the guest OS of the organization's large Amazon EC2 fleet.