Amazon SCS-C02 Exam - Topic 2 Question 32 Discussion

Actual exam question for Amazon's SCS-C02 exam

Question #: 32
Topic #: 2

A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization.

A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations.

A security engineer must implement a solution that detects EC2 instances ttjat do not have the required software. The solution also must automatically install the software if the software is not present.

Which solution will meet these requirements?

AProvide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.

BConfigure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.

CCentrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.

DCreate a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.

Show Suggested Answer

Suggested Answer: C

Utilizing AWS Config with a custom AWS Config rule (ec2-managedinstance-applications-required) enables detection of EC2 instances lacking the required software across all accounts in an organization. By creating an Amazon EventBridge rule that triggers on AWS Config events, and configuring it to invoke an AWS Lambda function, automated actions can be taken to ensure compliance. The Lambda function can leverage AWS Systems Manager Run Command to install the necessary software on non-compliant instances. This approach ensures continuous compliance and automated remediation, aligning with best practices for cloud security and management.

by Shad at Sep 15, 2024, 08:12 AM

Limited Time Offer

25%

Off

Get Premium SCS-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Patria

3 months ago

D sounds interesting, but is it really that straightforward?

upvoted 0 times

...

Arthur

3 months ago

Wait, can AWS Config really trigger Lambda like that?

upvoted 0 times

...

Albina

3 months ago

A is too manual with AMI tagging.

upvoted 0 times

...

Amalia

4 months ago

I think B is better for patch management.

upvoted 0 times

...

Ciara

4 months ago

Option C seems the most automated and scalable.

upvoted 0 times

...

Flo

4 months ago

I recall that using Systems Manager Distributor could be effective, but I wonder if it’s the best approach compared to the other options listed.

upvoted 0 times

...

Shasta

4 months ago

I feel like option C could be the right choice since it involves automation with Lambda and Systems Manager, but I’m a bit confused about the specifics of the AWS Config rule.

upvoted 0 times

...

Dustin

4 months ago

I think option B sounds familiar; we practiced something similar with patch baselines, but I'm not sure if it covers automatic installation like the question asks.

upvoted 0 times

...

Ernest

5 months ago

I remember we discussed using AWS Config rules in class, but I'm not entirely sure how they integrate with EventBridge for this scenario.

upvoted 0 times

...

Belen

5 months ago

Okay, I've got a plan. I think Option C is the way to go here. Leveraging AWS Config and EventBridge to automate the detection and remediation process seems like the most comprehensive solution.

upvoted 0 times

...

Louis

5 months ago

Hmm, this is a bit complex with the multi-account setup. I'm not sure which option would be the most efficient and secure approach. I'll need to carefully review the details of each choice.

upvoted 0 times

...

Trinidad

5 months ago

This looks like a tricky one, but I think I can break it down step-by-step. Let me start by understanding the key requirements - we need to detect instances without the required software and automatically install it.

upvoted 0 times

...

Raelene

5 months ago

I'm a bit confused by all the different AWS services involved. Do we really need to set up all that infrastructure, or is there a simpler way to get this done? I want to make sure I don't overcomplicate things.

upvoted 0 times

...

Ora

5 months ago

I think I'd choose option A - Audience builder. That seems like the most direct way to segment the customer population and find the appropriate groups for their marketing efforts.

upvoted 0 times

...

Vincent

1 year ago

I'm not sure about option C. I think option A could also work by providing new AMIs with the software pre-installed and tagging them for easy identification.

upvoted 0 times

...

Geraldine

1 year ago

I agree with Micaela. Using AWS Config with EventBridge and Lambda function to install the software centrally is efficient and effective.

upvoted 0 times

...

Ira

1 year ago

Wow, these options are all quite technical. I'd need a Ph.D. in AWS to understand them properly. Maybe I should just ask Alexa for help.

upvoted 0 times

...

Vince

1 year ago

Option D is the way to go! Simplicity is key, and using Systems Manager Distributor to install the software makes it a breeze.

upvoted 0 times

Major

1 year ago

Yes, Option D seems like the most practical choice. Systems Manager Distributor will simplify the software installation across all EC2 instances.

upvoted 0 times

...

Art

1 year ago

I think Option D is the most straightforward solution. Systems Manager Distributor will make the software installation process smooth.

upvoted 0 times

...

Stefany

1 year ago

I agree, Option D is simple and efficient. It's the way to go for sure.

upvoted 0 times

...

Yun

1 year ago

Yes, Option D is the most straightforward way to ensure all EC2 instances have the required software installed.

upvoted 0 times

...

Jennifer

1 year ago

Option D is definitely the best choice. Using Systems Manager Distributor makes the software installation process easy.

upvoted 0 times

...

Miesha

1 year ago

I agree, using Systems Manager Distributor is a simple and efficient solution for this scenario.

upvoted 0 times

...

Elliot

1 year ago

Option D is definitely the best choice. Systems Manager Distributor makes it easy to install the software on all EC2 instances.

upvoted 0 times

...

Yasuko

1 year ago

I wonder if the software package comes with a '90s-style screensaver. That would really seal the deal for me.

upvoted 0 times

...

Macy

1 year ago

Option C seems like the most comprehensive solution. Leveraging AWS Config, EventBridge, and Lambda to automate the process is a clever approach.

upvoted 0 times

Julieta

1 year ago

Definitely, having that level of automation can save a lot of time and ensure consistency across all accounts.

upvoted 0 times

...

Twanna

1 year ago

It's important to have a solution that can automatically detect and install the required software on all EC2 instances.

upvoted 0 times

...

Kerry

1 year ago

I agree, using AWS Config, EventBridge, and Lambda together can definitely automate the process effectively.

upvoted 0 times

...

Malcolm

1 year ago

Option C seems like the most comprehensive solution.

upvoted 0 times

...

Micaela

1 year ago

I think option C is the best solution. Enabling AWS Config and setting up the required rule seems like a good way to detect and install the software.

upvoted 0 times

...