Examice

Exam SCS-C02 All QuestionsBrowse all questions from this exam

Question 158

A company has AWS accounts in an organization in AWS Organizations. The company needs to install a corporate software package on all Amazon EC2 instances for all the accounts in the organization.

A central account provides base AMIs for the EC2 instances. The company uses AWS Systems Manager for software inventory and patching operations.

A security engineer must implement a solution that detects EC2 instances that do not have the required software. The solution also must automatically install the software if the software is not present.

Which solution will meet these requirements?

Provide new AMIs that have the required software pre-installed. Apply a tag to the AMIs to indicate that the AMIs have the required software. Configure an SCP that allows new EC2 instances to be launched only if the instances have the tagged AMIs. Tag all existing EC2 instances.

Configure a custom patch baseline in Systems Manager Patch Manager. Add the package name for the required software to the approved packages list. Associate the new patch baseline with all EC2 instances. Set up a maintenance window for software deployment.

Centrally enable AWS Config. Set up the ec2-managedinstance-applications-required AWS Config rule for all accounts. Create an Amazon EventBridge rule that reacts to AWS Config events. Configure the EventBridge rule to invoke an AWS Lambda function that uses Systems Manager Run Command to install the required software.

Create a new Systems Manager Distributor package for the required software. Specify the download location. Select all EC2 instances in the different accounts. Install the software by using Systems Manager Run Command.

Correct Answer: C

To meet the requirements of detecting EC2 instances that do not have the required software and automatically installing the software if it is not present, the solution should include both detection and automation capabilities. Centrally enabling AWS Config and setting up the ec2-managedinstance-applications-required AWS Config rule for monitoring ensures continuous compliance checks for the required software. Creating an Amazon EventBridge rule that reacts to Config events handles real-time detection of non-compliant instances. The EventBridge rule can then invoke an AWS Lambda function that utilizes Systems Manager Run Command to install the necessary software, fulfilling the requirement for automated installation.

Discussion

aescudero51Option: C

My answer is C. Detecting Missing Software: AWS Config with the ec2-managedinstance-applications-required rule continuously monitors EC2 instances and identifies ones without the required software. Automated Installation: The EventBridge rule automatically triggers upon a Config non-compliance event. Centralized Management: The solution operates centrally from the organization's master account, ensuring consistent enforcement across all member accounts. Flexibility: This approach allows for future software updates by simply modifying the Lambda function logic or the package definition in Systems Manager Distributor.

aescudero51Option: C

C is correct https://aws.amazon.com/blogs/mt/deploying-packages-sequentially-aws-systems-manager/

Viseks

Ans - B

kupo777

C is correct. Option A is a method of restricting activation by tag without detection. Option B is Software cannot be installed. Option D is to install the software without detection.

Mandar

D is correct: https://docs.aws.amazon.com/systems-manager/latest/userguide/distributor.html

ShreyasOption: B

Ans - B