Topic: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

A company has a production workload that runs on 1,000 Amazon EC2 Linux instances. The workload is powered by third-party software. The company needs to patch the third-party software on all EC2 instances as quickly as possible to remediate a critical security vulnerability.
What should a solutions architect do to meet these requirements?

A.
Create an AWS Lambda function to apply the patch to all EC2 instances.
B.
Configure AWS Systems Manager Patch Manager to apply the patch to all EC2 instances.
C.
Schedule an AWS Systems Manager maintenance window to apply the patch to all EC2 instances.
D.
Use AWS Systems Manager Run Command to run a custom command that applies the patch to all EC2 instances.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

The primary focus of Patch Manager, a capability of AWS Systems Manager, is on installing operating system security-related updates on managed nodes. By default, Patch Manager doesn't install all available patches, but rather a smaller set of patches focused on security. (Ref https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works-selection.html)

Run Command allows you to automate common administrative tasks and perform one-time configuration changes at scale.  (Ref https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html)

Seems like Patch Manager is meant for OS-level patches and not 3rd party applications. And this falls under Run Command's wheelhouse: carrying out one-time configuration changes (update of a 3rd party application) at scale.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

3rd party applications are also supported by Patch Manager (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html).
You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for applications released by Microsoft.) You can use Patch Manager to install Service Packs on Windows nodes and perform minor version upgrades on Linux nodes. You can patch fleets of Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers, and virtual machines (VMs) by operating system type. This includes supported versions of several operating systems, as listed in Patch Manager prerequisites.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

D
AWS Systems Manager Run Command allows the company to run commands or scripts on multiple EC2 instances. By using Run Command, the company can quickly and easily apply the patch to all 1,000 EC2 instances to remediate the security vulnerability.

Creating an AWS Lambda function to apply the patch to all EC2 instances would not be a suitable solution, as Lambda functions are not designed to run on EC2 instances. Configuring AWS Systems Manager Patch Manager to apply the patch to all EC2 instances would not be a suitable solution, as Patch Manager is not designed to apply third-party software patches. Scheduling an AWS Systems Manager maintenance window to apply the patch to all EC2 instances would not be a suitable solution, as maintenance windows are not designed to apply patches to third-party software.
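The Run Command approach described in the answer above, as an added example that is not part of this thread: it fans a one-off patch script out to every tagged instance with the AWS-RunShellScript document, rate-limits the rollout so a broken patch cannot hit all 1,000 instances at once, and then lists the instances where the patch did not succeed. The tag `Workload=prod-app` and the patch path `/opt/vendor/patch.sh` are assumptions, the AWS CLI is assumed to be configured, and `SSM_DRY_RUN=1` prints the calls instead of sending them.

```shell
#!/bin/sh
# Added example, not from the thread: patch a tagged EC2 fleet with SSM Run Command.
TAG_KEY="Workload"                    # assumption: the fleet carries this tag
TAG_VALUE="prod-app"
PATCH_SCRIPT="/opt/vendor/patch.sh"   # placeholder: vendor-supplied patch script
MAX_CONCURRENCY="10%"                 # patch 10% of the fleet at a time
MAX_ERRORS="50"                       # stop sending after 50 failed instances

# Shell that runs on each instance (as root under the SSM agent). set -e makes
# any failed step report the invocation as Failed instead of silently passing.
build_remote_script() {
  printf 'set -e; test -x %s; %s; echo patched on $(hostname)' "$PATCH_SCRIPT" "$PATCH_SCRIPT"
}

# Run the command, or in dry-run mode print the command line that would run.
run() {
  if [ "${SSM_DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# One API call targets every instance with the tag; returns the Command ID.
send_patch() {
  run aws ssm send-command \
    --document-name AWS-RunShellScript \
    --targets "Key=tag:$TAG_KEY,Values=$TAG_VALUE" \
    --parameters "commands=$(build_remote_script)" \
    --max-concurrency "$MAX_CONCURRENCY" \
    --max-errors "$MAX_ERRORS" \
    --timeout-seconds 600 \
    --comment "critical vendor patch" \
    --query Command.CommandId --output text
}

# Follow-up: every instance whose invocation is not Success (offline, timed out,
# failed) still carries the vulnerability and needs to be chased individually.
report_failures() {
  run aws ssm list-command-invocations --command-id "$1" \
    --query 'CommandInvocations[?Status!=`Success`].[InstanceId,Status]' \
    --output text
}

patch_fleet() {
  command_id="$(send_patch)" || return 1
  if [ "${SSM_DRY_RUN:-0}" = "1" ]; then echo "$command_id"; return 0; fi
  echo "Sent command $command_id"
  report_failures "$command_id"   # re-run until no invocation is InProgress
}
```

Tighten `MAX_CONCURRENCY` and `MAX_ERRORS` to match how much of the workload can be down at once; Run Command stops dispatching once the error limit is reached, which is the safety net a one-shot fleet-wide change needs.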

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

Install software -> Patch Manager
Run command/processing workload -> Run Command

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

I think patch manager would need an agent to be installed and also Patch Manager doesn't derive severity levels from third-party sources.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

AWS Systems Manager Patch Manager primarily focuses on operating system patches and does not directly support third-party software patching on Linux instances.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

Critical means immediate. Just run the patch command with AWS SSM Run Command to get it done. D is the best choice.
A: Too convoluted.
B: Can work, but you have to set up a lot of things to get this done. Would be a good choice if D wasn't an option.
C: It's a critical patch, so there's no time for a maintenance window.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

By practice, isn't scheduling planned downtime common sense before patching is done?

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

A maintenance window will trigger Run Command or Patch Manager at the right time (as quickly as possible).

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

Keyword: as quickly as possible.
Option B: efficient and reliable.
Option D: speed and immediate execution.
Hence D is correct.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

Third party software - Custom command.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

D - Patch Manager does not understand severity for third-party software.
Patch Manager doesn't derive severity levels from third-party sources, such as the Common Vulnerability Scoring System (CVSS), or from metrics released by the National Vulnerability Database (NVD).

https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

I go with option B. To quickly patch third-party software on 1,000 EC2 instances, use AWS Systems Manager Patch Manager. It automates the patching process, from scanning for missing patches to applying the patch to all targeted instances. Patch Manager is designed for managing and automating the patching process for EC2 instances at scale.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

Key: third-party software and run custom command

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

Hey dudes. Patch Manager needs the agent. You have to install the agent on all of the instances. Can you install the agent on over a thousand? Maybe you need SSM Run Command.
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

Make note of this requirement, "as quickly as possible to remediate a critical security vulnerability." Patch Manager would save time and effort.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

Patching support for applications on Windows Server managed nodes is limited to applications released by Microsoft.
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-patching-windows-applications.html

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

Not true, it patches Linux too.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50

AWS Systems Manager Patch Manager is designed to apply patches not only to the operating system but also to third-party software running on Amazon EC2 instances, on-premises servers, and virtual machines. It allows you to manage and automate the process of patching both operating systems and applications, including third-party applications, so by using Patch Manager and scheduling a maintenance window, you can ensure controlled and coordinated patching of the EC2 instances. This helps in minimizing disruptions and managing the process effectively, so the answer is C :)