
Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 251 discussion

A DevOps engineer needs to implement a solution to install antivirus software on all the Amazon EC2 instances in an AWS account. The EC2 instances run the most recent version of Amazon Linux.

The solution must detect all instances and must use an AWS Systems Manager document to install the software if the software is not present.

Which solution will meet these requirements?

  • A. Create an association in Systems Manager State Manager. Target all the managed nodes. Include the software in the association. Configure the association to use the Systems Manager document.
  • B. Set up AWS Config to record all the resources in the account. Create an AWS Config custom rule to determine if the software is installed on all the EC2 instances. Configure an automatic remediation action that uses the Systems Manager document for noncompliant EC2 instances.
  • C. Activate Amazon EC2 scanning on Amazon Inspector to determine if the software is installed on all the EC2 instances. Associate the findings with the Systems Manager document.
  • D. Create an Amazon EventBridge rule that uses AWS CloudTrail to detect the RunInstances API call. Configure inventory collection in Systems Manager Inventory to determine if the software is installed on the EC2 instances. Associate the Systems Manager inventory with the Systems Manager document.
Suggested Answer: A

Comments

limelight04
2 weeks, 6 days ago
Selected Answer: B
Given the requirement to detect instances and use an SSM document for installation, Option B seems most appropriate. It combines AWS Config for detection and Systems Manager for remediation.
upvoted 1 times
...
jamesf
1 month, 2 weeks ago
Selected Answer: A
AWS Systems Manager State Manager:
- Automatic Detection: State Manager allows you to manage the desired state of your AWS resources, including EC2 instances. By targeting all managed nodes, you ensure that every EC2 instance under Systems Manager's management is included in the scope.
- Software Installation: You can specify a Systems Manager document (SSM document) to define the steps required to install the antivirus software. The association will ensure that the software is installed on any instances where it is missing.
- Continuous Compliance: State Manager can continuously enforce the desired state, which means it will periodically check for the presence of the software and reapply the document if necessary.
upvoted 1 times
jamesf
1 month, 2 weeks ago
Use Case Alignment:
- Managed Nodes Targeting: This allows for broad application across all instances, ensuring that no instances are missed, as long as they are configured as managed instances.
- Ease of Configuration: Setting up an association in State Manager is straightforward and integrates well with the existing AWS Systems Manager services, making it a robust choice for managing configurations across instances.
upvoted 1 times
...
...
d0229a2
1 month, 3 weeks ago
State Manager associations

A State Manager association is a configuration that you assign to your AWS resources. The configuration defines the state that you want to maintain on your resources. For example, an association can specify that antivirus software must be installed and running on a managed node, or that certain ports must be closed.

An association specifies a schedule for when to apply the configuration and the targets for the association. For example, an association for antivirus software might run once a day on all managed nodes in an AWS account. If the software isn't installed on a node, then the association could instruct State Manager to install it. If the software is installed, but the service isn't running, then the association could instruct State Manager to start the service.
upvoted 1 times
...
trungtd
2 months ago
Selected Answer: A
By creating an association, you can ensure that all instances have the antivirus software installed and kept up-to-date.
upvoted 2 times
...
tgv
2 months ago
---> I'm between A & D

Not 100% sure about this but here are my 2 cents about DETECTING the instances that don't have the software installed:

A - it's a bit tricky because it states that it targets all managed nodes - but what if there are other nodes that are not managed? It just assumes that all instances are managed by AWS Systems Manager

B - How can Config determine if the software is installed?

C - Amazon Inspector is focused on security assessments and compliance checks, not on ensuring software is installed. It would require additional setup and is not designed for direct software installation.

D - it ensures that all instances are detected. It ensures that the installed software is tracked by using the AWS Systems Manager Inventory (which is designed for this kind of thing). I'm not 100% sure about the phrase "Associate the Systems Manager inventory with the Systems Manager document." which I don't believe it's technically possible
upvoted 1 times
...
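The point raised under A in the comment above, that an association targeting all managed nodes only reaches instances registered with Systems Manager, can be checked by comparing the EC2 inventory with the managed-node list. This is an added example, not part of the original thread: the function name `association_coverage` is hypothetical, and both JSON samples are constructed in the shape returned by `aws ec2 describe-instances` and `aws ssm describe-instance-information`.

```python
import json

# Constructed sample of `aws ec2 describe-instances` output (trimmed to the fields used).
EC2_JSON = """
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000001", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa0000000000002", "State": {"Name": "running"}}]},
  {"Instances": [
    {"InstanceId": "i-0aaa0000000000003", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa0000000000004", "State": {"Name": "terminated"}}]}
]}
"""

# Constructed sample of `aws ssm describe-instance-information` output.
SSM_JSON = """
{"InstanceInformationList": [
  {"InstanceId": "i-0aaa0000000000001", "PingStatus": "Online", "ResourceType": "EC2Instance"},
  {"InstanceId": "i-0aaa0000000000003", "PingStatus": "ConnectionLost", "ResourceType": "EC2Instance"},
  {"InstanceId": "mi-0bbb000000000001", "PingStatus": "Online", "ResourceType": "ManagedInstance"}
]}
"""


def association_coverage(ec2_doc, ssm_doc):
    """Split running EC2 instances by whether a State Manager association can reach them."""
    running = {
        inst["InstanceId"]
        for res in ec2_doc.get("Reservations", [])
        for inst in res.get("Instances", [])
        if inst.get("State", {}).get("Name") == "running"
    }
    # Only EC2-type managed nodes are compared; hybrid "mi-" nodes are not EC2 instances.
    ping = {
        node["InstanceId"]: node.get("PingStatus", "Unknown")
        for node in ssm_doc.get("InstanceInformationList", [])
        if node.get("ResourceType") == "EC2Instance"
    }
    return {
        "covered": sorted(i for i in running if ping.get(i) == "Online"),
        "agent_offline": sorted(i for i in running if i in ping and ping[i] != "Online"),
        "unmanaged": sorted(running - set(ping)),
    }


if __name__ == "__main__":
    report = association_coverage(json.loads(EC2_JSON), json.loads(SSM_JSON))
    for bucket, ids in report.items():
        print(f"{bucket}: {ids}")
```

Instances in the `unmanaged` bucket never receive the association, so the antivirus document does not run on them until they register with Systems Manager.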
Community vote distribution
A (35%)
C (25%)
B (20%)
Other