Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 50 discussion

A company has a production workload that runs on 1,000 Amazon EC2 Linux instances. The workload is powered by third-party software. The company needs to patch the third-party software on all EC2 instances as quickly as possible to remediate a critical security vulnerability.
What should a solutions architect do to meet these requirements?

  • A. Create an AWS Lambda function to apply the patch to all EC2 instances.
  • B. Configure AWS Systems Manager Patch Manager to apply the patch to all EC2 instances.
  • C. Schedule an AWS Systems Manager maintenance window to apply the patch to all EC2 instances.
  • D. Use AWS Systems Manager Run Command to run a custom command that applies the patch to all EC2 instances.
Suggested Answer: D

Comments

tinyfoot
Highly Voted 2 years, 4 months ago
The primary focus of Patch Manager, a capability of AWS Systems Manager, is on installing operating system security-related updates on managed nodes. By default, Patch Manager doesn't install all available patches, but rather a smaller set of patches focused on security. (Ref https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works-selection.html) Run Command allows you to automate common administrative tasks and perform one-time configuration changes at scale. (Ref https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html) Seems like Patch Manager is meant for OS-level patches and not 3rd-party applications. And this falls under Run Command's wheelhouse to carry out one-time configuration changes (update of a 3rd-party application) at scale.
upvoted 70 times
Fakhrudin
1 year, 7 months ago
3rd party applications are also supported by Patch Manager (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html). You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for applications released by Microsoft.) You can use Patch Manager to install Service Packs on Windows nodes and perform minor version upgrades on Linux nodes. You can patch fleets of Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers, and virtual machines (VMs) by operating system type. This includes supported versions of several operating systems, as listed in Patch Manager prerequisites.
upvoted 8 times
Shasha1
Highly Voted 2 years, 3 months ago
D. AWS Systems Manager Run Command allows the company to run commands or scripts on multiple EC2 instances. By using Run Command, the company can quickly and easily apply the patch to all 1,000 EC2 instances to remediate the security vulnerability. Creating an AWS Lambda function to apply the patch to all EC2 instances would not be a suitable solution, as Lambda functions are not designed to run on EC2 instances. Configuring AWS Systems Manager Patch Manager to apply the patch to all EC2 instances would not be a suitable solution, as Patch Manager is not designed to apply third-party software patches. Scheduling an AWS Systems Manager maintenance window to apply the patch to all EC2 instances would not be a suitable solution, as maintenance windows are not designed to apply patches to third-party software.
upvoted 21 times
sammo08
Most Recent 1 month, 1 week ago
Selected Answer: D
Option A Incorrect – AWS Lambda is not suitable for managing and patching third-party software on EC2 instances at scale.
Option B Incorrect – AWS Systems Manager Patch Manager is designed for OS patching, not third-party software patching.
Option C Incorrect – A maintenance window schedules updates but does not immediately apply the patch, delaying remediation.
Option D Correct – AWS Systems Manager Run Command allows immediate execution of a custom patching script across all EC2 instances, ensuring quick remediation.
upvoted 2 times
Dharmarajan
2 months ago
Selected Answer: B
I would vote for B, as the Run Command option does not have exception-handling capabilities for things like patch failures, or the command has to be scripted to handle such cases, which is additional operational overhead - especially for cases where the exception corner cases are not handled in the script.
upvoted 1 times
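The suggested answer D and the comment above on failure handling can both be made concrete. The following is an added example, not code from the discussion or from AWS: it dispatches a patch command to instances selected by tag through Run Command, using the document's MaxConcurrency and MaxErrors rate controls, then pages through the per-instance results and separates patched instances from those that need a follow-up run. It assumes an SSM client with boto3's send_command and list_command_invocations signatures (passed in, so a stub works without credentials); the tag name, instance IDs and the vendor upgrade command are placeholders.

```python
from typing import Iterable

# Constructed placeholder: the vendor's real upgrade command goes here.
PATCH_COMMANDS = ["set -e", "sudo /opt/vendor/bin/upgrade --yes"]


def send_patch(ssm, tag_key, tag_value, max_concurrency="10%", max_errors="5%"):
    """Dispatch the patch to every instance carrying tag_key=tag_value.

    MaxConcurrency/MaxErrors are Run Command's rate controls: SSM stops
    starting new invocations once the error budget is spent, so a bad
    patch is contained instead of hitting all 1,000 instances at once.
    """
    resp = ssm.send_command(
        DocumentName="AWS-RunShellScript",
        Targets=[{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        Parameters={"commands": PATCH_COMMANDS, "executionTimeout": ["600"]},
        MaxConcurrency=max_concurrency,
        MaxErrors=max_errors,
        TimeoutSeconds=600,
        Comment="critical third-party patch rollout",
    )
    return resp["Command"]["CommandId"]


def collect_invocations(ssm, command_id):
    """Page through list_command_invocations (API returns at most 50 per call)."""
    records, token = [], None
    while True:
        kwargs = {"CommandId": command_id, "MaxResults": 50}
        if token:
            kwargs["NextToken"] = token
        page = ssm.list_command_invocations(**kwargs)
        records.extend(page.get("CommandInvocations", []))
        token = page.get("NextToken")
        if not token:
            return records


def triage(invocations: Iterable[dict]) -> dict:
    """Group per-instance results; anything not Success is queued for a retry
    run rather than silently counted as patched."""
    done, pending, retry = [], [], []
    for inv in invocations:
        status, iid = inv["Status"], inv["InstanceId"]
        if status == "Success":
            done.append(iid)
        elif status in ("Pending", "InProgress", "Delayed"):
            pending.append(iid)
        else:  # Failed, TimedOut, Cancelled, Cancelling
            retry.append(iid)
    return {"done": done, "pending": pending, "retry": retry}
```

Instances in the `retry` list can be targeted directly in a second send_command call with `InstanceIds` instead of a tag filter.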
FlyingHawk
2 months, 1 week ago
Selected Answer: D
Patch Manager is optimized for OS-level security patches and may not support the specific third-party software patch required in this scenario. Even if the third-party software is supported, Patch Manager may not provide the level of control or speed needed for a critical security update.
upvoted 1 times
Rcosmos
2 months, 2 weeks ago
Selected Answer: D
Option D (AWS Systems Manager Run Command) is the fastest and most effective solution for applying the patch to all 1,000 EC2 instances in response to a critical security vulnerability, ensuring an immediate and controlled fix.
upvoted 1 times
Rohan_Butala
3 months, 1 week ago
Selected Answer: B
AWS Systems Manager Patch Manager is a fully managed service designed to automate the process of patching operating systems and applications on EC2 instances. It can automatically apply patches to EC2 instances at scale, ensuring that critical vulnerabilities are remediated quickly. Patch Manager allows you to define patch baselines, schedule patching, and apply patches across multiple instances without manual intervention.
upvoted 2 times
Rohan_Butala
3 months, 1 week ago
Selected Answer: B
Option B has right balance between cost-effectiveness and performance, ensuring that frequently accessed data is easily retrievable and older data is archived at lower cost with fast retrieval options for both new and older data.
upvoted 2 times
Homine
5 months, 1 week ago
Selected Answer: B
Patch Manager can support patching third-party applications.
upvoted 2 times
PaulGa
6 months, 2 weeks ago
Selected Answer: B
Ans B (should be). Clue: "The company needs to *patch* the third-party software..." - if the Patch Manager is not capable of this then perhaps it should be, rather than delegating functionality to another service... The suggested answer D, implies Patch Manager can't do the job...
upvoted 3 times
jhoiti
9 months, 1 week ago
Selected Answer: B
In your case, since the company needs to fix a critical security vulnerability as quickly as possible, Patch Manager (option B) would be the most recommended choice. It provides a quick and efficient way to apply the patch to all affected instances without the need to create custom scripts. However, if your company has specific requirements that cannot be met by Patch Manager, Run Command (option D) may be a viable alternative.
upvoted 2 times
lofzee
10 months, 1 week ago
I originally thought B, but after a bit of reading I've changed my mind to D, purely because Patch Manager will not be aware of this random third-party application. Run Command allows you to install applications and run PowerShell, bash, etc. commands at scale, so the most sensible answer would be Run Command.
upvoted 6 times
EMPERBACH
11 months ago
Selected Answer: B
Install software -> Patch Manager
Run command/processing workload -> Run Command
upvoted 3 times
ManikRoy
11 months, 1 week ago
Selected Answer: D
I think patch manager would need an agent to be installed and also Patch Manager doesn't derive severity levels from third-party sources.
upvoted 3 times
RafikTAAMMA
1 year ago
Selected Answer: D
AWS Systems Manager Patch Manager primarily focuses on operating system patches and does not directly support third-party software patching on Linux instances.
upvoted 4 times
awsgeek75
1 year, 2 months ago
Selected Answer: D
Critical means immediate. Just run the patch command with AWS SM Run Command to get it done. D is the best choice.
A: Too convoluted.
B: Can work, but you have to set up a lot of things to get this done. Would be a good choice if D wasn't an option.
C: It's a critical patch, so no time for a maintenance window.
upvoted 5 times
rt_7777
1 year, 3 months ago
By practice, isn't scheduling planned downtime common sense before patching is done?
upvoted 1 times
JA2018
4 months, 3 weeks ago
It will depend on the severity (blast radius) of the vulnerability declared.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)