SOA-C03 Question #145: Real Exam Question with Answer & Explanation

Question

A company runs applications on Amazon EC2 instances. Many of the instances are not patched. The company has a tagging policy. All the instances are tagged with details about the owners, application, and environment. AWS Systems Manager Agent (SSM Agent) is installed on all the instances. A SysOps administrator must implement a solution to automatically patch all existing and future instances that have "Prod" in the environment tag. The SysOps administrator plans to create a patch policy in Systems Manager Patch Manager. Which solution will meet the patching requirements with the LEAST operational overhead?

Options

• ADefine targets of the patch policy by specifying node tags that match the company's tagging
• BConfigure an AWS Lambda function to scan for new instances and to add the instances to the
• CCreate resource groups. Add the existing instances to the resource groups. Configure an AWS
• DCreate resource groups. Add the existing instances to the resource groups. Create an Amazon

Explanation

AWS Systems Manager Patch Manager natively supports tag-based targeting, which automatically includes both existing and future instances that match specified tag criteria. AWS CloudOps documentation states that patch policies can target managed nodes by instance tags, allowing administrators to dynamically scope patching operations without additional automation. By defining the patch policy target as instances with an environment tag value of "Prod," Patch Manager automatically applies patch baselines to all matching instances. Any new EC2 instance launched with the same tag is included automatically, requiring no manual intervention or additional services. This approach delivers the least operational overhead while remaining fully scalable and compliant.

No community discussion yet for this question.