Which combination of steps must the DevOps team take to implement automated patch and configuration management across the company’s EC2 instances, IoT devices, and on-premises infrastructure?
(Choose three.)
Apply tags to all the EC2 instances, AWS IoT Greengrass devices, and on-premises servers. Use Systems Manager Session Manager to push patches to all the tagged devices.
Use Systems Manager Run Command to schedule patching for the EC2 instances, AWS IoT Greengrass devices, and on-premises servers.
Use Systems Manager Patch Manager to schedule patching for the EC2 instances, AWS IoT Greengrass devices, and on-premises servers as a Systems Manager maintenance window task.
Configure Amazon EventBridge to monitor Systems Manager Patch Manager for updates to patch baselines. Associate Systems Manager Run Command with the event to initiate a patch action for all EC2 instances, AWS IoT Greengrass devices, and on-premises servers.
Create an IAM instance profile for Systems Manager. Attach the instance profile to all the EC2 instances in the AWS account. For the AWS IoT Greengrass devices and on-premises servers, create an IAM service role for Systems Manager.
Generate a managed-instance activation. Use the Activation Code and Activation ID to install Systems Manager Agent (SSM Agent) on each server in the on-premises environment. Update the AWS IoT Greengrass IAM token exchange role. Use the role to deploy SSM Agent on all the IoT devices.
Explanations:
While tagging instances and devices can be beneficial for organization and management, Systems Manager Session Manager is not typically used for patching. Instead, it provides secure shell access and interactive management rather than automated patching capabilities.
Systems Manager Run Command can execute commands on EC2 instances and on-premises servers, but it is not specifically designed for automated patching of AWS IoT Greengrass devices. Patching should be managed through Systems Manager Patch Manager instead for a more streamlined approach.
Systems Manager Patch Manager is specifically designed to automate the process of patching EC2 instances and on-premises servers. By scheduling patching as a maintenance window task, the DevOps team can ensure that all resources are updated regularly and consistently, which is the preferred method for managing patches across multiple environments.
Configuring Amazon EventBridge to monitor Patch Manager updates is not a standard approach for initiating patch actions. While EventBridge can be used for event-driven automation, using Patch Manager’s built-in scheduling capabilities is a more effective and direct method for applying patches without the need for additional event monitoring.
Creating an IAM instance profile for EC2 instances allows Systems Manager to manage these instances. Additionally, creating an IAM service role for on-premises servers and IoT devices is necessary for Systems Manager to access and manage these resources securely, ensuring that all components can be patched and configured appropriately.
Generating a managed-instance activation and installing the Systems Manager Agent (SSM Agent) on on-premises servers is essential for integrating these resources into Systems Manager. This step, along with updating the AWS IoT Greengrass IAM token exchange role, allows for managing and patching IoT devices using Systems Manager, enabling full coverage of the corporate infrastructure.
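The three correct steps (Patch Manager maintenance window task, IAM instance profile plus hybrid service role, managed-instance activation) as an added AWS CLI walkthrough, not part of the original question or answer key. Role names, the PatchGroup tag value, the region default and the EC2 instance id are assumed; the Greengrass token exchange role update is not shown, and nothing calls AWS unless RUN_SSM_SETUP=1.

```shell
#!/bin/sh
# Added example (not from the question source). Assumed names: SSMManagedInstanceRole,
# SSMHybridServiceRole, tag PatchGroup=prod, region us-east-1, constructed instance id.
set -eu
REGION=${AWS_REGION:-us-east-1}
EC2_TRUST='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
SSM_TRUST='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ssm.amazonaws.com"},"Action":"sts:AssumeRole"}]}'

# Step: instance profile for EC2 and a service role (trusted by ssm.amazonaws.com) for
# on-prem nodes. AmazonSSMManagedInstanceCore is the minimum SSM Agent needs; no admin.
create_roles() {
  for r in "SSMManagedInstanceRole:$EC2_TRUST" "SSMHybridServiceRole:$SSM_TRUST"; do
    aws iam create-role --role-name "${r%%:*}" --assume-role-policy-document "${r#*:}"
    aws iam attach-role-policy --role-name "${r%%:*}" \
      --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  done
  aws iam create-instance-profile --instance-profile-name SSMManagedInstanceRole
  aws iam add-role-to-instance-profile --instance-profile-name SSMManagedInstanceRole \
    --role-name SSMManagedInstanceRole
  aws ec2 associate-iam-instance-profile --instance-id i-0123456789abcdef0 \
    --iam-instance-profile Name=SSMManagedInstanceRole
}
# Step: one activation registers up to --registration-limit servers. The id/code pair
# is a credential: keep it out of logs and let it expire (24h by default).
create_activation() {
  aws ssm create-activation --default-instance-name on-prem-server \
    --iam-role SSMHybridServiceRole --registration-limit 50 --region "$REGION" \
    --query '[ActivationId,ActivationCode]' --output text
}
# Command to run on each on-prem Linux server after installing SSM Agent ($1=id $2=code).
agent_register_cmd() {
  printf 'sudo amazon-ssm-agent -register -code "%s" -id "%s" -region "%s"\n' "$2" "$1" "$REGION"
}
# Step: Patch Manager run as a maintenance window task. Both EC2 (i-*) and hybrid
# (mi-*) nodes are selected by tag, so one window covers both environments.
patch_task_params() {
  printf '%s' '{"RunCommand":{"Parameters":{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}}}'
}
create_patch_window() {
  wid=$(aws ssm create-maintenance-window --name weekly-patching \
    --schedule 'cron(0 2 ? * SUN *)' --duration 4 --cutoff 1 \
    --allow-unassociated-targets --query WindowId --output text)
  tid=$(aws ssm register-target-with-maintenance-window --window-id "$wid" \
    --resource-type INSTANCE --targets 'Key=tag:PatchGroup,Values=prod' \
    --query WindowTargetId --output text)
  aws ssm register-task-with-maintenance-window --window-id "$wid" \
    --targets "Key=WindowTargetIds,Values=$tid" --task-type RUN_COMMAND \
    --task-arn AWS-RunPatchBaseline --max-concurrency 10% --max-errors 1 \
    --priority 1 --task-invocation-parameters "$(patch_task_params)"
}
if [ "${RUN_SSM_SETUP:-0}" = "1" ]; then
  create_roles; set -- $(create_activation); agent_register_cmd "$1" "$2"; create_patch_window
fi
```

Run with RUN_SSM_SETUP=1 against an account where the CLI is already authenticated; the printed registration command is what goes onto each on-premises server.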