Which solution will meet these requirements?
Create an association in Systems Manager State Manager. Target all the managed nodes. Include the software in the association. Configure the association to use the Systems Manager document.
Set up AWS Config to record all the resources in the account. Create an AWS Config custom rule to determine if the software is installed on all the EC2 instances. Configure an automatic remediation action that uses the Systems Manager document for noncompliant EC2 instances.
Activate Amazon EC2 scanning on Amazon Inspector to determine if the software is installed on all the EC2 instances. Associate the findings with the Systems Manager document.
Create an Amazon EventBridge rule that uses AWS CloudTrail to detect the RunInstances API call. Configure inventory collection in Systems Manager Inventory to determine if the software is installed on the EC2 instances. Associate the Systems Manager inventory with the Systems Manager document.
Explanations:
Creating an association in Systems Manager State Manager allows for targeting all managed nodes and automatically applying the specified Systems Manager document to install the antivirus software if it is not already present. This approach ensures that the software is consistently installed across all instances and aligns with the requirement to detect and install the software as necessary.
While AWS Config can help monitor compliance and report whether antivirus software is installed, it does not directly install software. An AWS Config custom rule can determine compliance but requires additional setup for remediation, which does not directly fulfill the requirement of using a Systems Manager document to install the software upon detection of non-compliance.
Amazon Inspector is used for vulnerability assessments, not for direct installation of software. While it can identify whether antivirus software is installed, it does not perform the installation itself or provide a mechanism to automatically apply the Systems Manager document based on those findings.
This option involves using Amazon EventBridge and CloudTrail to detect instance launches and using Systems Manager Inventory for software detection. However, it is overly complex for the requirement since it does not directly address the need to install software automatically on existing instances. The solution does not ensure proactive installation of the antivirus software.