Question 161:
You work in the security team, and you need to ensure that all EC2 instances have certain latest security patches installed in time. However, the requirement is that the patches are installed in the dev and test environments for a week before they are installed on production instances. All EC2 instances can be differentiated via tags. What is the best way to implement this using AWS Systems Manager?
Answer options:
A. Create a customized Patch Baseline. Create several Patch Groups for dev, test, and production instances and tag the instances. Associate the Patch Groups with the new Patch Baseline. Schedule the patching in a maintenance window as required.
B. Tag the instances using dev, test, and production. In Systems Manager, run the “AWS-InstallPatches” command based on the tags.
C. Use a predefined default Patch Baseline. Add tags of dev, test, and production to the relevant EC2 instances. Associate the Patch Baseline with EC2 instances via tags.
D. Use Systems Manager Session Manager to configure the patching for EC2 instances. Apply the required patches accordingly after you remotely log in to the server.