Exam SOA-C03 Topic 4 Question 53 Discussion
Actual exam question for Amazon's SOA-C03 exam
Question #: 53
Topic #: 4
Question #: 53
Topic #: 4
A company runs applications on Amazon EC2 instances. Many of the instances are not patched. The company has a tagging policy. All the instances are tagged with details about the owners, application, and environment.
AWS Systems Manager Agent (SSM Agent) is installed on all the instances.
A SysOps administrator must implement a solution to automatically patch all existing and future instances that have "Prod" in the environment tag. The SysOps administrator plans to create a patch policy in Systems Manager Patch Manager.
Which solution will meet the patching requirements with the LEAST operational overhead?
AWS Systems Manager Agent (SSM Agent) is installed on all the instances.
A SysOps administrator must implement a solution to automatically patch all existing and future instances that have "Prod" in the environment tag. The SysOps administrator plans to create a patch policy in Systems Manager Patch Manager.
Which solution will meet the patching requirements with the LEAST operational overhead?
Suggested Answer: A Vote an answer
Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:
The correct answer is A because AWS Systems Manager Patch Manager natively supports tag-based targeting, which automatically includes both existing and future instances that match specified tag criteria.
AWS CloudOps documentation states that patch policies can target managed nodes by instance tags, allowing administrators to dynamically scope patching operations without additional automation.
By defining the patch policy target as instances with an environment tag value of "Prod," Patch Manager automatically applies patch baselines to all matching instances. Any new EC2 instance launched with the same tag is included automatically, requiring no manual intervention or additional services. This approach delivers the least operational overhead while remaining fully scalable and compliant.
Options B, C, and D are incorrect because they introduce unnecessary complexity by adding AWS Lambda functions, resource groups, or EventBridge rules. AWS CloudOps best practices emphasize using native Systems Manager capabilities whenever possible to reduce operational burden and failure points.
References:
AWS Systems Manager User Guide - Patch Manager Tag-Based Targeting
AWS SysOps Administrator Study Guide - Automation and Patch Management
AWS Well-Architected Framework - Operational Excellence
The correct answer is A because AWS Systems Manager Patch Manager natively supports tag-based targeting, which automatically includes both existing and future instances that match specified tag criteria.
AWS CloudOps documentation states that patch policies can target managed nodes by instance tags, allowing administrators to dynamically scope patching operations without additional automation.
By defining the patch policy target as instances with an environment tag value of "Prod," Patch Manager automatically applies patch baselines to all matching instances. Any new EC2 instance launched with the same tag is included automatically, requiring no manual intervention or additional services. This approach delivers the least operational overhead while remaining fully scalable and compliant.
Options B, C, and D are incorrect because they introduce unnecessary complexity by adding AWS Lambda functions, resource groups, or EventBridge rules. AWS CloudOps best practices emphasize using native Systems Manager capabilities whenever possible to reduce operational burden and failure points.
References:
AWS Systems Manager User Guide - Patch Manager Tag-Based Targeting
AWS SysOps Administrator Study Guide - Automation and Patch Management
AWS Well-Architected Framework - Operational Excellence
by Jenny at Jan 20, 2026, 09:43 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).