Option A is the most correct because it provides both : (1) automated patching and (2) compliance monitoring/enforcement across a fleet, using AWS-native services built for exactly this purpose.

AWS Systems Manager Patch Manager is designed to automate patching of managed instances using patch baselines , maintenance windows (or on-demand), and it produces compliance status for patching. It’s the standard AWS service to apply OS/security patches at scale without SSH’ing into instances.

AWS Config can be used to evaluate and track compliance over time against defined rules, giving centralized visibility and continuous compliance assessment. With remediation , Config can invoke Systems Manager Automation documents to correct non-compliant resources or trigger patch actions (depending on the rule/remediation design). This meets the “monitor and enforce” requirement.

Why the other options don’t meet requirements as well:

B is manual, doesn’t scale well, and increases operational risk (key management, human error). It’s not “automated monitoring and enforcement.”

C (replacing instances with new AMIs) can be part of an immutable infrastructure strategy, but by itself it does not provide compliance monitoring across the current fleet, and scaling policies based on CloudWatch metrics are unrelated to patch compliance. Also, patch cadence would depend on AMI pipelines and instance rotation rather than direct compliance enforcement.

D is operationally heavy and mismatched: CloudTrail records API activity; it does not natively provide “patch compliance” status for instance OS packages. Recreating instances via CloudFormation for every patch is not an efficient or standard enforcement mechanism for patch compliance.