The requirement calls for three capabilities at fleet scale: (1) regular security/vulnerability scanning of EC2 instances, (2) scheduled patching, and (3) reporting on patch compliance/status. The AWS-managed services designed for this are Amazon Inspector for vulnerability scanning and AWS Systems Manager Patch Manager for patch orchestration and compliance reporting.
Amazon Inspector provides automated vulnerability management that can assess EC2 instances for software vulnerabilities and exposure, producing findings that identify missing patches and vulnerable packages. This addresses the security scanning portion without requiring custom tooling on each instance beyond standard agent/configuration requirements.
Systems Manager Patch Manager allows you to define patch baselines, schedule patching operations via maintenance windows, and apply patches across large fleets in a controlled manner. Patch Manager also provides compliance views and reporting so you can see which instances are compliant, which are missing patches, and the results of patch operations. This directly meets the need to patch “on a regular schedule” and to “provide a report of each instance’s patch status.”
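To show what the "patch status per instance" report looks like once Patch Manager is in place, here is an added example (not AWS code or code from the original text) that turns records shaped like the `InstancePatchStates` entries returned by `ssm:DescribeInstancePatchStates` into a per-instance status and a fleet summary. The sample records, the fixed clock and the 7-day staleness threshold are constructed assumptions; in practice the records come from the boto3 `describe_instance_patch_states` call.

```python
"""Fleet patch-status report from Patch Manager instance patch states.
Input records mirror ssm:DescribeInstancePatchStates (sample is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock: repeatable output
STALE_AFTER = timedelta(days=7)  # assumed: no Scan/Install result in 7 days => stale

@dataclass(frozen=True)
class InstanceStatus:
    instance_id: str
    status: str  # COMPLIANT | NON_COMPLIANT | PENDING_REBOOT | STALE
    missing: int
    failed: int

def classify(state: dict, now: datetime = NOW) -> InstanceStatus:
    """A stale report hides the real state, so staleness is checked before counts."""
    missing = state.get("MissingCount", 0)
    failed = state.get("FailedCount", 0)
    last_op = state.get("OperationEndTime")
    if last_op is None or now - last_op > STALE_AFTER:
        status = "STALE"
    elif missing or failed:
        status = "NON_COMPLIANT"
    elif state.get("InstalledPendingRebootCount", 0):
        status = "PENDING_REBOOT"  # patched, but not effective until reboot
    else:
        status = "COMPLIANT"
    return InstanceStatus(state["InstanceId"], status, missing, failed)

def fleet_report(states: list, now: datetime = NOW) -> dict:
    """Per-instance rows plus a count of instances in each status."""
    rows = [classify(s, now) for s in states]
    summary = {k: 0 for k in ("COMPLIANT", "NON_COMPLIANT", "PENDING_REBOOT", "STALE")}
    for r in rows:
        summary[r.status] += 1
    return {"rows": rows, "summary": summary}

SAMPLE_STATES = [  # constructed records in the API response shape
    {"InstanceId": "i-0aaa", "Operation": "Install", "OperationEndTime": NOW - timedelta(hours=3),
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0bbb", "Operation": "Scan", "OperationEndTime": NOW - timedelta(days=1),
     "MissingCount": 4, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0ccc", "Operation": "Install", "OperationEndTime": NOW - timedelta(hours=6),
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 2},
    {"InstanceId": "i-0ddd", "Operation": "Scan", "OperationEndTime": NOW - timedelta(days=30),
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0},
]

if __name__ == "__main__":
    report = fleet_report(SAMPLE_STATES)
    for r in report["rows"]:
        print(f"{r.instance_id:<8} {r.status:<15} missing={r.missing} failed={r.failed}")
    print(report["summary"])
```

Treating instances with no recent scan or install result as their own status keeps a silent agent from being counted as compliant.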
The other options are mismatched services: Macie focuses on discovering and protecting sensitive data (especially in S3), not scanning EC2 for software vulnerabilities. GuardDuty is for threat detection based on logs and events; it is not an EC2 vulnerability scanner and does not function as a patching orchestrator. Detective helps investigate security events and relationships; it is not a vulnerability scanning or patch deployment tool. Additionally, cron jobs on each instance create high operational overhead and inconsistent reporting—exactly what the company wants to avoid.
Therefore, D is the correct, operationally excellent approach: use Inspector for vulnerability scanning and Systems Manager Patch Manager for automated, scheduled patching with centralized compliance reporting.