An internal compliance review at a fintech startup has uncovered that their Amazon EC2 instances are not being updated with the latest security patches. The organization requires a scalable and automated solution that can both scan the EC2 fleet for software vulnerabilities and apply patches on a recurring basis. Additionally, the solution must generate audit-ready reports showing the patching status of each instance. What should a solutions architect implement to fulfill these security and reporting requirements?