How Do You Secure AKS with ACR and Runtime Container Scanning?
Prepare for your AZ-500 exam by learning the key container scanning options for AKS. Understand how Microsoft Defender for Containers provides vulnerability scanning in Azure Container Registry (ACR) and real-time threat detection in the AKS container runtime.
Question
Which of the following scanning options can you configure for your container images for Azure Kubernetes Service?
A. In the Azure Container Registry
B. At design time in Visual Studio Code
C. In the AKS container runtime
D. A and C
Answer
D. A and C
Explanation
The correct answer is D. A comprehensive container security strategy for AKS involves vulnerability scanning both before deployment in Azure Container Registry (ACR) and during execution with AKS runtime protection.
Scanning at both points, the ACR and the AKS runtime, is possible and identifies vulnerabilities and threats related to your containerized services.
Scanning in Azure Container Registry (ACR)
This is a critical “shift-left” security practice that identifies vulnerabilities before a container is ever deployed.
- Service Used: This functionality is provided by Microsoft Defender for Containers.
- How it Works: When enabled, Defender for Containers automatically scans container images when they are pushed to your registry and also re-scans recently pulled images. The scan identifies known vulnerabilities (CVEs) in the operating system packages and other software dependencies within the image.
- Purpose: This allows DevOps and security teams to find and remediate vulnerabilities early in the development lifecycle, preventing insecure code from reaching production environments. The scan results provide a detailed report of findings, severity levels, and remediation guidance.
Scanning in the AKS Container Runtime
This provides real-time threat detection and protection for containers that are actively running in your AKS cluster.
- Service Used: This is also a feature of Microsoft Defender for Containers.
- How it Works: When enabled for your Kubernetes clusters, Defender for Containers deploys a DaemonSet to each node in the cluster. This agent collects security data from the nodes and running containers. It analyzes system calls, network activity, and process execution to detect malicious and suspicious behavior.
- Purpose: This protects against threats that may not be present in the static image, such as zero-day exploits, fileless attacks, or malicious activity originating from a compromised container. It generates security alerts for threats like cryptocurrency mining, suspicious shell execution, or connections to known malicious IP addresses.
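The two configuration steps described above, enabling the Defender for Containers plan on the subscription (which covers ACR image scanning) and the Defender profile on an AKS cluster (which deploys the per-node DaemonSet), as an added Azure CLI example that is not part of this Q&A. It assumes az is already logged in to the target subscription, uses placeholder resource group and cluster names, and lets AZ and KUBECTL be overridden (for example AZ=echo) to dry-run without Azure access.

```shell
#!/usr/bin/env bash
# Added example: enable Microsoft Defender for Containers for both ACR scanning
# and AKS runtime protection, then verify. Assumes `az login` has been done.
# AZ / KUBECTL can be overridden (e.g. AZ=echo) to dry-run without Azure access.
set -eu
AZ="${AZ:-az}"
KUBECTL="${KUBECTL:-kubectl}"

# Step 1: the Defender for Containers plan is a subscription-level setting.
# It is what turns on image vulnerability scanning for registries in the subscription.
enable_containers_plan() {
  "$AZ" security pricing create --name Containers --tier standard --output none
}

# Step 2: enable the Defender profile on one AKS cluster. This deploys the
# DaemonSet agent to every node for runtime threat detection.
enable_aks_runtime_protection() {
  rg="$1"; cluster="$2"
  "$AZ" aks update --resource-group "$rg" --name "$cluster" --enable-defender --output none
}

# Step 3: verify both halves; succeeds only if the plan is Standard tier
# and the cluster's Defender security monitoring is enabled.
verify_defender() {
  rg="$1"; cluster="$2"
  tier=$("$AZ" security pricing show --name Containers --query pricingTier -o tsv)
  enabled=$("$AZ" aks show --resource-group "$rg" --name "$cluster" \
      --query securityProfile.defender.securityMonitoring.enabled -o tsv)
  [ "$tier" = "Standard" ] || return 1
  case "$enabled" in true|True) return 0 ;; *) return 1 ;; esac
}

# Optional: list the Defender DaemonSet(s) Defender placed in kube-system.
show_defender_daemonset() {
  "$KUBECTL" get daemonset -n kube-system | grep -i defender
}

# Run with: ./enable-defender.sh --apply <resource-group> <aks-cluster>
if [ "${1:-}" = "--apply" ]; then
  enable_containers_plan
  enable_aks_runtime_protection "$2" "$3"
  verify_defender "$2" "$3" && echo "Defender for Containers enabled on $3"
fi
```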
Why Other Options Are Incorrect
While you can use third-party extensions in Visual Studio Code to scan Dockerfiles or local images at design time (Option B), this is part of a local developer workflow and not a native Azure service configuration for securing AKS. The question focuses on configurable scanning options within the Azure platform for an AKS environment, which directly points to the integrated capabilities provided by Microsoft Defender for Containers for both ACR and the AKS runtime.