
DVA-C02: How to Harden Container Images with ECR Basic Image Scanning in CodePipeline

Learn how to harden your container images before they are in a running state by using ECR basic image scanning in CodePipeline. Discover the most efficient solution for analyzing the container image earlier in the CI/CD pipeline.


Question

A company needs to harden its container images before the images are in a running state. The company’s application uses Amazon Elastic Container Registry (Amazon ECR) as an image registry, Amazon Elastic Kubernetes Service (Amazon EKS) for compute, and an AWS CodePipeline pipeline that orchestrates a continuous integration and continuous delivery (CI/CD) workflow.

Dynamic application security testing occurs in the final stage of the pipeline after a new image is deployed to a development namespace in the EKS cluster. A developer needs to place an analysis stage before this deployment to analyze the container image earlier in the CI/CD pipeline.

Which solution will meet these requirements with the MOST operational efficiency?

A. Build the container image and run the docker scan command locally. Mitigate any findings before pushing changes to the source code repository. Write a pre-commit hook that enforces the use of this workflow before commit.

B. Create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.

C. Create a new CodePipeline stage that occurs after source code has been retrieved from its repository. Run a security scanner on the latest revision of the source code. Fail the pipeline if there are findings.

D. Add an action to the deployment stage of the pipeline so that the action occurs before the deployment to the EKS cluster. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.

Answer

B. Create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.

Explanation

The correct answer is B. Create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.

Here is an explanation of why this solution will meet the requirements with the most operational efficiency:

  • The problem is that the company needs to harden its container images before the images are in a running state, which means that the images need to be scanned for vulnerabilities and compliance issues before they are deployed to the EKS cluster. The company already has a CI/CD pipeline that uses CodePipeline, ECR, and EKS, but it only performs dynamic application security testing after the deployment, which is too late to prevent potential security breaches.
  • To solve this problem, a new analysis stage is needed in the CodePipeline pipeline that will scan the container image earlier in the CI/CD workflow. This stage should occur after the container image is built, but before it is deployed to the EKS cluster. This way, any security issues can be detected and mitigated before they affect the running application.
  • The solution that meets these requirements with the most operational efficiency is to use ECR basic image scanning and a Lambda function as the action provider for the new analysis stage. ECR basic image scanning is a feature that allows users to scan their container images for software vulnerabilities using Amazon Inspector. It can be configured to scan on image push, which means that it will automatically scan any new image that is pushed to an ECR repository. The scan results are available through the ECR console or API.
  • A Lambda function can be used as the action provider for the new analysis stage, which means that it will perform a custom action based on the input artifacts and output variables of the stage. The Lambda function can be configured to check the scan results of the container image by using the ECR API, and to fail the pipeline if there are any findings. This will prevent any insecure or non-compliant image from being deployed to the EKS cluster.
  • This solution will meet the requirements with the most operational efficiency because it will use existing AWS services and features that are integrated with each other, and it will not require any additional infrastructure or software installation. It will also automate the scanning process and enforce security best practices throughout the CI/CD workflow.

Therefore, option B is the correct solution that will meet the requirements with the most operational efficiency. Option A is incorrect because it will rely on manual scanning and mitigation by the developer, which is prone to human error and inconsistency. Option C is incorrect because it will not scan the container image, but only the source code, which may not reflect the actual state of the image. Option D is incorrect because it will place the analysis stage too late in the pipeline, after the deployment stage, which defeats the purpose of hardening the images before they are in a running state.
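As an added example (not code from the original page or from AWS), here is what the Lambda action provider from option B could look like in Python with boto3: it waits for the scan-on-push result, reads the findings through the ECR API, and reports success or failure back to CodePipeline. The UserParameters keys (repositoryName, imageTag, failOn), the severity threshold and the sample findings are this example's own assumptions.

```python
"""CodePipeline Lambda action that gates an ECR image on its basic-scan findings."""
import json

# ECR severities, most to least severe; compared against the fail threshold below.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

# Constructed sample shaped like the imageScanFindings field ECR returns (not real data).
SAMPLE_SCAN = {
    "findings": [
        {"name": "CVE-0000-EXAMPLE-A", "severity": "CRITICAL"},
        {"name": "CVE-0000-EXAMPLE-B", "severity": "HIGH"},
        {"name": "CVE-0000-EXAMPLE-C", "severity": "MEDIUM"},
    ],
}


def blocking_findings(scan_findings, fail_on="HIGH"):
    """Return the findings whose severity is at or above fail_on (those block the pipeline)."""
    threshold = SEVERITY_ORDER.index(fail_on.upper())
    return [f for f in scan_findings.get("findings", [])
            if SEVERITY_ORDER.index(f.get("severity", "UNDEFINED")) <= threshold]


def handler(event, context):
    import boto3  # imported here so blocking_findings() is testable without the SDK installed
    job = event["CodePipeline.job"]
    # UserParameters is a JSON string set on the pipeline action; the keys are this example's choice.
    params = json.loads(job["data"]["actionConfiguration"]["configuration"]["UserParameters"])
    repo, image_id = params["repositoryName"], {"imageTag": params["imageTag"]}
    fail_on = params.get("failOn", "HIGH")
    ecr, pipeline = boto3.client("ecr"), boto3.client("codepipeline")
    try:
        # Scan-on-push already started the scan; wait for it to finish before reading results.
        ecr.get_waiter("image_scan_complete").wait(repositoryName=repo, imageId=image_id)
        findings = []  # describe_image_scan_findings is paginated; collect every page
        for page in ecr.get_paginator("describe_image_scan_findings").paginate(
                repositoryName=repo, imageId=image_id):
            findings.extend(page["imageScanFindings"].get("findings", []))
        blocking = blocking_findings({"findings": findings}, fail_on)
    except Exception as exc:  # fail closed: a scan that cannot be read must not pass the image
        pipeline.put_job_failure_result(jobId=job["id"], failureDetails={
            "type": "JobFailed", "message": f"scan check error: {exc}"[:5000]})
        return
    if blocking:
        names = ", ".join(sorted({f.get("name", "?") for f in blocking})[:10])
        msg = f"{len(blocking)} finding(s) at or above {fail_on}: {names}"
        pipeline.put_job_failure_result(jobId=job["id"], failureDetails={
            "type": "JobFailed", "message": msg[:5000]})
    else:
        pipeline.put_job_success_result(jobId=job["id"])
```

The function's execution role needs ecr:DescribeImageScanFindings plus codepipeline:PutJobSuccessResult and codepipeline:PutJobFailureResult for this to work.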
