
SAP-C02: Automating Vulnerability Scanning and Image Tag Deletion in Amazon ECR with Step Functions

Learn how to configure Amazon ECR to automatically scan new container images for vulnerabilities, delete image tags with Critical or High severity findings, and notify the development team using AWS Step Functions, EventBridge, and SNS.


Question

A company is running a containerized application in the AWS Cloud. The application is running by using Amazon Elastic Container Service (Amazon ECS) on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group.

The company uses Amazon Elastic Container Registry (Amazon ECR) to store its container images. When a new image version is uploaded, the new image version receives a unique tag.

The company needs a solution that inspects new image versions for common vulnerabilities and exposures. The solution must automatically delete new image tags that have Critical or High severity findings. The solution also must notify the development team when such a deletion occurs.

Which solution meets these requirements?

A. Configure scan on push on the repository. Use Amazon EventBridge to invoke an AWS Step Functions state machine when a scan is complete for images that have Critical or High severity findings. Use the Step Functions state machine to delete the image tag for those images and to notify the development team through Amazon Simple Notification Service (Amazon SNS).
B. Configure scan on push on the repository. Configure scan results to be pushed to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Lambda function when a new message is added to the SQS queue. Use the Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).
C. Schedule an AWS Lambda function to start a manual image scan every hour. Configure Amazon EventBridge to invoke another Lambda function when a scan is complete. Use the second Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Notification Service (Amazon SNS).
D. Configure periodic image scan on the repository. Configure scan results to be added to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Step Functions state machine when a new message is added to the SQS queue. Use the Step Functions state machine to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).

Answer

A. Configure scan on push on the repository. Use Amazon EventBridge to invoke an AWS Step Functions state machine when a scan is complete for images that have Critical or High severity findings. Use the Step Functions state machine to delete the image tag for those images and to notify the development team through Amazon Simple Notification Service (Amazon SNS).

Explanation

Amazon Elastic Container Registry (ECR) supports ‘scan on push’: every image is scanned for known vulnerabilities as soon as it is pushed to the repository, so the scan is tied to the upload itself rather than to a schedule. With basic scanning the findings come from the CVE database of the open-source Clair project and are reported per image with a severity (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL or UNDEFINED) and a per-severity count; those counts are what the rest of the pipeline keys on. Scan on push is enabled per repository (scanOnPush=true in the repository’s image scanning configuration) or for a set of repositories through the registry scanning configuration.

Amazon EventBridge receives the event ECR emits when a scan finishes (source aws.ecr, detail-type "ECR Image Scan", scan-status COMPLETE in the event detail). The event carries the repository name, the image digest, the image tags and a finding-severity-counts map, so an EventBridge rule can match only scans whose CRITICAL or HIGH count is greater than zero and start the state machine just for those. The rule’s target is the state machine, which means the rule needs an IAM role allowed to call states:StartExecution on it. This is the basic-scanning event; enhanced scanning (Amazon Inspector) reports through a different event source, so the rule pattern has to change if the registry is switched to enhanced scanning.

AWS Step Functions then performs the remediation. A Task state can invoke an AWS Lambda function or call the ECR API directly through the AWS SDK service integration (BatchDeleteImage with the offending tag as the image identifier), and a following Task state publishes to an Amazon Simple Notification Service (SNS) topic the development team subscribes to; the state machine’s Retry and Catch fields deal with a failed delete without silently dropping the notification. Two caveats a practitioner should keep in mind: deleting by tag only untags the image (ECR removes the image itself once its last tag is gone, and any other tags on it, as well as pulls by digest, keep working until then), and ECS tasks already running from that image are not affected; the tag removal only stops new deployments of it. The execution role needs ecr:BatchDeleteImage on the repository and sns:Publish on the topic.
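The following is an added example, not code from the original page or from AWS: the EventBridge rule pattern that starts the state machine only for completed scans with CRITICAL or HIGH findings, and a Lambda function the state machine’s Task state could invoke to remove the scanned tags with BatchDeleteImage and publish a summary to SNS. It assumes the state machine passes the EventBridge event through unchanged as the task input, that an environment variable ALERT_TOPIC_ARN names the topic, and it uses a constructed sample event (repository payments-api, tag v1.4.2) plus fake ECR/SNS clients so it runs offline; with real boto3 clients the same handler runs in Lambda.

```python
"""Lambda task for the Step Functions state machine: on an 'ECR Image Scan'
event with CRITICAL or HIGH findings, untag the image and notify via SNS.
Assumed (not from the original page): the EventBridge event is the task
input, and ALERT_TOPIC_ARN names the notification topic."""
import json
import os

# Pattern for the EventBridge rule whose target is the state machine; kept
# beside the handler so the rule's filter and the code's gate stay in sync.
EVENT_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {
        "scan-status": ["COMPLETE"],
        "$or": [
            {"finding-severity-counts": {"CRITICAL": [{"numeric": [">", 0]}]}},
            {"finding-severity-counts": {"HIGH": [{"numeric": [">", 0]}]}},
        ],
    },
}
BLOCKING = ("CRITICAL", "HIGH")


def blocking_findings(detail):
    """{severity: count} for the severities that must block the image."""
    counts = detail.get("finding-severity-counts", {})
    return {s: counts[s] for s in BLOCKING if counts.get(s, 0) > 0}


def handler(event, context=None, ecr=None, sns=None):
    """Delete the offending tags, notify, and return what was done.
    ecr/sns are boto3 clients; injectable so the logic runs offline."""
    detail = event["detail"]
    if detail.get("scan-status") != "COMPLETE":
        return {"action": "skipped", "reason": detail.get("scan-status")}
    findings = blocking_findings(detail)   # re-check; do not trust the rule alone
    tags = detail.get("image-tags", [])
    if not findings or not tags:           # clean image, or an untagged push
        return {"action": "none", "findings": findings, "tags": tags}

    ecr = ecr or _client("ecr")
    sns = sns or _client("sns")
    repo = detail["repository-name"]
    # imageTag ids remove only those tags; ECR deletes the image itself once
    # its last tag is gone. Other tags (and pull-by-digest) keep working.
    resp = ecr.batch_delete_image(
        registryId=event["account"],
        repositoryName=repo,
        imageIds=[{"imageTag": t} for t in tags],
    )
    deleted = [i["imageTag"] for i in resp.get("imageIds", []) if "imageTag" in i]
    failures = resp.get("failures", [])
    summary = {"repository": repo, "region": event.get("region"),
               "imageDigest": detail.get("image-digest"), "findings": findings,
               "deletedTags": deleted, "failures": failures}
    sns.publish(
        TopicArn=os.environ.get("ALERT_TOPIC_ARN",
                                "arn:aws:sns:us-east-1:123456789012:ecr-scan-alerts"),
        Subject=f"ECR: removed {len(deleted)} tag(s) from {repo}",
        Message=json.dumps(summary, indent=2),
    )
    if failures:  # raise so the Task state's Retry/Catch sees the partial failure
        raise RuntimeError(f"BatchDeleteImage failures: {failures}")
    return {"action": "deleted", **summary}


def _client(service):
    import boto3  # lazy import: the module loads (and tests run) without boto3
    return boto3.client(service)


# Constructed sample event in the shape of a basic-scanning 'ECR Image Scan'
# event; not captured from a real account.
SAMPLE_EVENT = {
    "version": "0", "id": "2b1f8c4e-0000-4000-8000-000000000001",
    "detail-type": "ECR Image Scan", "source": "aws.ecr",
    "account": "123456789012", "region": "us-east-1",
    "resources": ["arn:aws:ecr:us-east-1:123456789012:repository/payments-api"],
    "detail": {
        "scan-status": "COMPLETE", "repository-name": "payments-api",
        "image-digest": "sha256:" + "ab" * 32, "image-tags": ["v1.4.2"],
        "finding-severity-counts": {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 9},
    },
}


class FakeEcr:
    """Stand-in for boto3's ECR client: records the call, reports all ids deleted."""
    def __init__(self):
        self.calls = []

    def batch_delete_image(self, **kw):
        self.calls.append(kw)
        return {"imageIds": kw["imageIds"], "failures": []}


class FakeSns:
    def __init__(self):
        self.published = []

    def publish(self, **kw):
        self.published.append(kw)
        return {"MessageId": "local-run"}


if __name__ == "__main__":
    ecr, sns = FakeEcr(), FakeSns()
    print(json.dumps(handler(SAMPLE_EVENT, ecr=ecr, sns=sns), indent=2))
```

The handler re-evaluates the severity counts instead of assuming the rule filtered correctly, so a mis-edited rule cannot turn it into a tool that deletes every tag it is handed, and a partial BatchDeleteImage failure is raised after the notification goes out so the state machine can retry while the team still hears about it. If the deletion is done with the Step Functions aws-sdk integration instead of Lambda, the same imageIds shape goes into the Parameters of that Task state.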

The other options either add components that do nothing for the requirement or miss the “new image version” timing. Options B and D route scan results through Amazon Simple Queue Service (SQS), but ECR does not deliver scan results to a queue; they arrive as EventBridge events, so the queue is an extra hop that EventBridge would have to fill and a consumer would have to drain. Option D also relies on a periodic scan rather than scan on push, so an image with Critical findings can sit in the repository, and be deployed, until the next scan runs. Option C re-scans every hour instead of on push, which delays detection and collides with basic scanning’s limit of one manual scan per image per 24 hours, so most of the scheduled scans would be rejected. Amazon Simple Email Service (SES) in B and D is not wrong in itself, but SNS is the simpler fit for alerting a team: email, chat-webhook and on-call subscribers attach to the topic without the solution having to build its own email send path.
