SAP-C02: Securing New AWS Application with Least Operational Overhead

Continuously scanning AWS resources for vulnerabilities is crucial, but keeping the operational overhead low matters just as much. This guide explores the most efficient approach for an EKS cluster and ECR repository based on AWS security best practices.

Question

A company is deploying a new application on AWS. The application consists of an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and an Amazon Elastic Container Registry (Amazon ECR) repository. The EKS cluster has an AWS managed node group.

The company’s security guidelines state that all resources on AWS must be continuously scanned for security vulnerabilities.

Which solution will meet this requirement with the LEAST operational overhead?

A. Activate AWS Security Hub. Configure Security Hub to scan the EKS nodes and the ECR repository.
B. Activate Amazon Inspector to scan the EKS nodes and the ECR repository.
C. Launch a new Amazon EC2 instance and install a vulnerability scanning tool from AWS Marketplace. Configure the EC2 instance to scan the EKS nodes. Configure Amazon ECR to perform a basic scan on push.
D. Install the Amazon CloudWatch agent on the EKS nodes. Configure the CloudWatch agent to scan continuously. Configure Amazon ECR to perform a basic scan on push.

Answer

D. Install the Amazon CloudWatch agent on the EKS nodes. Configure the CloudWatch agent to scan continuously. Configure Amazon ECR to perform a basic scan on push.

Explanation

Here’s why this option is most efficient:

  • CloudWatch Agent Integration: CloudWatch Agent is already pre-built for EKS, minimizing additional installations and configuration complexity.
  • Continuous Scanning: CloudWatch Agent allows scheduling automated vulnerability scans at desired intervals for ongoing security.
  • ECR Basic Scan: ECR’s built-in basic scan on push offers a lightweight vulnerability check during image uploads without needing separate tools.
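Option D relies on ECR's basic scan on push. Enabling it on a repository is `aws ecr put-image-scanning-configuration --repository-name <repo> --image-scanning-configuration scanOnPush=true`, and the results are read back with `aws ecr describe-image-scan-findings`. As an added example (not part of the original page), the Python below reads such a response (a constructed sample with placeholder CVE identifiers and package names) and refuses to promote an image that still carries findings at or above a chosen severity, or whose scan has not completed:

```python
import json

# Constructed sample of an `aws ecr describe-image-scan-findings` response.
# The shape follows the ECR API; CVE ids, digest and package names are placeholders.
SAMPLE_RESPONSE = json.loads("""
{
  "repositoryName": "example-app",
  "imageId": {"imageDigest": "sha256:PLACEHOLDER", "imageTag": "1.0.0"},
  "imageScanStatus": {"status": "COMPLETE"},
  "imageScanFindings": {
    "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "LOW": 1},
    "findings": [
      {"name": "CVE-0000-00001", "severity": "HIGH",
       "attributes": [{"key": "package_name", "value": "libexample"}]},
      {"name": "CVE-0000-00002", "severity": "MEDIUM",
       "attributes": [{"key": "package_name", "value": "libother"}]},
      {"name": "CVE-0000-00003", "severity": "LOW",
       "attributes": [{"key": "package_name", "value": "libminor"}]}
    ]
  }
}
""")

# ECR severity labels, ordered so a threshold can be compared numerically.
SEVERITY_RANK = {"UNDEFINED": 0, "INFORMATIONAL": 0, "LOW": 1,
                 "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def blocking_findings(response, fail_on="HIGH"):
    """Return (cve, severity, package) for findings at or above `fail_on`.

    A scan that is still IN_PROGRESS or has FAILED raises, so a pipeline
    never promotes an image that nobody has actually scanned.
    """
    status = response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        raise RuntimeError(f"scan not complete: {status}")
    threshold = SEVERITY_RANK[fail_on]
    hits = []
    for finding in response["imageScanFindings"].get("findings", []):
        severity = finding.get("severity", "UNDEFINED")
        if SEVERITY_RANK.get(severity, 0) >= threshold:
            pkg = next((a["value"] for a in finding.get("attributes", [])
                        if a.get("key") == "package_name"), "?")
            hits.append((finding["name"], severity, pkg))
    return hits


def gate_passes(response, fail_on="HIGH"):
    """True when the image may be promoted under the given severity policy."""
    return len(blocking_findings(response, fail_on)) == 0
```

The severity threshold and the treatment of unfinished scans are the two policy knobs a team normally tunes; everything else is just the documented response shape.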

Why Other Options Are Less Optimal:

  • A. Security Hub: While powerful, Security Hub requires configuring additional integrations for both EKS and ECR, increasing complexity.
  • B. Amazon Inspector: Inspector is well-suited for EC2 instances but not optimized for containerized environments like EKS.
  • C. Separate Vulnerability Scanning Instance: Launching and managing a dedicated EC2 instance solely for scanning adds unnecessary infrastructure overhead.

By leveraging existing EKS integrations and ECR’s basic scan, option D achieves continuous vulnerability management with minimal operational burden.