Q99 — AWS DOP-C02 Ch.1

Question 99 of 100

A company uses an HPC platform to run data analytics workloads. It uses AWS CodeBuild to create container images and stores them in Amazon Elastic Container Registry (Amazon ECR). These images are then deployed on Amazon Elastic Kubernetes Service (Amazon EKS). To maintain compliance, the company must ensure images are signed before deploying to Amazon EKS. Signing keys must be rotated regularly and managed automatically. The company also needs to track who generated the signature.

Correct Answer: D. Use CodeBuild to build the image. Sign the image using AWS Signer before pushing it to Amazon ECR. Use AWS CloudTrail to track the signer.

Explanation

This question addresses container image signing and compliance management in AWS. AWS Signer is a fully managed code-signing service that rotates signing keys automatically, with no manual key handling. Integrating the signing step into the CodeBuild build process ensures every image is signed before it is pushed to ECR, which satisfies the requirement that images be signed before deployment to EKS. AWS CloudTrail records AWS Signer API calls, including the IAM identity that made each call, so the company has an auditable record of who generated each signature. Compared with the other options, option D relies on native integration between AWS services, minimizes custom scripting and extra steps, and therefore carries the lowest operational overhead. AWS documentation confirms that AWS Signer supports automatic key lifecycle management and integrates with CodeBuild and ECR.