Q23 — AWS DOP-C02 Ch.3
A company uses Amazon Elastic Container Registry (Amazon ECR) private registries to store container images. A development team needs to ensure container images are scanned regularly for software vulnerabilities. Which solution meets this requirement?
- A. Enable enhanced scanning for the Amazon ECR private registry. ✓
- B. Enable basic continuous scanning for the Amazon ECR private registry.
- C. Create an AWS Systems Manager Automation document that scans images using the AWS SDK. Configure the Automation document to run when a new image is pushed to the ECR registry.
- D. Create an AWS Lambda function that scans all images in Amazon ECR using the AWS SDK. Create an Amazon EventBridge rule scheduled daily to invoke the Lambda function.
Correct Answer: A. Enable enhanced scanning for the Amazon ECR private registry.
Explanation
Amazon ECR provides built-in vulnerability scanning. Basic scanning runs automatically on image push but does not support configurable periodic scanning. Enhanced scanning supports on-demand and scheduled scans and delivers deeper vulnerability assessments, which matches the requirement for regular scanning. Options C and D introduce operational overhead and maintenance burden, whereas option A leverages a fully managed, native ECR feature. Option B does not satisfy the ‘regular’ (i.e., scheduled) scanning requirement.