Q95 — AWS DVA-C02 Ch.1
To harden container images before they run in production, the company’s application uses Amazon Elastic Container Registry (Amazon ECR) as the image registry, Amazon Elastic Kubernetes Service (Amazon EKS) as the compute platform, and an AWS CodePipeline pipeline to orchestrate continuous integration and delivery (CI/CD) workflows. Static application security testing currently occurs in the final stage of the pipeline—after the new image is deployed to the development namespace in the EKS cluster. Developers want to perform container image analysis earlier in the CI/CD pipeline, before deployment. Which solution is operationally most efficient and meets these requirements?
- A. Build the container image and run the docker scan command locally. Resolve any issues before pushing changes to the source code repository. Write a pre-commit hook to enforce this workflow before commits.
- B. Create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan images upon push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check scan results and fail the pipeline if issues are found. ✓
- C. Create a new CodePipeline stage that occurs after retrieving source code from its repository. Run security scans on the latest version of source code. Fail the pipeline if issues are found.
- D. Add an action in the pipeline’s deploy stage that occurs before deployment to the EKS cluster. Configure ECR basic image scanning to scan images upon push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check scan results and fail the pipeline if issues are found.
Correct Answer: B. Create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan images upon push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check scan results and fail the pipeline if issues are found.
Explanation
Option B is the most operationally efficient solution: it introduces a new CodePipeline stage immediately after the container image is built, configures ECR basic image scanning to trigger on image push, and uses an AWS Lambda function as the action provider to read the scan results and fail the pipeline on findings. Scanning therefore happens as soon as the image exists and before it is promoted, which gives early detection without relying on developers running local tooling (Option A), scanning only source code rather than the built image (Option C), or deferring the check to the deployment phase (Option D). Option B is thus the most efficient way to meet the requirement for early, automated image analysis.
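The Lambda action in Option B is the part candidates most often have to implement in practice, so here is an added example of what it looks like. This is illustrative code written for this page, not code from the exam or from AWS; it assumes the CodePipeline Lambda invoke action passes a JSON `UserParameters` string with `repository`, `imageTag` and `maxSeverity` keys (those parameter names are this example's own choice), and that the function's role can call `ecr:DescribeImageScanFindings` and the CodePipeline job-result APIs. The pass/fail decision is kept in a pure function so it can be unit-tested without the SDK, and it fails closed when the scan has not completed.

```python
"""Added example: CodePipeline Lambda action that gates on ECR basic scan results.

Not part of the original page. UserParameters format is an assumption of this
example, e.g. {"repository": "app", "imageTag": "abc123", "maxSeverity": "MEDIUM"}.
"""
import json

# Severity labels as they appear in ECR's findingSeverityCounts, ranked for comparison.
SEVERITY_RANK = {
    "UNDEFINED": -1,
    "INFORMATIONAL": 0,
    "LOW": 1,
    "MEDIUM": 2,
    "HIGH": 3,
    "CRITICAL": 4,
}


def evaluate_scan(scan_response: dict, max_allowed: str = "MEDIUM") -> tuple[bool, str]:
    """Decide pass/fail from a DescribeImageScanFindings response.

    Returns (ok, message). Any finding with severity strictly above max_allowed
    fails the gate. A scan that is not COMPLETE also fails: the gate must never
    promote an image whose scan never finished or errored out.
    """
    status = scan_response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, f"scan status is {status!r}, not COMPLETE; failing closed"

    counts = scan_response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    limit = SEVERITY_RANK[max_allowed]
    blocking = {
        sev: n for sev, n in counts.items()
        if SEVERITY_RANK.get(sev, -1) > limit and n > 0
    }
    if blocking:
        detail = ", ".join(
            f"{sev}={n}"
            for sev, n in sorted(blocking.items(), key=lambda kv: -SEVERITY_RANK[kv[0]])
        )
        return False, f"findings above {max_allowed}: {detail}"
    return True, f"no findings above {max_allowed} (counts: {counts or 'none'})"


def lambda_handler(event, context):
    """Entry point for the CodePipeline 'Lambda invoke' action."""
    import boto3  # imported here so evaluate_scan() stays testable without the SDK

    job = event["CodePipeline.job"]
    job_id = job["id"]
    params = json.loads(job["data"]["actionConfiguration"]["configuration"]["UserParameters"])
    image_id = {"imageTag": params["imageTag"]}

    ecr = boto3.client("ecr")
    codepipeline = boto3.client("codepipeline")

    # Scan-on-push runs asynchronously, so wait for it before reading findings.
    ecr.get_waiter("image_scan_complete").wait(
        repositoryName=params["repository"],
        imageId=image_id,
        WaiterConfig={"Delay": 5, "MaxAttempts": 60},
    )
    resp = ecr.describe_image_scan_findings(
        repositoryName=params["repository"], imageId=image_id
    )

    ok, message = evaluate_scan(resp, params.get("maxSeverity", "MEDIUM"))
    if ok:
        codepipeline.put_job_success_result(jobId=job_id)
    else:
        codepipeline.put_job_failure_result(
            jobId=job_id,
            failureDetails={"type": "JobFailed", "message": message[:5000]},
        )
    return {"ok": ok, "message": message}


# Constructed sample response (not real scan data) in the shape ECR returns.
CONSTRUCTED_SCAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2, "LOW": 7}},
}

if __name__ == "__main__":
    print(evaluate_scan(CONSTRUCTED_SCAN, "MEDIUM"))
    print(evaluate_scan(CONSTRUCTED_SCAN, "CRITICAL"))
    print(evaluate_scan({"imageScanStatus": {"status": "IN_PROGRESS"}}, "MEDIUM"))
```

Placing this action in its own stage right after the build stage (rather than inside the deploy stage, as Option D does) means a failing image never reaches the deploy stage at all, and the failure message surfaces the severity counts directly in the pipeline console.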