Q95 — AWS DVA-C02 Ch.1

Question 95 of 100, Chapter 1

To harden container images before they run in production, the company's application uses Amazon Elastic Container Registry (Amazon ECR) as the image registry, Amazon Elastic Kubernetes Service (Amazon EKS) as the compute platform, and an AWS CodePipeline pipeline to orchestrate continuous integration and delivery (CI/CD) workflows. Static application security testing currently occurs in the final stage of the pipeline, after the new image has already been deployed to the development namespace in the EKS cluster. Developers want to perform container image analysis earlier in the CI/CD pipeline, before deployment. Which solution is operationally most efficient and meets these requirements?

Correct Answer: B. Create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan images upon push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check scan results and fail the pipeline if issues are found.

Explanation

Option B is the most operationally efficient solution: it introduces a new CodePipeline stage immediately after the container image is built, configures ECR basic image scanning to run automatically on image push, and uses an AWS Lambda function as the stage's action provider to read the scan results and fail the pipeline when findings are present. Scanning therefore happens right after the image is built and before it is promoted, so vulnerabilities are caught early without relying on local tooling (Option A), scanning only source code rather than the built image (Option C), or checking during the late deployment phase (Option D). Thus, Option B delivers the best efficiency and meets the requirement for early, automated image analysis.