Q69 — AWS DVA-C02 Ch.3
A company wants to harden its container images before they enter production. The company’s application uses Amazon Elastic Container Registry (Amazon ECR) as the image registry, Amazon Elastic Kubernetes Service (Amazon EKS) for compute, and AWS CodePipeline for CI/CD workflows integrating containers. After deploying a new container image to the development namespace in the EKS cluster, end-to-end application testing occurs in the final stage of the pipeline. Developers want to insert an analysis stage earlier in the CI/CD pipeline to analyze container images before deployment. Which solution meets these requirements with the highest operational efficiency?
- A. Build the container image and run the docker scan command locally. Remediate any findings before pushing changes to the source code repository. Implement a pre-commit hook to enforce this workflow before commits.
- B. Create a new CodePipeline stage that occurs after building the container image. Configure ECR basic image scanning to scan images upon push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check scan results and fail the pipeline if findings are detected. ✓
- C. Create a new CodePipeline stage that occurs after retrieving source code from its repository. Run a security scanner against the latest version of the source code. Fail the pipeline if findings are detected.
- D. Add an action to the pipeline’s deploy stage so that it occurs before deployment to the EKS cluster. Configure ECR basic image scanning to scan images upon push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check scan results and fail the pipeline if findings are detected.
Correct Answer: B. Create a new CodePipeline stage that occurs after building the container image. Configure ECR basic image scanning to scan images upon push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check scan results and fail the pipeline if findings are detected.
Explanation
Integration into the CI/CD pipeline: Option B performs the security scan in a dedicated pipeline stage immediately after the container image is built. This is the right timing point: the image is scanned as soon as it is pushed to ECR, so the scan results are known before the image is deployed to the EKS cluster, and a failing image never reaches the development namespace or the end-to-end test stage.

Using ECR basic image scanning: Amazon ECR provides built-in image scanning that can be configured to run automatically when an image is pushed. Scan-on-push guarantees that every image version pushed to the repository is scanned, without any scanner to install or maintain in the build environment.

Lambda function as action provider: An AWS Lambda function can serve as the action provider for the new stage. It retrieves the scan findings for the pushed image and reports success or failure back to CodePipeline, failing the pipeline when findings are detected. This integrates into CodePipeline workflows for automated security testing and pipeline state management with no additional infrastructure.

Why the other options are less suitable:

- Option A: Running docker scan locally does enable scanning, but it relies on manual developer steps and a client-side pre-commit hook, which can be skipped or misconfigured. It is not an automated stage in the CI/CD pipeline, so it does not meet the requirement.
- Option C: Scanning at the source code retrieval stage occurs too early. No image has been built or pushed yet, so a source code scan cannot find vulnerabilities in the base image or in packages added during the build, and it fails the requirement to analyze container images before they enter the EKS cluster.
- Option D: Adding the check to the deploy stage performs the scan just before deployment. It still blocks vulnerable images, but it discovers problems as late as possible, which makes remediation more complex and departs from the best practice of scanning immediately after the image is pushed.

Therefore, Option B best integrates security scanning into the CI/CD pipeline, ensuring images undergo the necessary security testing and validation before deployment to EKS.
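The Lambda action provider described in Option B, as an added worked example (this is not code from the exam page or from AWS): the function fetches the ECR basic-scan findings for the image the build stage pushed, decides PASS, FAIL or RETRY from the severity counts, and reports the result to CodePipeline. It assumes the action's UserParameters is a JSON string with `repository`, `imageTag` and an optional `minBlocking` severity (assumed names), and that the function's role allows `ecr:DescribeImageScanFindings`, `codepipeline:PutJobSuccessResult` and `codepipeline:PutJobFailureResult`. The `ecr` and `codepipeline` parameters let the handler be exercised with stub clients offline; in Lambda they are created from boto3.

```python
import json

# ECR basic-scan severity labels, ordered from least to most severe.
SEVERITY_ORDER = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")
DEFAULT_MIN_BLOCKING = "HIGH"  # assumed default: block on HIGH and CRITICAL


def blocking_severities(min_blocking=DEFAULT_MIN_BLOCKING):
    """Severities at or above the threshold, e.g. HIGH -> ("HIGH", "CRITICAL")."""
    idx = SEVERITY_ORDER.index(min_blocking)
    return SEVERITY_ORDER[idx:]


def evaluate_scan(scan_response, min_blocking=DEFAULT_MIN_BLOCKING):
    """Decide what the pipeline action should do with one describe_image_scan_findings response.

    Returns (verdict, message) where verdict is "PASS", "FAIL" or "RETRY".
    RETRY means the scan-on-push has not finished yet, so the action should
    wait and be re-invoked rather than fail the pipeline.
    """
    status = scan_response.get("imageScanStatus", {}).get("status")
    if status == "IN_PROGRESS":
        return "RETRY", "image scan still in progress"
    if status != "COMPLETE":
        # FAILED or missing status: an unscanned image is treated as untrusted.
        return "FAIL", f"image scan did not complete (status={status})"

    counts = scan_response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    # ECR reports UNDEFINED for findings whose severity is not known; an
    # unknown severity is counted as blocking rather than silently ignored.
    blocking = {
        sev: n for sev, n in counts.items()
        if n > 0 and (sev == "UNDEFINED" or sev in blocking_severities(min_blocking))
    }
    if blocking:
        summary = ", ".join(f"{sev}={n}" for sev, n in sorted(blocking.items()))
        return "FAIL", f"blocking findings at or above {min_blocking}: {summary}"
    return "PASS", f"no findings at or above {min_blocking}"


def lambda_handler(event, context, ecr=None, codepipeline=None):
    """CodePipeline invoke-Lambda action: fetch scan findings and report the job result."""
    if ecr is None or codepipeline is None:
        import boto3  # imported lazily so the decision logic above runs without it
        ecr = ecr or boto3.client("ecr")
        codepipeline = codepipeline or boto3.client("codepipeline")

    job = event["CodePipeline.job"]
    job_id = job["id"]
    # UserParameters is the free-form string configured on the pipeline action
    # (assumed here to be JSON with repository / imageTag / minBlocking).
    params = json.loads(job["data"]["actionConfiguration"]["configuration"]["UserParameters"])

    response = ecr.describe_image_scan_findings(
        repositoryName=params["repository"],
        imageId={"imageTag": params["imageTag"]},
    )
    verdict, message = evaluate_scan(response, params.get("minBlocking", DEFAULT_MIN_BLOCKING))

    if verdict == "RETRY":
        # A continuation token tells CodePipeline to invoke this function again
        # later instead of marking the action complete.
        codepipeline.put_job_success_result(
            jobId=job_id, continuationToken=json.dumps({"waitingForScan": True})
        )
    elif verdict == "PASS":
        codepipeline.put_job_success_result(jobId=job_id)
    else:
        codepipeline.put_job_failure_result(
            jobId=job_id,
            failureDetails={"type": "JobFailed", "message": message[:5000]},
        )
    return {"verdict": verdict, "message": message}
```

Keeping the pass/fail decision in `evaluate_scan`, separate from the AWS calls, is what makes the gate testable in the pipeline's own unit tests; the RETRY path matters in practice because scan-on-push is asynchronous and the action can run before the scan finishes.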