Q50 — AWS SAP-C02 Ch.3

Q275. A company is running a containerized application in the AWS Cloud. The application runs on Amazon Elastic Container Service (Amazon ECS) on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group. The company uses Amazon Elastic Container Registry (Amazon ECR) to store its container images. When a new image version is uploaded, the new image version receives a unique tag. The company needs a solution that inspects new image versions for common vulnerabilities and exposures. The solution must automatically delete new image tags that have Critical or High severity findings. The solution also must notify the development team when such a deletion occurs. Which solution meets these requirements?

Correct Answer: A. Configure scan on push on the repository. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Step Functions state machine when a scan is complete for images that have Critical or High severity findings. Use the Step Functions state machine to delete the image tag for those images and to notify the development team through Amazon Simple Notification Service (Amazon SNS).

Explanation

A. Configure scan on push on the repository. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Step Functions state machine when a scan is complete for images that have Critical or High severity findings. Use the Step Functions state machine to delete the image tag for those images and to notify the development team through Amazon Simple Notification Service (Amazon SNS).

This solution configures the repository to scan every image on push. When a scan completes and reports an image with Critical or High severity findings, Amazon EventBridge invokes an AWS Step Functions state machine that deletes the image tag and notifies the development team through Amazon SNS.

B, C, and D are not valid solutions:

B. Configure scan on push on the repository. Configure scan results to be pushed to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Lambda function when a new message is added to the SQS queue. Use the Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).

This solution configures the repository to scan images on push and sets up an Amazon SQS queue to receive scan results. An AWS Lambda function is invoked when a new message is added to the queue to delete tags with Critical or High severity findings. However, this solution does not meet the requirement of automatically deleting image tags with Critical or High severity findings. Additionally, it sends notification emails through Amazon SES instead of Amazon SNS.

C. Schedule an AWS Lambda function to start a manual image scan every hour. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke another Lambda function when a scan is complete. Use the second Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Notification Service (Amazon SNS).

This solution schedules an AWS Lambda function to perform manual image scans on a periodic basis. However, this approach is not scalable and does not provide real-time scanning for newly uploaded images. Additionally, it does not meet the requirement of automatically deleting image tags with Critical or High severity findings.

D. Configure periodic image scan on the repository. Configure scan results to be added to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Step Functions state machine when a new message is added to the SQS queue. Use the Step Functions state machine to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).

This solution periodically scans the repository for vulnerabilities and exposes the scan results in an Amazon SQS queue. An AWS Step Functions state machine examines the results of the scans and automatically deletes image tags with Critical or High severity findings. However, this solution does not provide real-time scanning for newly uploaded images, which might leave security vulnerabilities present for extended periods before they are detected and removed. Additionally, notification emails are sent through Amazon SES instead of Amazon SNS.
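The event-driven pipeline in answer A, worked through as an added example (not code from the question, the exam, or AWS). The event layout follows the documented "ECR Image Scan" EventBridge event that ECR basic scanning emits; the EventBridge rule pattern, the repository names, tags, finding counts, topic ARN and the fake ECR/SNS clients are all constructed for this demo. The `quarantine_image` function is what the Step Functions state machine (or a Lambda task inside it) would do once the rule fires: delete the offending tag with `batch_delete_image` and publish the details to an SNS topic.

```python
"""Act on Amazon ECR image-scan events: delete tags with Critical/High findings
and notify the team. Added example; event shape follows the documented
"ECR Image Scan" event for ECR basic scanning. All names and values below
are constructed for the demo, not taken from a real account."""
import json

# Assumed EventBridge rule pattern: fire only for completed scans reporting at
# least one CRITICAL or HIGH finding ($or supplies the "either severity" match).
EVENT_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {
        "scan-status": ["COMPLETE"],
        "$or": [
            {"finding-severity-counts": {"CRITICAL": [{"numeric": [">", 0]}]}},
            {"finding-severity-counts": {"HIGH": [{"numeric": [">", 0]}]}},
        ],
    },
}

BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:ecr-scan-alerts"  # constructed


def blocking_findings(event):
    """Return {severity: count} for CRITICAL/HIGH findings; empty if none or scan not complete."""
    detail = event.get("detail", {})
    if detail.get("scan-status") != "COMPLETE":
        return {}
    counts = detail.get("finding-severity-counts", {})
    return {sev: counts[sev] for sev in BLOCKING_SEVERITIES if counts.get(sev, 0) > 0}


def quarantine_image(event, ecr, sns, topic_arn=TOPIC_ARN):
    """Delete the tags of an image with blocking findings and notify via SNS.

    `ecr` and `sns` are boto3-style clients (real or fake); only
    batch_delete_image and publish are called on them.
    """
    findings = blocking_findings(event)
    if not findings:
        return {"deleted": [], "notified": False}
    detail = event["detail"]
    repo = detail["repository-name"]
    tags = detail.get("image-tags") or []
    # Deleting by tag removes the tag (layers stay until no tag references them);
    # an untagged image is addressed by digest instead.
    image_ids = [{"imageTag": t} for t in tags] or [{"imageDigest": detail["image-digest"]}]
    resp = ecr.batch_delete_image(repositoryName=repo, imageIds=image_ids)
    deleted = [i.get("imageTag") or i.get("imageDigest") for i in resp.get("imageIds", [])]
    summary = ", ".join(f"{sev}={n}" for sev, n in findings.items())
    message = {
        "repository": repo,
        "image_digest": detail["image-digest"],
        "deleted": deleted,
        "findings": findings,
        "failures": resp.get("failures", []),
        "scan_time": event.get("time"),
    }
    sns.publish(
        TopicArn=topic_arn,
        Subject=f"ECR tag removed from {repo}: {summary}"[:100],  # SNS subject limit is 100 chars
        Message=json.dumps(message, indent=2),
    )
    return {"deleted": deleted, "notified": True}


class FakeEcr:
    """Stand-in for a boto3 ECR client; records batch_delete_image calls."""
    def __init__(self):
        self.calls = []

    def batch_delete_image(self, repositoryName, imageIds):
        self.calls.append((repositoryName, imageIds))
        return {"imageIds": imageIds, "failures": []}


class FakeSns:
    """Stand-in for a boto3 SNS client; records published messages."""
    def __init__(self):
        self.messages = []

    def publish(self, TopicArn, Subject, Message):
        self.messages.append({"TopicArn": TopicArn, "Subject": Subject, "Message": Message})
        return {"MessageId": "constructed-message-id"}


def make_scan_event(repo, tag, digest, counts):
    """Constructed ECR Image Scan event in the documented shape."""
    return {
        "version": "0",
        "source": "aws.ecr",
        "detail-type": "ECR Image Scan",
        "account": "123456789012",
        "region": "us-east-1",
        "time": "2024-01-01T00:00:00Z",
        "resources": [f"arn:aws:ecr:us-east-1:123456789012:repository/{repo}"],
        "detail": {
            "scan-status": "COMPLETE",
            "repository-name": repo,
            "image-digest": digest,
            "image-tags": [tag],
            "finding-severity-counts": counts,
        },
    }


VULNERABLE_EVENT = make_scan_event("payments-api", "v1.4.2", "sha256:" + "ab" * 32,
                                   {"CRITICAL": 2, "HIGH": 5, "MEDIUM": 9})
CLEAN_EVENT = make_scan_event("payments-api", "v1.4.3", "sha256:" + "cd" * 32,
                              {"MEDIUM": 3, "LOW": 1})

if __name__ == "__main__":
    ecr, sns = FakeEcr(), FakeSns()
    print(quarantine_image(VULNERABLE_EVENT, ecr, sns))  # tag deleted, team notified
    print(quarantine_image(CLEAN_EVENT, ecr, sns))       # nothing to do
    print(sns.messages[0]["Subject"])
```

In a real deployment the rule pattern targets the state machine, and the two actions can be Step Functions AWS SDK integrations (`ecr:batchDeleteImage`, `sns:publish`) rather than a Lambda; the filtering logic is the same. One caveat worth knowing: if the registry uses Amazon Inspector enhanced scanning instead of basic scanning, the scan-complete event has a different source and detail type, so the rule pattern above would need to match that event instead.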