Q14 — AWS SCS-C02 Ch.1

Question 14 of 100

A company is using Amazon Elastic Container Service (Amazon ECS) to run its container-based application on AWS. The company needs to ensure that the container images contain no severe vulnerabilities. The company also must ensure that only specific IAM roles and specific AWS accounts can access the container images. Which solution will meet these requirements with the LEAST management overhead?

Correct Answer: C. Pull images from the public container registry. Publish the images to Amazon Elastic Container Registry (Amazon ECR) repositories with scan on push configured in a centralized AWS account. Use a CI/CD pipeline to deploy the images to different AWS accounts. Use repository policies and identity-based policies to restrict access to which IAM principals and accounts can access the images.  

Explanation

The question has two requirements: the container images must contain no severe vulnerabilities, and only specific IAM roles in specific AWS accounts may access them. Amazon ECR can scan images automatically when they are pushed (scan on push), which covers the vulnerability-detection requirement; the CI/CD pipeline then has to read the scan findings and refuse to promote an image that has CRITICAL or HIGH findings, since scanning alone only reports them. Access control for a repository in a centralized account needs two policies working together: a repository policy (a resource-based policy on the ECR repository in the central account) that names the foreign principals allowed to pull, and an identity-based policy on each consuming role that grants the ECR pull actions. Cross-account access is granted only when both allow it. Option C is correct because it uses ECR scan on push and restricts access with repository policies plus identity-based policies, covering both the cross-account and the specific-IAM-principal requirements with managed services only. Option A does not use repository policies, so cross-account pulls from the central account would not be authorized; option B's self-hosted registry adds operational overhead for hosting, patching and scanning; option D's AWS CodeArtifact is an artifact repository for packages (npm, PyPI, Maven and similar), not a container registry, so it does not provide image scanning or ECS integration. See the AWS documentation on ECR image scanning and on cross-account repository access.
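The following is an added example, not part of the original question page and not AWS code: it builds the two policies option C relies on (a repository policy in the central account and an identity-based policy for a consuming role) and implements the pipeline gate that turns ECR scan-on-push findings into a pass/fail decision. The account IDs, role names, repository name and the DescribeImageScanFindings responses are constructed sample values; the response field names (imageScanStatus.status, imageScanFindings.findingSeverityCounts) follow the real ECR API shape.

```python
import json

# Constructed example identifiers (assumptions, not from the question).
CENTRAL_ACCOUNT = "111111111111"
REPO_NAME = "app/api"
REPO_ARN = f"arn:aws:ecr:us-east-1:{CENTRAL_ACCOUNT}:repository/{REPO_NAME}"
ALLOWED_PULL_ROLES = [
    "arn:aws:iam::222222222222:role/EcsTaskExecutionRole",  # dev account
    "arn:aws:iam::333333333333:role/EcsTaskExecutionRole",  # prod account
]
# Minimum actions a task execution role needs to pull an image from ECR.
PULL_ACTIONS = [
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
]


def repository_policy(allowed_roles):
    """Resource-based policy set on the ECR repository in the central account.

    Only the listed role ARNs (in other accounts) may pull; everyone else is
    implicitly denied because no other statement grants them anything.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPullFromSpecificRoles",
                "Effect": "Allow",
                "Principal": {"AWS": list(allowed_roles)},
                "Action": PULL_ACTIONS,
            }
        ],
    }


def identity_policy(repo_arn):
    """Identity-based policy attached to a pulling role in a consuming account.

    Cross-account access requires this in addition to the repository policy.
    ecr:GetAuthorizationToken is not resource-scoped, so it uses "*".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": PULL_ACTIONS, "Resource": repo_arn},
        ],
    }


def severe_findings(scan_response, severities=("CRITICAL", "HIGH")):
    """Return {severity: count} for the severities that block promotion."""
    counts = scan_response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    return {sev: n for sev, n in counts.items() if sev in severities and n > 0}


def promotion_allowed(scan_response):
    """Pipeline gate: True only if the scan finished and found nothing severe.

    An unfinished or failed scan is treated as a hard error rather than a pass,
    so an image can never be deployed just because scanning did not run.
    """
    status = scan_response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        raise RuntimeError(f"image scan not complete (status={status}); refusing to promote")
    return not severe_findings(scan_response)


# Constructed DescribeImageScanFindings responses (trimmed to the fields used).
SCAN_CLEAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"LOW": 4, "MEDIUM": 2}},
}
SCAN_DIRTY = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2, "LOW": 7}},
}
SCAN_PENDING = {"imageScanStatus": {"status": "IN_PROGRESS"}, "imageScanFindings": {}}

if __name__ == "__main__":
    print(json.dumps(repository_policy(ALLOWED_PULL_ROLES), indent=2))
    print(json.dumps(identity_policy(REPO_ARN), indent=2))
    print("clean image promoted:", promotion_allowed(SCAN_CLEAN))
    print("dirty image blocked, findings:", severe_findings(SCAN_DIRTY))
```

In a real pipeline the two scan responses would come from `aws ecr describe-image-scan-findings` (or the boto3 call of the same name) after `scanOnPush` has been enabled on the repository with `aws ecr put-image-scanning-configuration`; the gate waits for status COMPLETE before deciding, and the repository policy is applied once with `aws ecr set-repository-policy` in the central account.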