Q55 — AWS SCS-C02 Ch.1


A company is running internal microservices on Amazon Elastic Container Service (Amazon ECS) with the Amazon EC2 launch type. The company is using Amazon Elastic Container Registry (Amazon ECR) private repositories. A security engineer needs to encrypt the private repositories by using AWS Key Management Service (AWS KMS). The security engineer also needs to analyze the container images for any common vulnerabilities and exposures (CVEs). Which solution will meet these requirements?

Correct Answer: B. Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.

Explanation

The question centers on implementing KMS encryption and vulnerability scanning for ECR private repositories. According to AWS, an existing ECR repository cannot have KMS encryption enabled directly; the encryption option must be selected when the repository is recreated. Likewise, ECR's built-in image scanning needs to be activated when the repository is created, and a CVE report is generated automatically after new images are pushed. Option B recreates the repositories while configuring both encryption and scanning, which matches the required procedure; the other options, which involve installing agents, encrypting existing repositories, or using non-dedicated scanning tools, cannot satisfy both requirements at the same time.