AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 265

A company needs to increase the security of the container images that run in its production environment. The company wants to integrate operating system scanning and programming language package vulnerability scanning for the containers in its CI/CD pipeline. The CI/CD pipeline is an AWS CodePipeline pipeline that includes an AWS CodeBuild build project, AWS CodeDeploy actions, and an Amazon Elastic Container Registry (Amazon ECR) repository.

A DevOps engineer needs to add an image scan to the CI/CD pipeline. The CI/CD pipeline must deploy only images without CRITICAL and HIGH findings into production.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

Correct answer: B, D

Explanation

Amazon ECR enhanced scanning is performed by Amazon Inspector and covers both operating system packages and programming language packages, which is exactly what the requirement asks for; basic scanning (historically built on the open-source Clair scanner) covers only operating system packages. The scan result cannot by itself approve or reject a pipeline stage, because ECR has no integration that submits a result to a CodePipeline action. Enhanced scanning does publish a scan-completion event to Amazon EventBridge (source aws.inspector2, with the number of findings per severity in the event detail), so the gate is an EventBridge rule that invokes an AWS Lambda function: the function checks the CRITICAL and HIGH counts and calls the CodePipeline PutApprovalResult API to approve or reject the pending manual approval action. Two practical points: the function should fail closed (reject when the scan did not complete or the counts are missing), and the rule should be scoped to the production repository so scans of unrelated images do not act on the pipeline.
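The EventBridge-to-Lambda gate described above, as an added example (not code from the exam question or from AWS). The event fields it reads (scan-status, repository-name, image-digest, finding-severity-counts) are the ones ECR documents for enhanced-scanning completion events; the pipeline, stage and action names, the environment variables, and the sample event are assumptions constructed for the example. The decision logic is kept in pure functions so it can be exercised without AWS credentials; only lambda_handler touches boto3.

```python
"""Gate a CodePipeline manual-approval action on an ECR enhanced-scan result.

Example code for the DOP-C02 question above; PIPELINE_NAME, STAGE_NAME and
ACTION_NAME are assumed names, not values from the question.
"""
import os

# EventBridge rule pattern. Enhanced scanning is performed by Amazon Inspector,
# so the completion event is published by aws.inspector2, not aws.ecr.
# Add "repository-name": [...] under "detail" to scope the rule to one repository.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Scan"],
    "detail": {"scan-status": ["INITIAL_SCAN_COMPLETE"]},
}

BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")

# Assumed values; in a real deployment set these as Lambda environment variables.
PIPELINE_NAME = os.environ.get("PIPELINE_NAME", "app-pipeline")
STAGE_NAME = os.environ.get("STAGE_NAME", "ImageGate")
ACTION_NAME = os.environ.get("ACTION_NAME", "ScanApproval")


def evaluate_scan(detail):
    """Decide the approval result from the event's 'detail' object.

    Returns ("Approved" | "Rejected", summary). Fails closed: an incomplete
    scan or a missing severity-count block is a rejection, never an approval.
    """
    image = f"{detail.get('repository-name')}@{detail.get('image-digest')}"
    status = detail.get("scan-status")
    if status != "INITIAL_SCAN_COMPLETE":
        return "Rejected", f"{image}: scan not complete (status={status})"
    counts = detail.get("finding-severity-counts")
    if not isinstance(counts, dict):
        return "Rejected", f"{image}: no severity counts in event"
    blocking = {sev: int(counts.get(sev, 0)) for sev in BLOCKING_SEVERITIES}
    found = ", ".join(f"{sev}={n}" for sev, n in blocking.items())
    if any(blocking.values()):
        return "Rejected", f"{image}: blocked ({found})"
    return "Approved", f"{image}: no CRITICAL or HIGH findings ({found})"


def approval_token(pipeline_state, stage_name, action_name):
    """Return the token of the in-progress approval action from GetPipelineState."""
    for stage in pipeline_state.get("stageStates", []):
        if stage.get("stageName") != stage_name:
            continue
        for action in stage.get("actionStates", []):
            if action.get("actionName") != action_name:
                continue
            latest = action.get("latestExecution") or {}
            if latest.get("status") == "InProgress":
                return latest.get("token")
    return None


def lambda_handler(event, context):
    """Lambda entry point invoked by the EventBridge rule above."""
    import boto3  # imported here so the module loads without the AWS SDK installed

    result, summary = evaluate_scan(event.get("detail") or {})
    codepipeline = boto3.client("codepipeline")
    token = approval_token(
        codepipeline.get_pipeline_state(name=PIPELINE_NAME), STAGE_NAME, ACTION_NAME
    )
    if token is None:
        # No approval is waiting, so there is nothing to gate; approve nothing.
        return {"result": "NoPendingApproval", "summary": summary}
    codepipeline.put_approval_result(
        pipelineName=PIPELINE_NAME,
        stageName=STAGE_NAME,
        actionName=ACTION_NAME,
        result={"summary": summary[:512], "status": result},  # summary max 512 chars
        token=token,
    )
    return {"result": result, "summary": summary}


# Constructed sample event details, shaped like enhanced-scanning completion events.
SAMPLE_BLOCKED = {
    "scan-status": "INITIAL_SCAN_COMPLETE",
    "repository-name": "prod-app",
    "image-digest": "sha256:0123",
    "image-tags": ["1.4.2"],
    "finding-severity-counts": {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 7, "TOTAL": 11},
}
SAMPLE_CLEAN = {
    **SAMPLE_BLOCKED,
    "finding-severity-counts": {"MEDIUM": 2, "LOW": 9, "TOTAL": 11},
}
```

The token lookup matters: PutApprovalResult requires the token of the approval action that is currently waiting, which is only available from GetPipelineState while that action is InProgress, so the Lambda role needs codepipeline:GetPipelineState and codepipeline:PutApprovalResult on the pipeline. If the event arrives before the pipeline reaches the approval stage (for example when the push and the scan finish while the build is still running), the function finds no token and must not approve anything; in that case the scan result has to be re-checked from the approval stage instead.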