AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 283

A company is running an internal application in an Amazon Elastic Container Service (Amazon ECS) cluster on Amazon EC2. The ECS cluster instances can connect to the public internet. The ECS tasks that run on the cluster instances are configured to use images from both private Amazon Elastic Container Registry (Amazon ECR) repositories and a public ECR registry repository.

A new security policy requires the company to remove the ECS cluster's direct access to the internet. The company must remove any NAT gateways and internet gateways from the VPC that hosts the cluster. A DevOps engineer needs to ensure the ECS cluster can still download images from both the public ECR registry and the private ECR repositories. Images from the public ECR registry must remain up-to-date. New versions of the images must be available to the ECS cluster within 24 hours of publication.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose three.)

Answer options

• A. Create an AWS CodeBuild project and a new private ECR repository for each image that is downloaded from the public ECR registry. Configure each project to pull the image from the public ECR repository and push the image to the new private ECR repository. Create an Amazon EventBridge rule that invokes the CodeBuild project once every 24 hours. Update each task definition in the ECS cluster to refer to the new private ECR repository.
• B. Create a new Amazon ECR pull through cache rule for each image that is downloaded from the public ECR registry. Create an AWS Lambda function that invokes each pull through cache rule. Create an Amazon EventBridge rule that invokes the Lambda function once every 24 hours. Update each task definition in the ECS cluster to refer to the image from the pull through cache.
• C. Create a new Amazon ECR pull through cache rule for the public ECR registry. Update each task definition in the ECS cluster to refer to the image from the pull through cache. Ensure each public image has been downloaded through the pull through cache at least once before removing internet access from the VPC.
• D. Create an Amazon ECR interface VPC endpoint for the public ECR repositories that are in the VPC.
• E. Create an Amazon ECR interface VPC endpoint for the private ECR repositories that are in the VPC.
• F. Create an Amazon S3 gateway endpoint in the VPC.

Correct answer: C, E, F

Explanation

To allow an ECS cluster in a private VPC without internet access to retrieve images from ECR, you must configure interface VPC endpoints for ECR (Option E) and a gateway VPC endpoint for Amazon S3, as ECR utilizes S3 to store image layers (Option F). To access public ECR images without internet access, an ECR pull-through cache rule can be created; pulling the images once before severing internet access caches them, and ECR automatically keeps them updated within 24 hours when pulled thereafter (Option C). Options A and B are incorrect because they introduce unnecessary operational complexity with CodeBuild, Lambda, and EventBridge.