AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 316
A company uses Amazon Elastic Container Registry (Amazon ECR) private registries to store container images.
A DevOps team needs to ensure that the container images are regularly scanned for software package vulnerabilities.
Which solution will meet this requirement?
Answer options
- A. Enable enhanced scanning for private registries in Amazon ECR.
- B. Enable basic continuous scanning for private registries in Amazon ECR.
- C. Create an AWS Systems Manager Automation document to scan images by using the AWS SDK. Configure the Automation document to run when a new image is pushed to an ECR registry.
- D. Create an AWS Lambda function that scans all images in Amazon ECR by using the AWS SDK. Create an Amazon EventBridge rule to invoke the Lambda function each day.
Correct answer: A
Explanation
Amazon ECR enhanced scanning is configured at the registry level and integrates with Amazon Inspector. With the CONTINUOUS_SCAN frequency, images are scanned when they are pushed and are automatically rescanned whenever Amazon Inspector adds new vulnerability data, so the registry stays covered without any custom trigger. Basic scanning supports only scan-on-push and manual scans; it has no continuous mode, so Option B describes a setting that does not exist. Options C and D would reimplement a managed feature with custom code, adding operational burden (scheduling, error handling, IAM permissions) and, in the case of Option D, still only scanning once a day rather than whenever a new CVE is published.
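As an added illustration (not part of the exam page), the snippet below builds the registry scanning configuration that Option A describes, in the shape accepted by the ECR `PutRegistryScanningConfiguration` API, and adds the check a reviewer would run afterwards: given a `GetRegistryScanningConfiguration` response, decide whether a named repository is actually covered by an ENHANCED rule with CONTINUOUS_SCAN. The two response dictionaries are constructed sample data, and the wildcard matching via `fnmatch` is an approximation of ECR's repository filter semantics (an assumption, not the service's own matcher). The `enable_enhanced_scanning` helper takes a boto3 `ecr` client and is only used if you pass one in.

```python
"""Enable and verify Amazon ECR enhanced (continuous) scanning.

Added example: builds the registry-level scanning configuration and checks
a GetRegistryScanningConfiguration response for continuous coverage.
"""
import fnmatch


def build_enhanced_scanning_config(repository_filters=("*",)):
    """Return kwargs for ecr.put_registry_scanning_configuration().

    scanType ENHANCED switches the registry to Amazon Inspector scanning;
    CONTINUOUS_SCAN rescans matching images as new CVEs are published.
    """
    return {
        "scanType": "ENHANCED",
        "rules": [
            {
                "scanFrequency": "CONTINUOUS_SCAN",
                "repositoryFilters": [
                    {"filter": pattern, "filterType": "WILDCARD"}
                    for pattern in repository_filters
                ],
            }
        ],
    }


def enable_enhanced_scanning(ecr_client, repository_filters=("*",)):
    """Apply the configuration with a boto3 ECR client (network call)."""
    return ecr_client.put_registry_scanning_configuration(
        **build_enhanced_scanning_config(repository_filters)
    )


def repository_is_continuously_scanned(response, repository_name):
    """True if `repository_name` is covered by ENHANCED + CONTINUOUS_SCAN.

    `response` is the dict returned by get_registry_scanning_configuration().
    Basic scanning, or an enhanced registry whose rules only use
    SCAN_ON_PUSH or whose filters miss this repository, returns False.
    Wildcard matching with fnmatch is an approximation (assumption).
    """
    scanning = response.get("scanningConfiguration", {})
    if scanning.get("scanType") != "ENHANCED":
        return False
    for rule in scanning.get("rules", []):
        if rule.get("scanFrequency") != "CONTINUOUS_SCAN":
            continue
        for repo_filter in rule.get("repositoryFilters", []):
            if fnmatch.fnmatchcase(repository_name, repo_filter["filter"]):
                return True
    return False


# Constructed sample responses (not captured from a real account).
BASIC_ON_PUSH_RESPONSE = {
    "registryId": "123456789012",
    "scanningConfiguration": {
        "scanType": "BASIC",
        "rules": [
            {
                "scanFrequency": "SCAN_ON_PUSH",
                "repositoryFilters": [{"filter": "*", "filterType": "WILDCARD"}],
            }
        ],
    },
}

ENHANCED_PROD_ONLY_RESPONSE = {
    "registryId": "123456789012",
    "scanningConfiguration": {
        "scanType": "ENHANCED",
        "rules": [
            {
                "scanFrequency": "CONTINUOUS_SCAN",
                "repositoryFilters": [{"filter": "prod-*", "filterType": "WILDCARD"}],
            },
            {
                "scanFrequency": "SCAN_ON_PUSH",
                "repositoryFilters": [{"filter": "*", "filterType": "WILDCARD"}],
            },
        ],
    },
}


if __name__ == "__main__":
    print(build_enhanced_scanning_config())
    print(repository_is_continuously_scanned(BASIC_ON_PUSH_RESPONSE, "prod-api"))
    print(repository_is_continuously_scanned(ENHANCED_PROD_ONLY_RESPONSE, "prod-api"))
    print(repository_is_continuously_scanned(ENHANCED_PROD_ONLY_RESPONSE, "dev-api"))
```

The second sample response is the case worth checking in practice: the registry is on enhanced scanning, but only repositories matching `prod-*` get continuous rescans, while everything else is scanned on push only. A compliance check that looks at `scanType` alone would call that registry "continuously scanned" and miss the gap.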