AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 333
A company has a continuous integration pipeline where the company creates container images by using AWS CodeBuild. The created images are stored in Amazon Elastic Container Registry (Amazon ECR).
Checking for and fixing the vulnerabilities in the images takes the company too much time. The company wants to identify the image vulnerabilities quickly and notify the security team of the vulnerabilities.
Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)
Answer options
- A. Activate Amazon Inspector enhanced scanning for Amazon ECR. Configure the enhanced scanning to use continuous scanning. Set up a topic in Amazon Simple Notification Service (Amazon SNS).
- B. Create an Amazon EventBridge rule for Amazon Inspector findings. Set an Amazon Simple Notification Service (Amazon SNS) topic as the rule target.
- C. Activate AWS Lambda enhanced scanning for Amazon ECR. Configure the enhanced scanning to use continuous scanning. Set up a topic in Amazon Simple Email Service (Amazon SES).
- D. Create a new AWS Lambda function. Invoke the new Lambda function when scan findings are detected.
- E. Activate default basic scanning for Amazon ECR for all container images. Configure the default basic scanning to use continuous scanning. Set up a topic in Amazon Simple Notification Service (Amazon SNS).
Correct answer: A, B
Explanation
Amazon Inspector enhanced scanning provides automated, continuous vulnerability scanning of container images in Amazon ECR, which satisfies the requirement with minimal overhead. Inspector publishes each finding as an event to Amazon EventBridge, so an EventBridge rule can capture the Inspector findings and forward them directly to an Amazon SNS topic that notifies the security team. Basic scanning does not support continuous scanning, and a custom AWS Lambda function introduces unnecessary operational overhead compared to the native EventBridge-to-SNS integration.
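The EventBridge rule in answer B is defined by an event pattern. The following added example (not part of the exam question or of any AWS documentation) shows such a pattern for Inspector ECR findings together with a small local matcher that reproduces EventBridge's exact-match semantics, so the pattern can be checked against a constructed sample finding before the rule is deployed. The `source` and `detail-type` values are the ones Amazon Inspector emits; the severity and resource-type filters, the account, region, image ARN and finding title are constructed placeholders.

```python
"""Added example: an EventBridge event pattern for Amazon Inspector ECR findings
plus a local matcher, so the pattern can be tested before `aws events put-rule`.
Not the exam page's own code; sample values below are constructed placeholders.
"""
from __future__ import annotations

import json
from typing import Any

# Event pattern exactly as it would be passed to `aws events put-rule --event-pattern`.
# Assumption: the security team only wants CRITICAL and HIGH findings on ECR images.
INSPECTOR_ECR_PATTERN: dict[str, Any] = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["CRITICAL", "HIGH"],
        "resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]},
    },
}

# Constructed sample event shaped like an Inspector finding delivered via EventBridge.
SAMPLE_FINDING_EVENT: dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",       # placeholder event id
    "detail-type": "Inspector2 Finding",
    "source": "aws.inspector2",
    "account": "123456789012",                           # placeholder account
    "region": "us-east-1",
    "detail": {
        "severity": "HIGH",
        "status": "ACTIVE",
        "type": "PACKAGE_VULNERABILITY",
        "title": "CVE-EXAMPLE-0000 - placeholder package",  # placeholder, not a real CVE
        "resources": [
            {
                "type": "AWS_ECR_CONTAINER_IMAGE",
                "id": "arn:aws:ecr:us-east-1:123456789012:repository/app/sha256:placeholder",
            }
        ],
    },
}


def matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """Return True if `event` satisfies `pattern` under EventBridge's basic rules:
    every pattern key must exist in the event; a list of literals matches when the
    event value (or any element of an event list) is one of them; a nested dict
    matches when the event value (or any dict element of an event list) matches it.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        candidates = actual if isinstance(actual, list) else [actual]
        if isinstance(expected, dict):
            if not any(isinstance(c, dict) and matches(expected, c) for c in candidates):
                return False
        else:
            if not any(c in expected for c in candidates):
                return False
    return True


def build_sns_message(event: dict[str, Any]) -> dict[str, str]:
    """Render the notification the SNS target would carry for a matching finding.
    SNS subjects are limited to 100 characters, so the subject is truncated."""
    detail = event["detail"]
    image_ids = [r["id"] for r in detail.get("resources", []) if "id" in r]
    subject = f"[{detail['severity']}] Inspector finding: {detail['title']}"[:100]
    body = json.dumps(
        {"severity": detail["severity"], "status": detail["status"],
         "images": image_ids, "account": event["account"], "region": event["region"]},
        indent=2,
    )
    return {"subject": subject, "body": body}


def route_findings(events: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Apply the rule to a batch of events; only matching ones become notifications."""
    return [build_sns_message(e) for e in events if matches(INSPECTOR_ECR_PATTERN, e)]


if __name__ == "__main__":
    print(json.dumps(INSPECTOR_ECR_PATTERN))          # paste into `--event-pattern`
    for msg in route_findings([SAMPLE_FINDING_EVENT]):
        print(msg["subject"])
        print(msg["body"])
```

The printed pattern is what `aws events put-rule --event-pattern` expects, and `aws events put-targets` then points the rule at the SNS topic ARN. One deployment detail that the exam answer leaves implicit: the SNS topic's resource policy must allow the `events.amazonaws.com` service principal to call `sns:Publish`, otherwise the rule matches but nothing is delivered.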