AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 366

A DevOps engineer is creating a CI/CD pipeline to build container images. The engineer needs to store container images in Amazon Elastic Container Registry (Amazon ECR) and scan the images for common vulnerabilities. The CI/CD pipeline must be resilient to outages in upstream source container image repositories.

Which solution will meet these requirements?

Answer options

• A. Create an ECR private repository in the private registry to store the container images and scan images when images are pushed to the repository. Configure a replication rule in the private registry to replicate images from upstream repositories.
• B. Create an ECR public repository in the public registry to cache images from upstream source repositories. Create an ECR private repository to store images. Configure the private repository to scan images when images are pushed to the repository.
• C. Create an ECR public repository in the public registry. Configure a pull through cache rule for the repository. Create an ECR private repository to store images. Configure the ECR private registry to perform basic scanning.
• D. Create an ECR private repository in the private registry to store the container images. Enable basic scanning for the private registry, and create a pull through cache rule.

Correct answer: D

Explanation

Amazon ECR's pull through cache feature allows you to cache images from upstream registries directly into your private ECR registry, providing resilience against external registry outages. By combining this with basic scanning enabled at the private registry level, any pushed or cached images will be automatically scanned for vulnerabilities. This approach satisfies all requirements using native ECR private registry capabilities.