AWS Certified Security – Specialty (SCS-C02) — Question 237
A company uses Amazon Elastic Container Registry (Amazon ECR) as the repository for its production applications. A security engineer must implement an automated solution to report any vulnerabilities that ECR enhanced scanning detects. The solution must provide notification of vulnerability findings in an instant message to the company’s Slack account.
Which solution will meet these requirements with the MOST operational efficiency?
Answer options
- A. Activate Amazon Inspector scans for the ECR repository. Create an Amazon Simple Notification Service (Amazon SNS) topic. Configure an AWS Chatbot client for Slack that consumes the SNS topic. Create an Amazon EventBridge rule for Amazon Inspector findings. Specify the SNS topic as the target for the rule.
- B. Activate Amazon Inspector scans for the ECR repository. Write a script to use AWS CLI commands to retrieve image scan findings from Amazon Inspector. Configure the script to send the findings to a Slack endpoint. Launch an Amazon EC2 instance to run the script.
- C. Activate Amazon Inspector scans for the ECR repository. Create an AWS Step Functions state machine. Set a first step in the state machine to call the Amazon Inspector ListFindings API operation. Create an Amazon Simple Notification Service (Amazon SNS) topic with Slack as the target. Add a second step in the state machine to call the Amazon SNS Publish API operation.
- D. Activate AWS Security Hub scans for the ECR repository. Create a custom action in Security Hub for findings. Define an Amazon EventBridge rule for the custom action. Configure the EventBridge rule to redirect the findings to a Slack channel.
Correct answer: A
Explanation
Option A is the most operationally efficient: ECR enhanced scanning is performed by Amazon Inspector, which publishes each finding as an event to Amazon EventBridge; an EventBridge rule routes those findings to an SNS topic, and AWS Chatbot delivers the SNS messages to Slack, so the whole pipeline is managed services with no code to maintain. Option B requires a custom script and an EC2 instance to host it, which adds complexity and management overhead. Option C, while automated, introduces unnecessary complexity with AWS Step Functions (and SNS has no native Slack target; Chatbot is still needed). Option D uses Security Hub instead of Inspector, which does not align with the requirement to use ECR enhanced scanning.
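To make the EventBridge step of option A concrete, the following added example (not part of the exam page, and not AWS code) defines the kind of event pattern the rule would carry, implements the subset of EventBridge matching semantics it relies on, and renders the text an SNS/Chatbot message would carry to Slack. The pattern's field names follow the Inspector2 EventBridge event format (source `aws.inspector2`, detail-type `Inspector2 Finding`, resource type `AWS_ECR_CONTAINER_IMAGE`); the severity filter, the `forward_findings` and `slack_message` helpers, and every sample event, ARN and finding ID are constructed for the illustration.

```python
"""Filter Amazon Inspector (inspector2) finding events with an
EventBridge-style pattern and build the notification text for SNS/Slack.

Added example, not code from the exam page or from AWS. Field names follow
the documented Inspector2 EventBridge event shape; the pattern filter and
all sample data below are constructed assumptions, not real findings.
"""

# EventBridge rule pattern (assumption: restricted to HIGH/CRITICAL findings
# on ECR container images; drop the severity key to forward every finding).
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "severity": ["HIGH", "CRITICAL"],
        "resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]},
    },
}


def matches(pattern, value):
    """Subset of EventBridge matching semantics.

    - A list in the pattern is the set of allowed exact values.
    - A dict in the pattern descends into the event; every key must match.
    - A list in the event matches if any element matches (EventBridge
      flattens arrays, so a rule on resources.type matches any resource).
    """
    if isinstance(pattern, list):
        if isinstance(value, list):
            return any(v in pattern for v in value)
        return value in pattern
    if isinstance(pattern, dict):
        if isinstance(value, list):
            return any(matches(pattern, v) for v in value)
        if not isinstance(value, dict):
            return False
        return all(k in value and matches(p, value[k]) for k, p in pattern.items())
    return pattern == value


def slack_message(event):
    """Render one finding as a single-line message for the SNS topic."""
    detail = event["detail"]
    images = [r["id"] for r in detail["resources"]
              if r["type"] == "AWS_ECR_CONTAINER_IMAGE"]
    finding_id = detail["findingArn"].rsplit("/", 1)[-1]
    return (f"[{detail['severity']}] {detail['title']} "
            f"in {', '.join(images)} (finding {finding_id})")


def forward_findings(events):
    """Apply the rule pattern and return the messages that would be published."""
    return [slack_message(e) for e in events if matches(EVENT_PATTERN, e)]


def _finding(severity, resource_type, resource_id, title, fid):
    # Constructed sample event in the Inspector2 EventBridge shape.
    return {
        "source": "aws.inspector2",
        "detail-type": "Inspector2 Finding",
        "detail": {
            "severity": severity,
            "title": title,
            "findingArn": f"arn:aws:inspector2:us-east-1:123456789012:finding/{fid}",
            "resources": [{"type": resource_type, "id": resource_id}],
        },
    }


# Constructed sample events: one should be forwarded, two should be dropped.
ECR_IMAGE = "arn:aws:ecr:us-east-1:123456789012:repository/payments-api/sha256:EXAMPLEDIGEST"
SAMPLE_EVENTS = [
    _finding("CRITICAL", "AWS_ECR_CONTAINER_IMAGE", ECR_IMAGE,
             "Example vulnerability in libfoo", "EXAMPLE-FINDING-1"),
    _finding("CRITICAL", "AWS_EC2_INSTANCE", "i-0123456789abcdef0",
             "Example vulnerability on a host", "EXAMPLE-FINDING-2"),
    _finding("LOW", "AWS_ECR_CONTAINER_IMAGE", ECR_IMAGE,
             "Example low-severity issue", "EXAMPLE-FINDING-3"),
]

if __name__ == "__main__":
    for line in forward_findings(SAMPLE_EVENTS):
        print(line)
```

In a real deployment the `EVENT_PATTERN` dict is what goes into the EventBridge rule (for example via CloudFormation `AWS::Events::Rule` with the SNS topic as target), and AWS Chatbot, subscribed to that topic, handles the Slack delivery; no custom formatting code is required, which is exactly why option A is the most operationally efficient choice.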