Topic 1 Question 252
(Select two.)
A company needs to increase the security of the container images that run in its production environment. The company wants to integrate operating system scanning and programming language package vulnerability scanning for the containers in its CI/CD pipeline. The CI/CD pipeline is an AWS CodePipeline pipeline that includes an AWS CodeBuild build project, AWS CodeDeploy actions, and an Amazon Elastic Container Registry (Amazon ECR) repository.
A DevOps engineer needs to add an image scan to the CI/CD pipeline. The CI/CD pipeline must deploy only images without CRITICAL and HIGH findings into production.
Which combination of steps will meet these requirements?
A. Use Amazon ECR basic scanning.
B. Use Amazon ECR enhanced scanning.
C. Configure Amazon ECR to submit a Rejected status to the CI/CD pipeline when the image scan returns CRITICAL or HIGH findings.
D. Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the image scan is completed. Configure the Lambda function to consume the Amazon Inspector scan status and to submit an Approved or Rejected status to the CI/CD pipeline.
E. Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the image scan is completed. Configure the Lambda function to consume the Clair scan status and to submit an Approved or Rejected status to the CI/CD pipeline.
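The gating flow in option D (EventBridge rule fires on scan completion, a Lambda function reads the Amazon Inspector result and approves or rejects the pipeline) can be sketched as a small handler. The code below is an added example written for this page; it is not part of the question, the commenters' posts, or any AWS sample. It assumes the rule matches Inspector's enhanced-scan event for the image and that the pipeline stage holds a manual-approval action whose name arrives via environment variables (PIPELINE_NAME, APPROVAL_STAGE and APPROVAL_ACTION are hypothetical names). The decision logic is kept separate from the AWS calls so it can be exercised offline, and it fails closed when the event carries no severity counts.

```python
"""Added example: gate a CodePipeline manual-approval action on an Amazon ECR
enhanced (Amazon Inspector) image scan result. Not code from the page."""
import os

# Severities that must block promotion to production (from the requirement).
BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")

# Scan states under which the severity counts in the event are final
# (assumption: these are the values Inspector/ECR emit for a finished scan).
COMPLETED_STATES = ("INITIAL_SCAN_COMPLETE", "COMPLETE")


def evaluate_scan(detail):
    """Turn the event's severity counts into an Approved/Rejected decision.

    Fails closed: an event without a severity map is rejected, not waved through.
    """
    counts = detail.get("finding-severity-counts")
    digest = detail.get("image-digest", "<unknown digest>")
    if not isinstance(counts, dict):
        return "Rejected", f"{digest}: no finding-severity-counts in scan event"
    blocking = {sev: int(counts.get(sev, 0)) for sev in BLOCKING_SEVERITIES}
    status = "Rejected" if any(blocking.values()) else "Approved"
    return status, f"{digest}: blocking findings {blocking}"


def decide_from_event(event):
    """Return (status, summary) once the scan is complete, or None to ignore it."""
    detail = event.get("detail") or {}
    if detail.get("scan-status") not in COMPLETED_STATES:
        return None
    return evaluate_scan(detail)


def find_approval_token(pipeline_state, stage_name, action_name):
    """Pick the pending approval token for the named manual-approval action out of
    a CodePipeline get_pipeline_state() response; None if nothing is waiting."""
    for stage in pipeline_state.get("stageStates", []):
        if stage.get("stageName") != stage_name:
            continue
        for action in stage.get("actionStates", []):
            if action.get("actionName") == action_name:
                return (action.get("latestExecution") or {}).get("token")
    return None


def lambda_handler(event, context):
    """EventBridge entry point; the only function that talks to AWS."""
    decision = decide_from_event(event)
    if decision is None:
        return {"ignored": True}
    status, summary = decision

    import boto3  # imported here so the decision logic stays testable offline

    pipeline = os.environ["PIPELINE_NAME"]      # hypothetical env var names
    stage = os.environ["APPROVAL_STAGE"]
    action = os.environ["APPROVAL_ACTION"]
    cp = boto3.client("codepipeline")
    token = find_approval_token(cp.get_pipeline_state(name=pipeline), stage, action)
    if token is None:
        return {"status": status, "submitted": False, "reason": "no pending approval"}
    cp.put_approval_result(
        pipelineName=pipeline,
        stageName=stage,
        actionName=action,
        result={"summary": summary, "status": status},
        token=token,
    )
    return {"status": status, "submitted": True}


# Constructed sample event shaped like an Inspector enhanced-scan notification;
# every value here is made up for this example.
SAMPLE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Scan",
    "detail": {
        "scan-status": "INITIAL_SCAN_COMPLETE",
        "repository-name": "arn:aws:ecr:us-east-1:123456789012:repository/app",
        "image-digest": "sha256:0123456789abcdef",
        "image-tags": ["1.4.2"],
        "finding-severity-counts": {"CRITICAL": 0, "HIGH": 2, "MEDIUM": 5, "TOTAL": 7},
    },
}

if __name__ == "__main__":
    # Offline dry run of the decision only; no AWS calls are made here.
    print(decide_from_event(SAMPLE_EVENT))
```

Running the module prints the decision for the constructed event (Rejected, because of the two HIGH findings); MEDIUM findings alone would produce Approved. The same skeleton also covers option E's basic-scanning variant, since ECR's own scan-complete event carries a `finding-severity-counts` map of the same shape, but basic scanning would not satisfy the question's language-package requirement.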
Comments (3)
- Selected answer: BD
---> B D
As per documentation, basic scanning uses CVEs from the open-source Clair project. Enhanced scanning is an integration with Amazon Inspector. This suggests both options use different databases/scanners.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic.html
👍 3 tgv 2024/07/19

- Selected answer: BD
B. Use Amazon ECR Enhanced Scanning
- Comprehensive Vulnerability Checks: Amazon ECR enhanced scanning is integrated with Amazon Inspector, providing thorough security checks on container images. It scans for both operating system vulnerabilities and application-level vulnerabilities in programming language packages, which basic scanning does not support.
- Integration with Amazon Inspector: Enhanced scanning leverages Amazon Inspector for deeper vulnerability analysis, ensuring the images are secure before deployment.
- CRITICAL and HIGH Severity Detection: The enhanced scanning option specifically identifies CRITICAL and HIGH vulnerabilities, aligning with the requirement to only deploy images that do not have these issues.
👍 2 jamesf 2024/07/30

All images pushed to Amazon ECR after enhanced scanning is turned on are continually scanned for the configured duration.
👍 1 d0229a2 2024/07/24