Topic 1 Question 322
(Choose three.)
A company is running an internal application in an Amazon Elastic Container Service (Amazon ECS) cluster on Amazon EC2. The ECS cluster instances can connect to the public internet. The ECS tasks that run on the cluster instances are configured to use images from both private Amazon Elastic Container Registry (Amazon ECR) repositories and a public ECR registry repository.
A new security policy requires the company to remove the ECS cluster's direct access to the internet. The company must remove any NAT gateways and internet gateways from the VPC that hosts the cluster. A DevOps engineer needs to ensure the ECS cluster can still download images from both the public ECR registry and the private ECR repositories. Images from the public ECR registry must remain up-to-date. New versions of the images must be available to the ECS cluster within 24 hours of publication.
Which combination of steps will meet these requirements with the LEAST operational overhead?
A. Create an AWS CodeBuild project and a new private ECR repository for each image that is downloaded from the public ECR registry. Configure each project to pull the image from the public ECR repository and push the image to the new private ECR repository. Create an Amazon EventBridge rule that invokes the CodeBuild project once every 24 hours. Update each task definition in the ECS cluster to refer to the new private ECR repository.
B. Create a new Amazon ECR pull through cache rule for each image that is downloaded from the public ECR registry. Create an AWS Lambda function that invokes each pull through cache rule. Create an Amazon EventBridge rule that invokes the Lambda function once every 24 hours. Update each task definition in the ECS cluster to refer to the image from the pull through cache.
C. Create a new Amazon ECR pull through cache rule for the public ECR registry. Update each task definition in the ECS cluster to refer to the image from the pull through cache. Ensure each public image has been downloaded through the pull through cache at least once before removing internet access from the VPC.
D. Create an Amazon ECR interface VPC endpoint for the public ECR repositories that are in the VPC.
E. Create an Amazon ECR interface VPC endpoint for the private ECR repositories that are in the VPC.
F. Create an Amazon S3 gateway endpoint in the VPC.
Comments (4)
- Answer believed correct: CEF
By using an Amazon ECR pull through cache rule (Option C) and setting up the necessary VPC endpoints for private ECR (Option E) and S3 (Option F), the company can:
- Eliminate Internet Access: Remove NAT gateways and internet gateways from the VPC.
- Maintain Image Access: Allow ECS tasks to pull images from both private and public ECR repositories without internet access.
- Ensure Image Updates: Automatically receive updates to public images within 24 hours via the pull through cache.
- Minimize Operational Overhead: Avoid complex setups with additional services like CodeBuild, Lambda, or custom scripts.
👍 3 (f4b18ba, 2024/11/22)

By implementing the pull through cache rule and setting up VPC endpoints for both public and private ECR repositories, the ECS cluster can securely access required container images without direct internet access. This approach ensures compliance with the security policy while maintaining operational efficiency and timely updates to images.
👍 2 (uncledana, 2024/11/18)

C, E, F. https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html
VPC endpoints currently don't support Amazon ECR Public repositories. Consider using a pull through cache rule to host the public image in a private repository in the same Region as the VPC endpoint. For more information
The image metadata and layers in the ECR are stored in Amazon S3. Creating an S3 Gateway endpoint enables the ECS cluster to exchange data between ECR and S3 without the internet.
👍 2 (rainwalker, 2024/11/19)
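The C/E/F combination the thread settles on, as an added example that is not part of the original question, the thread, or AWS documentation: a POSIX shell script that creates the single pull through cache rule for public.ecr.aws (C), the ecr.api and ecr.dkr interface endpoints plus the S3 gateway endpoint (E, F), rewrites a public image reference into the address the task definition must use, and checks that an image has been pulled through the cache at least once before internet access is removed. The account ID, region, cache prefix, VPC/subnet/security-group/route-table IDs and the sample image names are assumed placeholders; the `aws` commands are real AWS CLI calls and only run when the script is invoked with `setup` or `verify`.

```shell
#!/bin/sh
# Added example for the C/E/F answer (not from the question, the thread, or AWS docs).
# Assumed placeholder values: account 123456789012, region us-east-1, cache prefix "ecr-public".
# Override with ECR_ACCOUNT_ID / ECR_REGION / ECR_CACHE_PREFIX; VPC IDs are passed as arguments.
set -eu

ECR_ACCOUNT_ID="${ECR_ACCOUNT_ID:-123456789012}"
ECR_REGION="${ECR_REGION:-us-east-1}"
ECR_CACHE_PREFIX="${ECR_CACHE_PREFIX:-ecr-public}"

# Rewrite a public.ecr.aws reference to the address the task definition must use once the
# pull through cache rule exists: <account>.dkr.ecr.<region>.amazonaws.com/<prefix>/<path>.
# Anything else (docker.io, quay.io, ...) is rejected: the rule only covers public.ecr.aws.
cache_image_uri() {
  case "$1" in
    public.ecr.aws/*) ;;
    *) echo "not an ECR Public image: $1" >&2; return 1 ;;
  esac
  printf '%s.dkr.ecr.%s.amazonaws.com/%s/%s\n' \
    "$ECR_ACCOUNT_ID" "$ECR_REGION" "$ECR_CACHE_PREFIX" "${1#public.ecr.aws/}"
}

# Split the same reference into the private repository name and tag ECR creates on first pull,
# e.g. "ecr-public/docker/library/nginx 1.25". An untagged reference means "latest".
# Digest references (name@sha256:...) are not handled here.
cache_repo_and_tag() {
  path="${1#public.ecr.aws/}"
  case "$path" in
    *:*) printf '%s/%s %s\n' "$ECR_CACHE_PREFIX" "${path%%:*}" "${path##*:}" ;;
    *)   printf '%s/%s latest\n' "$ECR_CACHE_PREFIX" "$path" ;;
  esac
}

# Option C: one rule for the whole public registry, no per-image rules, Lambda or CodeBuild.
# ECR refreshes a cached image from upstream on a 24-hour cycle, which meets the freshness
# requirement. The task execution role also needs ecr:BatchImportUpstreamImage and
# ecr:CreateRepository so the first pull can populate the cache.
create_cache_rule() {
  aws ecr create-pull-through-cache-rule \
    --ecr-repository-prefix "$ECR_CACHE_PREFIX" \
    --upstream-registry-url public.ecr.aws \
    --region "$ECR_REGION"
}

# Options E and F: private paths to ECR from a VPC with no IGW or NAT. ecr.api serves the
# registry API, ecr.dkr serves image pulls, and the S3 gateway serves the layer blobs.
# The pulling instances' security group must allow outbound 443 to the interface endpoints.
create_endpoints() {
  vpc_id="$1"; subnet_ids="$2"; sg_id="$3"; route_table_id="$4"
  for svc in ecr.api ecr.dkr; do
    # subnet_ids is a space-separated list on purpose, so it is left unquoted
    aws ec2 create-vpc-endpoint --vpc-id "$vpc_id" --vpc-endpoint-type Interface \
      --service-name "com.amazonaws.${ECR_REGION}.${svc}" --subnet-ids $subnet_ids \
      --security-group-ids "$sg_id" --private-dns-enabled --region "$ECR_REGION"
  done
  aws ec2 create-vpc-endpoint --vpc-id "$vpc_id" --vpc-endpoint-type Gateway \
    --service-name "com.amazonaws.${ECR_REGION}.s3" --route-table-ids "$route_table_id" \
    --region "$ECR_REGION"
}

# Option C's caveat: confirm a public image already sits in the cache before the NAT and
# internet gateways are removed. describe-images fails when the repository or tag is absent.
verify_cached() {
  set -- $(cache_repo_and_tag "$1")
  aws ecr describe-images --repository-name "$1" --image-ids "imageTag=$2" \
    --region "$ECR_REGION" >/dev/null
}

# Usage:
#   sh ecr_private.sh setup  <vpc-id> "<subnet-id ...>" <sg-id> <route-table-id> <public image>...
#   sh ecr_private.sh verify <public image>...      (after the updated tasks have pulled once)
case "${1:-}" in
  setup)
    shift; vpc="$1"; subnets="$2"; sg="$3"; rtb="$4"; shift 4
    create_cache_rule
    create_endpoints "$vpc" "$subnets" "$sg" "$rtb"
    for img in "$@"; do echo "task definition image: $(cache_image_uri "$img")"; done ;;
  verify)
    shift
    for img in "$@"; do verify_cached "$img" && echo "cached: $img"; done ;;
esac
```

The value printed by `cache_image_uri` is what goes into the `image` field of each task definition in place of the `public.ecr.aws/...` reference; private repositories in the same account keep their existing addresses and are reached through the same ecr.api/ecr.dkr endpoints.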