DOP-C02 Exam - Question 188


A company runs an application for multiple environments in a single AWS account. An AWS CodePipeline pipeline uses a development Amazon Elastic Container Service (Amazon ECS) cluster to test an image for the application from an Amazon Elastic Container Registry (Amazon ECR) repository. The pipeline promotes the image to a production ECS cluster.

The company needs to move the production cluster into a separate AWS account in the same AWS Region. The production cluster must be able to download the images over a private connection.

Which solution will meet these requirements?

Correct Answer: D

The best solution is to use Amazon ECR VPC endpoints and an Amazon S3 gateway endpoint, and to set a repository policy on the production ECR repository in the main AWS account. This policy should allow the production ECS tasks in the separate AWS account to pull images from the main account. The production ECS task execution role must also have permission to download the image from the ECR repository. With the endpoints in place, the images are downloaded over a private connection, and there is no need to maintain separate ECR repositories.
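A sketch of how the two halves of this answer could be checked before cutover, as an added example that is not part of the original page: it builds a pull-only repository policy for the main-account repository, flags policies that grant more than that, and reports which of the ECR and S3 endpoints are missing from the production VPC. The account ID, role name, Region and function names are constructed placeholders.

```python
import json

PULL_ACTIONS = {"ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"}

def repository_policy(prod_account, role_name):
    """Pull-only repository policy for the repo in the main account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowProdTaskPull", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{prod_account}:role/{role_name}"},
        "Action": sorted(PULL_ACTIONS)}]}

def policy_findings(policy, prod_account):
    """Flag Allow statements wider than 'prod account may pull'."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal") or {}
        arns = ["*"] if principal == "*" else principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        findings += [f"principal outside prod: {a}" for a in arns
                     if not a.startswith(f"arn:aws:iam::{prod_account}:")]
        findings += [f"non-pull action: {a}" for a in actions
                     if a not in PULL_ACTIONS]
    return findings

def missing_endpoints(vpc_endpoints, region):
    """Required ECR/S3 endpoints that are absent or not yet available."""
    required = {(f"com.amazonaws.{region}.ecr.api", "Interface"),
                (f"com.amazonaws.{region}.ecr.dkr", "Interface"),
                (f"com.amazonaws.{region}.s3", "Gateway")}
    present = {(e["ServiceName"], e["VpcEndpointType"])
               for e in vpc_endpoints if e.get("State") == "available"}
    return sorted(svc for svc, _ in required - present)

# Constructed sample data: placeholder account ID, role name and Region.
PROD, REGION = "222222222222", "us-east-1"
SAMPLE_ENDPOINTS = [  # shaped like `aws ec2 describe-vpc-endpoints` entries
    {"ServiceName": f"com.amazonaws.{REGION}.ecr.api",
     "VpcEndpointType": "Interface", "State": "available"},
    {"ServiceName": f"com.amazonaws.{REGION}.ecr.dkr",
     "VpcEndpointType": "Interface", "State": "available"},
]

if __name__ == "__main__":
    policy = repository_policy(PROD, "prodTaskExecutionRole")
    print(json.dumps(policy, indent=2))
    print(policy_findings(policy, PROD))
    print(missing_endpoints(SAMPLE_ENDPOINTS, REGION))
```

The task execution role's own IAM policy still needs `ecr:GetAuthorizationToken`, which cannot be scoped to a repository and so does not appear in the repository policy.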

Discussion

dzn (Option: D)
Mar 4, 2024

Using ECR VPC endpoints is necessary to meet the requirement below: `download the images over a private connection.`

PrasannaBalaji (Option: D)
Dec 29, 2023

D - Using Amazon ECR VPC endpoints ensures that the ECS tasks in both the development and production clusters can pull Docker images securely over a private connection.

csG13 (Option: D)
Dec 29, 2023

It's D

kabary (Option: D)
Jan 1, 2024

Answer is D.

ozansenturk (Option: D)
Jan 2, 2024

https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

DanShone (Option: D)
Mar 16, 2024

ECR VPC endpoints are needed to meet "download the images over a private connection."

dkp (Option: D)
Apr 14, 2024

Ans D: For Amazon ECS tasks to pull private images from Amazon ECR, you must create a gateway endpoint for Amazon S3. The gateway endpoint is required because Amazon ECR uses Amazon S3 to store your image layers.

c3518fc (Option: D)
Apr 25, 2024

https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

poctest
Jan 11, 2024

Don't see the difference between A & D

denccc
Jan 18, 2024

It's D, no need to create a separate ECR repo in the other account, just update the policy of the ECR repo in the main account to allow cross-account access.

thanhnv142 (Option: C)
Feb 12, 2024

C is correct: ECR private image replication can replicate the image to the new account.

A and D: both mention S3 gw, which is unnecessary.

B: no mention of how to replicate images cross-account.

testhard (Option: C)
Feb 23, 2024

https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html

Gomer (Option: D)
Jul 4, 2024

Based on the references provided, it would appear that both "C" and "D" could work to distribute an image, EXCEPT for the "private connection" requirement. It also seems like a cleaner solution to just rely on one ECR repository, rather than replicate repos to other accounts in the same region.