Exam DOP-C02
Question 257

A company runs its container workloads in AWS App Runner. A DevOps engineer manages the company's container repository in Amazon Elastic Container Registry (Amazon ECR).

The DevOps engineer must implement a solution that continuously monitors the container repository. The solution must create a new container image when the solution detects an operating system vulnerability or language package vulnerability.

Which solution will meet these requirements?

    Correct Answer: A

    The solution must continuously monitor the container repository for operating system and language package vulnerabilities, and create a new container image when such a vulnerability is detected. Using EC2 Image Builder to create a container image pipeline and turning on enhanced scanning on the ECR repository enables comprehensive and ongoing vulnerability scanning through Amazon Inspector. An Amazon EventBridge rule that captures Inspector finding events can then invoke the image pipeline automatically whenever a vulnerability is detected, so that a new container image is created and uploaded to the repository, maintaining the security and integrity of the container workloads.
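The EventBridge side of this answer, sketched as an added example (not part of the original question or any AWS sample): an event pattern for Inspector findings on ECR images, plus a filter and a Lambda-style target that starts the Image Builder pipeline. The pipeline ARN, repository name, sample event and the use of a Lambda function as the rule target are assumptions.

```python
# EventBridge rule pattern: active package-vulnerability findings on ECR images.
EVENT_PATTERN = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {"status": ["ACTIVE"], "type": ["PACKAGE_VULNERABILITY"],
               "resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]}},
}
# Assumptions: placeholder pipeline ARN and a hypothetical repository name.
PIPELINE_ARN = "arn:aws:imagebuilder:us-east-1:111122223333:image-pipeline/example"
WATCHED_REPOS = {"app-runner-service"}
# Constructed sample event, trimmed to the fields the filter reads.
SAMPLE_EVENT = {
    "id": "11111111-2222-3333-4444-555555555555", "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {"status": "ACTIVE", "type": "PACKAGE_VULNERABILITY", "resources": [{
        "type": "AWS_ECR_CONTAINER_IMAGE",
        "details": {"awsEcrContainerImage": {"repositoryName": "app-runner-service"}},
    }]},
}


def affected_repos(event):
    """Return watched ECR repositories named in an active package finding."""
    detail = event.get("detail", {})
    if (event.get("source") != "aws.inspector2"
            or event.get("detail-type") != "Inspector2 Finding"
            or detail.get("status") != "ACTIVE"
            or detail.get("type") != "PACKAGE_VULNERABILITY"):
        return set()
    repos = set()
    for res in detail.get("resources", []):
        image = res.get("details", {}).get("awsEcrContainerImage", {})
        name = image.get("repositoryName")
        if res.get("type") == "AWS_ECR_CONTAINER_IMAGE" and name in WATCHED_REPOS:
            repos.add(name)
    return repos


def handler(event, context=None):
    """Lambda-style rule target: start the image pipeline for a matching finding."""
    repos = affected_repos(event)
    if not repos:
        return {"started": False, "repos": []}
    import boto3  # lazy import so the filter runs without AWS dependencies
    boto3.client("imagebuilder").start_image_pipeline_execution(
        imagePipelineArn=PIPELINE_ARN,
        clientToken=event["id"],  # EventBridge event id doubles as idempotency token
    )
    return {"started": True, "repos": sorted(repos)}
```

Inspector emits one event per finding, so an image with several vulnerable packages invokes the target several times; narrowing the pattern by severity or limiting rebuilds per repository is a design choice outside what the answer states.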

Discussion
tgv Option: A

---> A

trungtd Option: A

Enhanced scanning provides deep and comprehensive scanning for vulnerabilities in container images using Amazon Inspector.

TEC1 Option: A

Turn on enhanced scanning in the Amazon ECR repository settings. This enables Amazon Inspector to scan images for vulnerabilities.

TEC1

https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html#:~:text=To%20configure%20your%20enhanced%20scanning%20settings&text=Open%20the%20Amazon%20ECR%20console,registry%2C%20and%20then%20choose%20Settings.