
AWS Certified DevOps Engineer - Professional DOP-C02 Exam - Question 238


A company is migrating its container-based workloads to an AWS Organizations multi-account environment. The environment consists of application workload accounts that the company uses to deploy and run the containerized workloads. The company has also provisioned a shared services account for shared workloads in the organization.

The company must follow strict compliance regulations. All container images must receive security scanning before they are deployed to any environment. Images can be consumed by downstream deployment mechanisms after the images pass a scan with no critical vulnerabilities. Pre-scan and post-scan images must be isolated from one another so that a deployment can never use pre-scan images.

A DevOps engineer needs to create a strategy to centralize this process.

Which combination of steps will meet these requirements with the LEAST administrative overhead? (Choose two.)

Correct Answer: AE

To meet the requirements with the least administrative overhead, create Amazon Elastic Container Registry (Amazon ECR) repositories in the shared services account, which centralizes management. Create separate repositories for pre-scan and post-scan images. Configure Amazon ECR image scanning to run on new image pushes to the pre-scan repositories so that all images are scanned as the regulation requires, and use resource-based policies to control access appropriately. Additionally, create an AWS Lambda function that is triggered by Amazon EventBridge rules, reacts to image scanning completed events, and pushes images without critical vulnerabilities to the post-scan repositories. This automates the process after scanning, which minimizes administrative overhead, and avoids the complexity of managing multiple pipelines.
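The decision that the Lambda function in the explanation above has to make on each scan-completed event can be sketched as follows. This is an added example, not part of the original question or answer; the `pre-scan/` and `post-scan/` repository prefixes and the `promote` callback (which would perform the actual copy) are assumptions.

```python
# Added example: gate logic for a Lambda triggered by an EventBridge rule on
# ECR scan completion. Prefixes and promote() are hypothetical, not from the page.
PRE_PREFIX = "pre-scan/"      # assumed naming convention
POST_PREFIX = "post-scan/"    # assumed naming convention


def decide(event):
    """Return (target_repo, digest) if the image may be promoted, else None."""
    if event.get("source") != "aws.ecr" or event.get("detail-type") != "ECR Image Scan":
        return None
    detail = event.get("detail") or {}
    # Fail closed: only a finished scan counts; FAILED or missing status never promotes.
    if detail.get("scan-status") != "COMPLETE":
        return None
    repo = detail.get("repository-name", "")
    digest = detail.get("image-digest", "")
    # Only images from the pre-scan side are eligible.
    if not repo.startswith(PRE_PREFIX) or not digest.startswith("sha256:"):
        return None
    counts = detail.get("finding-severity-counts")
    # Missing counts are treated as "unknown", not "clean".
    if not isinstance(counts, dict) or counts.get("CRITICAL", 0) > 0:
        return None
    # Promote by digest: tags are mutable and could point at a different image
    # than the one that was scanned.
    return POST_PREFIX + repo[len(PRE_PREFIX):], digest


def handler(event, context=None, promote=None):
    """Lambda entry point. promote(source_repo, target_repo, digest) is a
    hypothetical callback that copies the image into the post-scan repository."""
    decision = decide(event)
    if decision is None:
        return {"promoted": False}
    target, digest = decision
    if promote is not None:
        promote(event["detail"]["repository-name"], target, digest)
    return {"promoted": True, "repository": target, "digest": digest}


# Constructed sample event in the shape ECR sends to EventBridge after a scan.
SAMPLE = {
    "source": "aws.ecr",
    "detail-type": "ECR Image Scan",
    "detail": {"scan-status": "COMPLETE",
               "repository-name": "pre-scan/payments-api",
               "image-digest": "sha256:" + "ab" * 32,
               "image-tags": ["1.4.2"],
               "finding-severity-counts": {"HIGH": 2, "MEDIUM": 7}},
}
```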

Discussion

trungtd Options: AE
Jul 14, 2024

LEAST administrative overhead:
=> Should create ECR repositories in the shared services account => A
And should create only 1 Lambda function => E
D is wrong because it involves creating and managing multiple pipelines, which increases administrative overhead significantly.

xdkonorek2 Options: AE
Jul 5, 2024

E > D for LEAST administrative overhead

jamesf Options: AE
Jul 31, 2024

Keywords: LEAST administrative overhead

Option A centralizes the repository management in the shared services account, simplifying access control and configuration management. Pre-scan and post-scan repositories are clearly separated, ensuring that only post-scan images are deployed.

Option E uses event-driven automation to handle the scanning results and image promotion, reducing manual intervention and ensuring that only images that pass the security scan are moved to the post-scan repositories. This approach is efficient and minimizes administrative overhead compared to manually setting up pipelines or replication mechanisms.

aws_god Options: AD
Sep 13, 2024

Lambda is not meant to work with Docker

auxwww Options: AD
Aug 7, 2024

Why not E - To push images to the post-scan repo, you need a custom lambda container to run docker pull and push commands which is more complicated than Option D

limelight04 Options: AD
Aug 26, 2024

AD gives the least administrative overhead

Anonymous
Jul 15, 2024

---> AE

auxwww
Aug 7, 2024

Why E is not optimal - https://stackoverflow.com/questions/51158595/build-and-push-docker-image-to-aws-ecr-using-lambda

jojewi8143 Options: AE
Feb 1, 2025

AE because lambda