A company is operating a containerized application on Amazon ECS using EC2 instances within an Auto Scaling group. They store container images in Amazon ECR, which are tagged uniquely upon new version uploads. The company requires a solution to automatically scan new image versions for vulnerabilities and delete tags with Critical or High severity findings, while also notifying the development team of such deletions. Which solution meets these requirements?
Explanation:
The correct answer is A. The requirement has three parts: scan every new image version as soon as it is pushed, delete any tag whose scan reports Critical or High severity findings, and notify the development team of each deletion. Option A enables 'scan on push' on the ECR repository, so each tagged push is scanned immediately rather than on a schedule. When a scan completes, ECR emits an 'ECR Image Scan' event that carries the repository name, the image tags and digest, and a count of findings per severity; an Amazon EventBridge rule matching that event starts an AWS Step Functions state machine, which removes the offending tag (the ECR BatchDeleteImage API, which deletes the image itself once its last tag is gone) and publishes the deletion to an Amazon SNS topic the development team subscribes to. The whole chain is event-driven, so the window between a bad push and its removal is minutes, not a polling interval. Options B, C, and D either add unnecessary components or do not scan immediately on push, so they meet the requirements less well.
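The following is an added example, not part of the original question or its answer key, showing the decision logic that the Step Functions task (or a Lambda task state inside it) would run: match the EventBridge event, check the severity counts, delete the tag, and notify. The EventBridge pattern, the repository and digest values in the sample event, the SNS topic ARN and the `ALERT_TOPIC_ARN` environment variable are all assumptions; the event shape is that of the ECR basic-scan 'ECR Image Scan' event. The fake ECR and SNS clients exist only so the script runs offline; in Lambda you would pass real `boto3` clients.

```python
"""Handle an ECR "ECR Image Scan" EventBridge event: delete tags with
Critical/High findings and notify the team via SNS.  Added example;
repository, account, digest and topic values are made up."""
import json
from typing import Any, Dict

# Event pattern for the EventBridge rule that targets the state machine.
# Only completed scans match; failed or in-progress scans are ignored.
EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {"scan-status": ["COMPLETE"]},
}

# Severities that cause the tag to be removed (per the requirement).
BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")


def matches_pattern(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Minimal EventBridge-style matcher: every pattern key must be present,
    nested dicts recurse, and a list means 'the event value is one of these'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def blocking_counts(detail: Dict[str, Any]) -> Dict[str, int]:
    """Return only the Critical/High counts that are greater than zero."""
    counts = detail.get("finding-severity-counts", {})
    return {s: int(counts[s]) for s in BLOCKING_SEVERITIES if int(counts.get(s, 0)) > 0}


def handle_scan_event(event: Dict[str, Any], ecr, sns, topic_arn: str) -> Dict[str, Any]:
    """Decide and act on one scan event. `ecr`/`sns` follow the boto3 client API."""
    if not matches_pattern(event, EVENT_PATTERN):
        return {"action": "ignored", "reason": "not a completed ECR scan event"}
    detail = event["detail"]
    repo, digest = detail["repository-name"], detail["image-digest"]
    tags = list(detail.get("image-tags", []))
    findings = blocking_counts(detail)
    if not findings:
        return {"action": "kept", "repository": repo, "tags": tags}
    # Delete by tag when the push was tagged; fall back to the digest for an
    # untagged image. Removing the last tag of a digest deletes the image.
    image_ids = [{"imageTag": t} for t in tags] or [{"imageDigest": digest}]
    resp = ecr.batch_delete_image(repositoryName=repo, imageIds=image_ids)
    failures = resp.get("failures", [])
    message = {"repository": repo, "deleted": image_ids, "digest": digest,
               "findings": findings, "failures": failures}
    sns.publish(TopicArn=topic_arn,
                Subject=f"ECR image removed: {repo}:{tags[0] if tags else digest[:19]}"[:100],
                Message=json.dumps(message, indent=2))
    return {"action": "deleted", "repository": repo, "tags": tags,
            "findings": findings, "failures": failures}


def lambda_handler(event, context=None):
    """Real entry point: genuine boto3 clients, topic ARN from the environment."""
    import os  # imported here so the offline demo below needs no boto3
    import boto3
    return handle_scan_event(event, boto3.client("ecr"), boto3.client("sns"),
                             os.environ["ALERT_TOPIC_ARN"])


class FakeEcr:  # stand-in for boto3.client("ecr"): records calls, no network
    def __init__(self):
        self.calls = []

    def batch_delete_image(self, **kw):
        self.calls.append(kw)
        return {"imageIds": kw["imageIds"], "failures": []}


class FakeSns:  # stand-in for boto3.client("sns")
    def __init__(self):
        self.published = []

    def publish(self, **kw):
        self.published.append(kw)
        return {"MessageId": "fake-message-id"}


# Constructed sample event in the shape ECR basic scanning emits.
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.ecr",
    "detail-type": "ECR Image Scan",
    "region": "us-east-1",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "app/api",
        "image-digest": "sha256:" + "ab" * 32,
        "image-tags": ["v1.4.2"],
        "finding-severity-counts": {"CRITICAL": 2, "HIGH": 5, "MEDIUM": 9, "LOW": 1},
    },
}

if __name__ == "__main__":
    ecr, sns = FakeEcr(), FakeSns()
    topic = "arn:aws:sns:us-east-1:123456789012:image-deletions"  # assumed
    print(json.dumps(handle_scan_event(SAMPLE_EVENT, ecr, sns, topic), indent=2))
```

Two practical notes: the Step Functions state machine can call `BatchDeleteImage` and `SNS:Publish` directly through SDK integrations, so the Python above maps one-to-one onto two task states; and because deleting by tag only untags an image that still has other tags, teams that re-tag images (for example `latest`) should delete by digest, or by every tag in `image-tags`, as the code does.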