AWS SAP-C02 · Question 72 · Domain 3.2: Security Improvement
A company is using AWS CodePipeline for CI/CD. The pipeline deploys an application to an Amazon EKS cluster. The security team wants to ensure that container images are scanned for vulnerabilities before they are deployed. If a critical vulnerability is found, the pipeline must stop. What is the MOST automated way to implement this?
Answer options:
Use Amazon Inspector to scan the EKS worker nodes.
Use Amazon ECR image scanning. Configure an EventBridge rule to trigger a Lambda function that fails the CodePipeline stage if critical vulnerabilities are found.
Add a manual approval stage in CodePipeline and have the security team manually check the ECR scan results.
Use AWS Shield to block deployments of vulnerable images.