Hard · 1 mark · Multiple Choice
Tags: Domain 3.2: Security Improvement · CI/CD · Security · ECR · DevSecOps

AWS SAP-C02 · Question 72 · Domain 3.2: Security Improvement

A company is using AWS CodePipeline for CI/CD. The pipeline deploys an application to an Amazon EKS cluster. The security team wants to ensure that container images are scanned for vulnerabilities before they are deployed. If a critical vulnerability is found, the pipeline must stop. What is the MOST automated way to implement this?

Answer options:

A.

Use Amazon Inspector to scan the EKS worker nodes.

B.

Use Amazon ECR image scanning. Configure an EventBridge rule to trigger a Lambda function that fails the CodePipeline stage if critical vulnerabilities are found.

C.

Add a manual approval stage in CodePipeline and have the security team manually check the ECR scan results.

D.

Use AWS Shield to block deployments of vulnerable images.

How to approach this question

Combine ECR scanning with EventBridge/Lambda for automated pipeline control.

Full Answer

B. Use Amazon ECR image scanning. Configure an EventBridge rule to trigger a Lambda function that fails the CodePipeline stage if critical vulnerabilities are found. ✓ Correct
Amazon Elastic Container Registry (ECR) can scan images automatically on push. When a scan completes, ECR emits a scan-complete event to Amazon EventBridge. An EventBridge rule can invoke a Lambda function that inspects the severity counts in that event and, if critical vulnerabilities exist, calls the CodePipeline API to fail the deployment stage, so the gate is enforced without a human in the loop.
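To make the mechanism concrete, here is an added example (not from the exam page or any AWS sample) of the Lambda side: it parses the ECR scan-complete event, blocks only on CRITICAL findings, and abandons the in-flight CodePipeline execution. The pipeline name in `PIPELINE_NAME` and every value in the sample event are assumptions.

```python
import os
from typing import Dict, Tuple

# Constructed sample of the EventBridge event ECR emits when a basic image scan
# finishes (detail-type "ECR Image Scan"); every value below is made up.
SAMPLE_EVENT = {
    "source": "aws.ecr",
    "detail-type": "ECR Image Scan",
    "detail": {
        "scan-status": "COMPLETE",
        "repository-name": "example-app",
        "image-digest": "sha256:0123456789abcdef",  # placeholder, not a real digest
        "finding-severity-counts": {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 7},
    },
}
BLOCKING_SEVERITIES = ("CRITICAL",)  # the question only mandates CRITICAL

def evaluate_scan_event(event: Dict) -> Tuple[bool, str]:
    """Return (should_block, reason); only a COMPLETE ECR scan can block."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.ecr" or detail.get("scan-status") != "COMPLETE":
        return False, "not a completed ECR scan event"  # failed scans need their own alarm
    counts = detail.get("finding-severity-counts", {})
    hits = {sev: counts[sev] for sev in BLOCKING_SEVERITIES if counts.get(sev, 0) > 0}
    if hits:
        image = f"{detail.get('repository-name')}@{detail.get('image-digest')}"
        return True, f"{image} has blocking findings: {hits}"
    return False, "no blocking findings"

def stop_pipeline(pipeline_name: str, reason: str) -> None:
    """Abandon the newest in-progress execution of the pipeline (CodePipeline API)."""
    import boto3  # imported here so the decision logic runs without AWS access
    cp = boto3.client("codepipeline")
    page = cp.list_pipeline_executions(pipelineName=pipeline_name, maxResults=1)
    for execution in page.get("pipelineExecutionSummaries", []):
        if execution.get("status") == "InProgress":
            cp.stop_pipeline_execution(pipelineName=pipeline_name,
                                       pipelineExecutionId=execution["pipelineExecutionId"],
                                       abandon=True, reason=reason[:200])

def lambda_handler(event, context):
    """Lambda entry point wired to the EventBridge rule."""
    should_block, reason = evaluate_scan_event(event)
    if should_block:
        # PIPELINE_NAME is an assumed environment variable set on the function.
        stop_pipeline(os.environ["PIPELINE_NAME"], reason)
    return {"blocked": should_block, "reason": reason}
```

Scope the function's IAM role to ListPipelineExecutions and StopPipelineExecution on the one pipeline, and limit the EventBridge rule to the repositories the pipeline actually deploys from.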

Common mistakes

Relying on manual approvals instead of automated event-driven checks.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 4