Hard · 1 mark · Multiple Choice
Domain 3.2: Security Improvement · Tags: Security, CI/CD, ECR, CodePipeline

AWS SAP-C02 · Question 63 · Domain 3.2: Security Improvement

A company is using AWS CodePipeline for its CI/CD process. The pipeline deploys an application to an Amazon ECS cluster. The security team requires that every container image must be scanned for vulnerabilities before it is deployed. If critical vulnerabilities are found, the pipeline must fail automatically. How can the Architect implement this requirement?

Answer options:

A.

Configure Amazon ECR to scan on push. Add an AWS Step Functions state machine or a Lambda function to the pipeline to check the ECR scan results and fail the pipeline if critical vulnerabilities exist.

B.

Enable AWS Security Hub integration with CodePipeline to automatically block deployments with vulnerabilities.

C.

Use AWS CodeBuild to run an Amazon Inspector agent inside the container during the build phase.

D.

Configure the ECS service to refuse deployment of images with critical vulnerabilities.

How to approach this question

Understand how ECR scanning integrates with CodePipeline (requires a custom evaluation step).

Full Answer

A. Configure Amazon ECR to scan on push. Add an AWS Step Functions state machine or a Lambda function to the pipeline to check the ECR scan results and fail the pipeline if critical vulnerabilities exist. ✓ Correct
Amazon Elastic Container Registry (ECR) can be configured to automatically scan images for vulnerabilities when they are pushed. However, CodePipeline does not natively pause or fail based on these scan results. To enforce the security requirement, you must add an action to your CodePipeline (typically an AWS Lambda function) that calls the ECR API to retrieve the scan findings. If the Lambda function detects 'Critical' findings, it returns a failure signal to CodePipeline, halting the deployment.
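As an added illustration of the Lambda action described above (example code, not from the question or from AWS): the handler reads the ECR scan findings for the image and returns a success or failure result to CodePipeline, failing closed when the scan is not complete. The UserParameters layout and the CRITICAL-only blocking policy are assumptions.

```python
# Lambda action that gates a CodePipeline stage on ECR scan findings.
# Added example, not code from the question or from AWS. Assumed: the action's
# UserParameters is JSON {"repository": ..., "imageTag": ...}; only CRITICAL blocks.
import json

BLOCKING_SEVERITIES = {"CRITICAL"}  # add "HIGH" here to tighten the policy


def evaluate_scan(scan_findings, blocking=BLOCKING_SEVERITIES):
    """Pass/fail verdict from a DescribeImageScanFindings response. Fails closed:
    a scan that is not COMPLETE (IN_PROGRESS, FAILED, missing) is a failure."""
    status = scan_findings.get("imageScanStatus", {}).get("status", "UNKNOWN")
    if status != "COMPLETE":
        return {"ok": False, "status": status, "blocking_count": 0, "names": []}
    findings = scan_findings.get("imageScanFindings", {})
    counts = findings.get("findingSeverityCounts", {})  # totals across all pages
    blocking_count = sum(counts.get(sev, 0) for sev in blocking)
    names = [f["name"] for f in findings.get("findings", [])
             if f.get("severity") in blocking]
    return {"ok": blocking_count == 0, "status": status,
            "blocking_count": blocking_count, "names": names}


def lambda_handler(event, context):
    import boto3  # local import keeps evaluate_scan() testable without boto3
    job = event["CodePipeline.job"]
    cfg = job["data"]["actionConfiguration"]["configuration"]
    params = json.loads(cfg["UserParameters"])
    resp = boto3.client("ecr").describe_image_scan_findings(
        repositoryName=params["repository"], imageId={"imageTag": params["imageTag"]})
    verdict = evaluate_scan(resp)
    pipeline = boto3.client("codepipeline")
    if verdict["ok"]:
        pipeline.put_job_success_result(jobId=job["id"])
    else:  # the failure result halts the pipeline before the ECS deploy stage
        pipeline.put_job_failure_result(jobId=job["id"], failureDetails={
            "type": "JobFailed",
            "message": f"scan {verdict['status']}: {verdict['blocking_count']} "
                       f"blocking finding(s), e.g. {verdict['names'][:5]}"})
    return verdict


# Constructed sample response (not real scan output) for a stand-alone run.
SAMPLE_SCAN = {"imageScanStatus": {"status": "COMPLETE"},
               "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2},
                                     "findings": [{"name": "CVE-PLACEHOLDER-1",
                                                   "severity": "CRITICAL"}]}}

if __name__ == "__main__":
    print(evaluate_scan(SAMPLE_SCAN))  # ok False, blocking_count 1
```

The Lambda's execution role needs ecr:DescribeImageScanFindings plus codepipeline:PutJobSuccessResult and codepipeline:PutJobFailureResult for this to work in a real pipeline.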

Common mistakes

Assuming CodePipeline natively integrates with ECR scan results without a custom Lambda action.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5
