ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 224 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 224
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company is running a containerized application in the AWS Cloud. The application is running by using Amazon Elastic Container Service (Amazon ECS) on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group.

The company uses Amazon Elastic Container Registry (Amazon ECR) to store its container images. When a new image version is uploaded, the new image version receives a unique tag.

The company needs a solution that inspects new image versions for common vulnerabilities and exposures. The solution must automatically delete new image tags that have Critical or High severity findings. The solution also must notify the development team when such a deletion occurs.

Which solution meets these requirements?

  • A. Configure scan on push on the repository. Use Amazon EventBridge to invoke an AWS Step Functions state machine when a scan is complete for images that have Critical or High severity findings. Use the Step Functions state machine to delete the image tag for those images and to notify the development team through Amazon Simple Notification Service (Amazon SNS).
  • B. Configure scan on push on the repository. Configure scan results to be pushed to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Lambda function when a new message is added to the SQS queue. Use the Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).
  • C. Schedule an AWS Lambda function to start a manual image scan every hour. Configure Amazon EventBridge to invoke another Lambda function when a scan is complete. Use the second Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Notification Service (Amazon SNS).
  • D. Configure periodic image scan on the repository. Configure scan results to be added to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Step Functions state machine when a new message is added to the SQS queue. Use the Step Functions state machine to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by emiliocb4 at June 21, 2023, 8:51 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
joleneinthebackyard
Highly Voted 1 year, 2 months ago
Selected Answer: A
You want to look for "scan on push" solution, as scanning periodically is not enough, damage might have been done -> C, D is out, only A, B A sounds complex, but B even worse, how can you put result in SQS? wording is so bad if they means sending message to SQS. Notifying by SES is a straight red flag that AWS exams like to use. Only A makes sense.
upvoted 10 times
kz407
9 months, 3 weeks ago
Problem with this approach is, if you scan only what's pushed, and it has a zero-day vulnerability, you won't see it. Since you are scanning only when you are pushing, you won't detect the vulnerability ever. IMO, scanning periodically gives a better shot. Ideally it should be scanning both on push and periodically.
upvoted 3 times
...
...
kz407
Most Recent 9 months, 3 weeks ago
Selected Answer: A
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html In a nutshell, 2 types of scans. Basic: Scanned against CVE DB, "ON PUSH" or a manual scan. Don't see any way of notifying anywhere. Enhanced: Ongoing scanning with Amazon Inspector, findings delivered via EventBridge notifications. Closest answer would be A.
upvoted 2 times
...
shaaam80
1 year, 1 month ago
Selected Answer: A
Answer A.
upvoted 1 times
...
career360guru
1 year, 1 month ago
Selected Answer: A
Option A
upvoted 2 times
...
NikkyDicky
1 year, 6 months ago
Selected Answer: A
A, but I think step function need to call Lambda to delete tag. there is not direct ecr integration
upvoted 3 times
...
SkyZeroZx
1 year, 6 months ago
Selected Answer: A
Use the building feature if you can, so scan on push. I go with A because other options are not good B - you cannot use SES.
upvoted 2 times
...
Maria2023
1 year, 6 months ago
Selected Answer: A
I vote A since I tested it and confirm it's achievable. As for B - I couldn't find any option to publish the result of the scan to SQS so I stopped there
upvoted 1 times
...
elanelans
1 year, 6 months ago
Selected Answer: A
A meet the requirements. https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html
upvoted 2 times
...
SmileyCloud
1 year, 6 months ago
Selected Answer: A
C and D are out because they are not automatic but rather scheduled. B is out because you don't need SQS for this and def don't need SES. A makes sense because it's much leaner solution.
upvoted 2 times
...
nexus2020
1 year, 6 months ago
Selected Answer: A
Use the building feature if you can, so scan on push. And A make more sense
upvoted 1 times
...
bhanus
1 year, 6 months ago
Selected Answer: A
I go with A because other options are not good B - you cannot use SES. SES is generally used to send Bulk/marketing emails. C- schedule Lambda to scan every hour is not a good approach D - like B you cannot use SES for this use case. So A sounds reasonable
upvoted 2 times
...
emiliocb4
1 year, 6 months ago
why not A ?
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel