ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

View all questions & answers for the AWS Certified DevOps Engineer - Professional DOP-C02 exam
Go to Exam

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 238 discussion

Exam question from Amazon's AWS Certified DevOps Engineer - Professional DOP-C02
Question #: 238
Topic #: 1
[All AWS Certified DevOps Engineer - Professional DOP-C02 Questions]

A company is migrating its container-based workloads to an AWS Organizations multi-account environment. The environment consists of application workload accounts that the company uses to deploy and run the containerized workloads. The company has also provisioned a shared services account for shared workloads in the organization.

The company must follow strict compliance regulations. All container images must receive security scanning before they are deployed to any environment. Images can be consumed by downstream deployment mechanisms after the images pass a scan with no critical vulnerabilities. Pre-scan and post-scan images must be isolated from one another so that a deployment can never use pre-scan images.

A DevOps engineer needs to create a strategy to centralize this process.

Which combination of steps will meet these requirements with the LEAST administrative overhead? (Choose two.)

  • A. Create Amazon Elastic Container Registry (Amazon ECR) repositories in the shared services account: one repository for each pre-scan image and one repository for each post-scan image. Configure Amazon ECR image scanning to run on new image pushes to the pre-scan repositories. Use resource-based policies to grant the organization write access to the pre-scan repositories and read access to the post-scan repositories.
  • B. Create pre-scan Amazon Elastic Container Registry (Amazon ECR) repositories in each account that publishes container images. Create repositories for post-scan images in the shared services account. Configure Amazon ECR image scanning to run on new image pushes to the pre-scan repositories. Use resource-based policies to grant the organization read access to the post-scan repositories.
  • C. Configure image replication for each image from the image's pre-scan repository to the image's post-scan repository.
  • D. Create a pipeline in AWS CodePipeline for each pre-scan repository. Create a source stage that runs when new images are pushed to the pre-scan repositories. Create a stage that uses AWS CodeBuild as the action provider. Write a buildspec.yaml definition that determines the image scanning status and pushes images without critical vulnerabilities to the post-scan repositories.
  • E. Create an AWS Lambda function. Create an Amazon EventBridge rule that reacts to image scanning completed events and invokes the Lambda function. Write function code that determines the image scanning status and pushes images without critical vulnerabilities to the post-scan repositories.
Show Suggested Answer Hide Answer
Suggested Answer: AE 🗳️
by xdkonorek2 at July 5, 2024, 3:47 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
trungtd
Highly Voted 11 months, 1 week ago
Selected Answer: AE
LEAST administrative overhead: => Should create ECR repositories in the shared services account => A And should create only 1 Lambda function => E D wrong because it involves creating and managing multiple pipelines, which increases administrative overhead significantly
upvoted 5 times
...
jojewi8143
Most Recent 4 months, 2 weeks ago
Selected Answer: AE
AE because lambda
upvoted 1 times
...
aws_god
9 months, 1 week ago
Selected Answer: AD
Lambda is not meant to work with Docker
upvoted 4 times
...
limelight04
9 months, 4 weeks ago
Selected Answer: AD
AD gives the least administrative overhead
upvoted 3 times
...
auxwww
10 months, 2 weeks ago
Why E is not optimal - https://stackoverflow.com/questions/51158595/build-and-push-docker-image-to-aws-ecr-using-lambda
upvoted 2 times
...
auxwww
10 months, 2 weeks ago
Selected Answer: AD
Why not E - To push images to the post-scan repo, you need a custom lambda container to run docker pull and push commands which is more complicated than Option D
upvoted 3 times
...
jamesf
10 months, 3 weeks ago
Selected Answer: AE
keywords: LEAST Administrative overhead Option A centralizes the repository management in the shared services account, simplifying access control and configuration management. Pre-scan and post-scan repositories are clearly separated, ensuring that only post-scan images are deployed. Option E uses event-driven automation to handle the scanning results and image promotion, reducing manual intervention and ensuring that only images that pass the security scan are moved to the post-scan repositories. This approach is efficient and minimizes administrative overhead compared to manually setting up pipelines or replication mechanisms.
upvoted 4 times
...
tgv
11 months, 1 week ago
---> AE
upvoted 2 times
...
xdkonorek2
11 months, 2 weeks ago
Selected Answer: AE
E > D for LEAST administrative overhead
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel