Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 188 discussion

It allows the production ECS tasks in a different AWS account to pull images from the ECR repository in the main AWS account with the proper access control set via repository policies and ECS task execution role permissions

"You can configure your Amazon ECR private registry to support the replication of your repositories. Amazon ECR supports both cross-Region and cross-account replication" https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html If cross-account replication is enabled, then for Cross-account replication, choose the cross-account replication setting for the registry. For Destination account, enter the account ID for the destination account and one or more Destination regions to replicate to. Choose Destination account + to configure additional accounts as replication destinations. https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry-settings-configure.html

The correct answer is A: The company needs to move the production cluster into a separate AWS account in the same AWS Region. The repository is in a separate account, and permissions are set there, giving better isolation between environments.

Based the references provided, it would appear that both "C" and "D" could work to distribute an image, EXCEPT for the ""private connection" requirement. It's also seems like a cleaner solution to just rely on one ECR repository, rather than replicate repo's to other accounts in same region.

https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

Ans D: Amazon ECS tasks to pull private images from Amazon ECR, you must create a gateway endpoint for Amazon S3. The gateway endpoint is required because Amazon ECR uses Amazon S3 to store your image layers.

ECR VPC endpoints is needed to meet "download the images over a private connection."

Use ECR VPC endpoints is necessary to meet the below requirements. `download the images over a private connection.`

https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html

C is correct: ECR private image replication can allow replicate image to the new account A and D: both mentions S3 gw, which is unnecessary B: no mention of how to replicate images cross account

Don't see the difference between A & D

https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

Answer is D.

It's D

D - Using Amazon ECR VPC endpoints ensures that the ECS tasks in both the development and production clusters can pull Docker images securely over a private connection.