Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 252 discussion

A company needs to increase the security of the container images that run in its production environment. The company wants to integrate operating system scanning and programming language package vulnerability scanning for the containers in its CI/CD pipeline. The CI/CD pipeline is an AWS CodePipeline pipeline that includes an AWS CodeBuild build project, AWS CodeDeploy actions, and an Amazon Elastic Container Registry (Amazon ECR) repository.

A DevOps engineer needs to add an image scan to the CI/CD pipeline. The CI/CD pipeline must deploy only images without CRITICAL and HIGH findings into production.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Use Amazon ECR basic scanning.
  • B. Use Amazon ECR enhanced scanning.
  • C. Configure Amazon ECR to submit a Rejected status to the CI/CD pipeline when the image scan returns CRITICAL or HIGH findings.
  • D. Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the image scan is completed. Configure the Lambda function to consume the Amazon Inspector scan status and to submit an Approved or Rejected status to the CI/CD pipeline.
  • E. Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the image scan is completed. Configure the Lambda function to consume the Clair scan status and to submit an Approved or Rejected status to the CI/CD pipeline.
Suggested Answer: BD
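
The gate described in option D, sketched as a Lambda handler. This is an added example, not part of the original question or AWS's own code. It assumes the pipeline has a manual approval action in front of the production deploy; the names `PIPELINE_NAME`, `ScanGate` and `ImageScanApproval` are hypothetical, and the sample event is constructed to follow the shape of the "Inspector2 Scan" event that enhanced scanning sends to EventBridge.

```python
import os

BLOCKING = ("CRITICAL", "HIGH")  # severities that must not reach production

def decide(event):
    """Return (status, summary) for an Amazon Inspector ECR scan event."""
    detail = event.get("detail", {})
    digest = detail.get("image-digest", "unknown digest")
    # Fail closed: anything other than a completed Inspector scan blocks the deploy.
    if event.get("source") != "aws.inspector2" or detail.get("scan-status") != "INITIAL_SCAN_COMPLETE":
        return "Rejected", f"{digest}: scan not completed ({detail.get('scan-status')})"
    counts = detail.get("finding-severity-counts")
    if not isinstance(counts, dict):
        return "Rejected", f"{digest}: no severity counts in event"
    hits = {s: counts.get(s, 0) for s in BLOCKING if counts.get(s, 0) > 0}
    if hits:
        return "Rejected", f"{digest}: blocking findings {hits}"
    return "Approved", f"{digest}: no CRITICAL or HIGH findings"

def approval_token(state, stage, action):
    """Find the pending approval token in a get_pipeline_state response."""
    for st in state.get("stageStates", []):
        if st.get("stageName") != stage:
            continue
        for act in st.get("actionStates", []):
            if act.get("actionName") == action:
                return act.get("latestExecution", {}).get("token")
    return None

def lambda_handler(event, context):
    import boto3  # imported here so decide() can be tested without AWS access
    # Hypothetical names; point them at the pipeline's manual approval action.
    pipeline = os.environ["PIPELINE_NAME"]
    stage = os.environ.get("APPROVAL_STAGE", "ScanGate")
    action = os.environ.get("APPROVAL_ACTION", "ImageScanApproval")
    status, summary = decide(event)
    cp = boto3.client("codepipeline")
    token = approval_token(cp.get_pipeline_state(name=pipeline), stage, action)
    if token is None:
        raise RuntimeError("no pending approval to answer")
    cp.put_approval_result(pipelineName=pipeline, stageName=stage, actionName=action,
                           result={"summary": summary, "status": status}, token=token)
    return status

# Constructed sample event; values are illustrative, not from a real scan.
SAMPLE = {"source": "aws.inspector2", "detail-type": "Inspector2 Scan",
          "detail": {"scan-status": "INITIAL_SCAN_COMPLETE",
                     "image-digest": "sha256:EXAMPLE", "image-tags": ["latest"],
                     "finding-severity-counts": {"CRITICAL": 0, "HIGH": 2, "MEDIUM": 5, "TOTAL": 7}}}
```

The gate is only sound if the event's `image-digest` is matched against the image the waiting pipeline execution actually built; that correlation is left out here.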

Comments

jamesf
7 months, 3 weeks ago
Selected Answer: BD
B. Use Amazon ECR Enhanced Scanning
  • Comprehensive Vulnerability Checks: Amazon ECR enhanced scanning is integrated with Amazon Inspector, providing thorough security checks on container images. It scans for both operating system vulnerabilities and application-level vulnerabilities in programming language packages, which basic scanning does not support.
  • Integration with Amazon Inspector: Enhanced scanning leverages Amazon Inspector for deeper vulnerability analysis, ensuring the images are secure before deployment.
  • CRITICAL and HIGH Severity Detection: The enhanced scanning option specifically identifies CRITICAL and HIGH vulnerabilities, aligning with the requirement to only deploy images that do not have these issues.
upvoted 2 times
d0229a2
7 months, 4 weeks ago
All images pushed to Amazon ECR after enhanced scanning is turned on are continually scanned for the configured duration.
upvoted 1 times
tgv
8 months ago
Selected Answer: BD
---> B D
As per documentation, basic scanning uses CVEs from the open-source Clair project. Enhanced scanning is an integration with Amazon Inspector. This suggests both options use different databases/scanners.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-basic.html
upvoted 3 times