AWS Certified Solutions Architect - Associate / Question #1827 of 1019

Question #1827

A company is using Amazon ECS to run their containerized applications. They need to ensure that all container images in their repository are automatically scanned for vulnerabilities when new images are pushed, and that existing images are rescanned periodically. The solution must require minimal changes to their current setup.

Which solution meets these requirements with the LEAST operational overhead?

A

Use Amazon ECR as the container registry. Enable automated scanning on image push and configure a scheduled scan for existing images using ECR's built-in features.

B

Store images in an Amazon S3 bucket. Use Amazon Inspector to scan images upon upload via S3 Event Notifications and set up an AWS Lambda function to trigger weekly scans.

C

Migrate the container workloads to AWS Fargate. Use Amazon ECR with enhanced scanning enabled to automatically scan images on push and perform recurring scans.

D

Implement a third-party image scanning tool integrated through AWS Lambda. Configure Amazon EventBridge to trigger scans on image push events and weekly rescans.

Explanation

Answer A is correct because Amazon ECR (Elastic Container Registry) natively supports automated vulnerability scanning when images are pushed and allows periodic rescans via its built-in features. This requires minimal operational overhead as it leverages AWS-managed services already integrated with ECS.

Option B is incorrect because storing images in S3 is not standard for ECS (which typically uses ECR), and Amazon Inspector focuses on runtime environments, not image scanning. Option C adds an unnecessary migration because AWS Fargate is unrelated to image scanning; ECR's enhanced scanning works regardless of the compute platform. Option D introduces third-party tools and custom Lambda/EventBridge setups, increasing operational complexity. Key takeaway: ECR's native scanning features fulfill the requirements with the least effort.

Answer

The correct answer is: A