Question #753
A company is using Amazon ECR to store container images for their Amazon ECS tasks deployed on EC2 instances. They need an automated solution that scans new image versions upon push, deletes the image tag if Critical or High severity vulnerabilities are detected, and sends an email notification to the development team.
Which solution meets these requirements?
A. Enable automatic scanning on push in ECR. Configure an Amazon EventBridge rule to trigger an AWS Lambda function when a scan finds Critical or High severity findings. The Lambda function deletes the image tag and sends a notification using Amazon SNS.
B. Set up a daily scheduled scan using AWS Systems Manager. Use an EventBridge rule to invoke an AWS Step Functions workflow when the scan completes. The workflow deletes the image tag if vulnerabilities are found and notifies via Amazon SES.
C. Configure ECR to scan images on push and send results to an Amazon SQS queue. Use a Lambda function to process messages from the queue, delete tags for severe findings, and notify using Amazon SNS.
D. Use AWS Config to monitor ECR repositories. When a new image is pushed, trigger a Lambda function to perform a manual scan, delete the tag if needed, and send an email via Amazon SES.
Explanation
The correct answer is A because:
1. ECR automatic scanning on push ensures new images are scanned immediately.
2. EventBridge captures the ECR scan-result event (detail type "ECR Image Scan") and triggers a Lambda function only when Critical/High vulnerabilities are found.
3. Lambda deletes the vulnerable image tag and sends notifications via SNS (simple and native integration).
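As an added example (not part of the original question or any AWS sample code), a Python Lambda handler implementing steps 2 and 3: it consumes the EventBridge "ECR Image Scan" event, untags the image when the scan's finding-severity-counts include Critical or High, and publishes a notification to an SNS topic. The event pattern and the scan event's field names are the real ones; the topic ARN, repository name, digest and tags in the sample event are constructed placeholders.

```python
"""Lambda for the ECR scan-result event. Assumed EventBridge rule pattern (step 2):
{"source": ["aws.ecr"], "detail-type": ["ECR Image Scan"],
 "detail": {"scan-status": ["COMPLETE"]}}
The severity check is repeated here so the function stays safe if the rule is broader."""
import json
import os

BLOCKING = ("CRITICAL", "HIGH")


def severe_tags(event, severities=BLOCKING):
    """Return (repository, tags-to-remove); tags is empty unless a blocking severity has findings."""
    detail = event.get("detail", {})
    repo = detail.get("repository-name")
    if detail.get("scan-status") != "COMPLETE":
        return repo, []
    counts = detail.get("finding-severity-counts", {})
    if not any(counts.get(s, 0) > 0 for s in severities):
        return repo, []
    return repo, list(detail.get("image-tags", []))


def remediate(event, ecr, sns, topic_arn):
    """Untag the image and notify; returns the tags removed (empty when nothing to do)."""
    repo, tags = severe_tags(event)
    if not tags:
        return []
    # Deleting by tag removes the tag; the untagged image remains until a lifecycle policy expires it.
    ecr.batch_delete_image(repositoryName=repo, imageIds=[{"imageTag": t} for t in tags])
    detail = event["detail"]
    sns.publish(TopicArn=topic_arn, Subject=f"ECR: vulnerable tags removed from {repo}",
                Message=json.dumps({"repository": repo, "removed_tags": tags,
                                    "image_digest": detail.get("image-digest"),
                                    "severity_counts": detail.get("finding-severity-counts")}, indent=2))
    return tags


def lambda_handler(event, context):
    import boto3  # imported here so the pure logic above runs in unit tests without the SDK
    return remediate(event, boto3.client("ecr"), boto3.client("sns"), os.environ["TOPIC_ARN"])


# Constructed sample event (placeholder repository, digest and tags) for local testing.
SAMPLE_EVENT = {
    "source": "aws.ecr", "detail-type": "ECR Image Scan",
    "detail": {"scan-status": "COMPLETE", "repository-name": "payments-api",
               "image-digest": "sha256:PLACEHOLDER", "image-tags": ["1.4.2", "latest"],
               "finding-severity-counts": {"CRITICAL": 1, "HIGH": 3, "MEDIUM": 7}},
}
```

The Lambda's execution role needs ecr:BatchDeleteImage on the repository and sns:Publish on the topic; everything else is handled by the rule target configuration.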
Why other options are incorrect:
- B: Daily scans via Systems Manager are unnecessary (ECR scans on push) and Step Functions adds complexity.
- C: SQS is redundant since EventBridge natively handles ECR events.
- D: AWS Config is not designed for real-time scan triggers, and manual scans are inefficient.
Key Points:
- Use ECR’s built-in scanning with EventBridge for real-time automation.
- Lambda + SNS provides lightweight remediation and notifications.
- Avoid overcomplicating workflows with Step Functions or non-native services.
Answer
The correct answer is: A