Question #836
A company uses AWS Organizations to manage multiple AWS accounts. The company is developing a serverless application that utilizes Lambda layers stored in Amazon Elastic Container Registry (Amazon ECR). The company needs to ensure that only accounts within their organization can access these layers. They want to retain all tagged layers indefinitely but keep only the three most recent untagged layers. The solution must minimize operational overhead. Which approach meets these requirements?
Create a private ECR repository. Apply a resource policy allowing ECR actions with a condition specifying aws:PrincipalOrgID matching the organization's ID. Configure a lifecycle policy to expire untagged images beyond the last three.
Create a public ECR repository. Define an IAM role with permissions for ECR access, allowing assumption by accounts within the organization via aws:PrincipalOrgID. Add a lifecycle rule to remove untagged layers exceeding three.
Set up a private ECR repository with a resource policy permitting ECR operations for organization account IDs. Schedule an AWS Lambda function triggered by EventBridge to delete untagged layers beyond three.
Use a public ECR repository with a VPC endpoint policy restricting access to organization accounts. Implement a daily Lambda function to manage untagged layer retention.
Explanation
Option A is correct because:
1. Private ECR Repository: Ensures layers are not publicly accessible.
2. Resource Policy: Uses aws:PrincipalOrgID to restrict access to accounts within the organization.
3. Lifecycle Policy: Automatically retains tagged layers indefinitely and expires untagged layers beyond the last three, eliminating manual intervention.
Other options fail because:
- B/C/D use public repositories (B/D) or rely on custom Lambda functions (C/D), which introduce security risks or operational overhead.
- B incorrectly uses a public repository, which allows external access unless explicitly blocked.
- C/D require maintaining Lambda functions, conflicting with the 'minimize operational overhead' requirement.
Key Points:
- Use ECR resource policies with aws:PrincipalOrgID for cross-account access within an organization.
- Leverage ECR lifecycle policies for automated retention rules.
- Avoid custom scripts (e.g., Lambda) when AWS-native features suffice.
Answer
The correct answer is: A