A company runs workloads on Amazon Elastic Container Service (Amazon ECS). The container images used by the ECS task definitions need to be scanned for Common Vulnerabilities and Exposures (CVEs). New images must also be scanned when created. Which solution meets these requirements with the FEWEST changes to the workloads?
Choose an answer
Tap an option to check your answer.
Correct answer: Use Amazon Elastic Container Registry (Amazon ECR) as a private image repository to store the container images. Specify scan on push filters for the ECR basic scan..
Why this is the answer
Using Amazon ECR as a private image repository with scan on push filters for the ECR basic scan is the most efficient solution. ECR natively integrates vulnerability scanning for container images, automatically identifying CVEs upon image push. This requires minimal changes to existing ECS workloads, as ECS already pulls images from ECR. Storing images in an S3 bucket and using Macie is incorrect because Macie is designed for data discovery and classification, not for scanning container images for CVEs. Deploying to EKS is a significant architectural change, not a solution with the fewest changes. Storing images in S3 and using a Lambda function to initiate an Amazon Inspector scan is overly complex and requires custom development, whereas ECR provides this functionality natively.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed