Which solution will meet these requirements?
Use EC2 Image Builder to create a container image pipeline. Use Amazon ECR as the target repository. Turn on enhanced scanning on the ECR repository. Create an Amazon EventBridge rule to capture an Amazon Inspector finding event. Use the event to invoke the image pipeline. Re-upload the container to the repository.
Use EC2 Image Builder to create a container image pipeline. Use Amazon ECR as the target repository. Enable Amazon GuardDuty Malware Protection on the container workload. Create an Amazon EventBridge rule to capture a GuardDuty finding event. Use the event to invoke the image pipeline.
Create an AWS CodeBuild project to create a container image. Use Amazon ECR as the target repository. Turn on basic scanning on the repository. Create an Amazon EventBridge rule to capture an ECR image action event. Use the event to invoke the CodeBuild project. Re-upload the container to the repository.
Create an AWS CodeBuild project to create a container image. Use Amazon ECR as the target repository. Configure AWS Systems Manager Compliance to scan all managed nodes. Create an Amazon EventBridge rule to capture a configuration compliance state change event. Use the event to invoke the CodeBuild project.
Explanations:
The first option (EC2 Image Builder pipeline, ECR with enhanced scanning, EventBridge rule on an Amazon Inspector finding) is the one that meets the requirements. Enhanced scanning hands the repository to Amazon Inspector, which scans both operating-system packages and programming-language packages and, with continuous scanning enabled, rescans images already stored in the repository as new CVEs are published rather than only at push time. Each finding is published to EventBridge (source aws.inspector2, detail-type "Inspector2 Finding"), so a rule can invoke the Image Builder pipeline, which rebuilds the image with patched packages and pushes it back to ECR, where it is scanned again. This is the only option in which the trigger is an actual vulnerability finding and the rebuild covers both package types.
The second option uses EC2 Image Builder and Amazon ECR, but Amazon GuardDuty is a threat-detection service. Malware Protection scans EBS volumes attached to EC2 instances (including instances running containers) and S3 objects for malware; it does not enumerate CVEs in OS or language packages, and a GuardDuty finding does not mean a package needs patching. Triggering the pipeline from GuardDuty findings therefore does not give continuous monitoring for the vulnerabilities the requirement names.
The third option builds the image with AWS CodeBuild and turns on basic scanning. Basic scanning uses the CVE database from the open-source Clair project, covers only OS packages (not language packages), and runs only on push or on manual request, so it does not rescan stored images when new CVEs are published. In addition, an "ECR Image Action" event fires on image push or delete, not on a scan result: wiring it to CodeBuild rebuilds the image whenever one is pushed (and the rebuilt image's own push fires the rule again), which is unrelated to vulnerability detection.
The fourth option uses AWS CodeBuild for the build and AWS Systems Manager Compliance for scanning. Systems Manager Compliance reports patch and association compliance for managed nodes, that is, EC2 instances and on-premises servers running the SSM Agent; it has no view of the images stored in ECR. A configuration-compliance state change therefore says nothing about CVEs in the container image, so the requirement for continuous vulnerability detection on the container workload is not met.
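The piece the first option leaves implicit is the glue between the EventBridge rule and the Image Builder pipeline. The following is an added example, not part of the original question or answer key: a Lambda function that EventBridge invokes on an "Inspector2 Finding" event, checks that the finding is active, at or above a severity floor, and about the repository the pipeline publishes to, and then starts the pipeline with the Image Builder StartImagePipelineExecution API. The event pattern, the pipeline ARN, the repository name and the sample event are constructed for this example, and the small recording stub stands in for the boto3 client so the code runs offline.

```python
"""
Added example (not from the original page): EventBridge -> Lambda -> EC2 Image Builder
glue for the "ECR enhanced scanning + Amazon Inspector finding" option.
The event shape is the "Inspector2 Finding" event Amazon Inspector publishes to
EventBridge, trimmed to the fields used here; all ARNs and names are made up.
"""
import os
from typing import Any, Dict, Iterable, Optional

# Event pattern for the EventBridge rule (constructed). Only ACTIVE package-vulnerability
# findings raised against an ECR container image reach the function, so EC2 or Lambda
# findings in the same account do not start container rebuilds.
INSPECTOR_ECR_EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.inspector2"],
    "detail-type": ["Inspector2 Finding"],
    "detail": {
        "status": ["ACTIVE"],
        "type": ["PACKAGE_VULNERABILITY"],
        "resources": {"type": ["AWS_ECR_CONTAINER_IMAGE"]},
    },
}

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Hypothetical pipeline ARN; in Lambda this comes from the IMAGE_PIPELINE_ARN variable.
PIPELINE_ARN = "arn:aws:imagebuilder:us-east-1:111122223333:image-pipeline/app-container-pipeline"


def ecr_repositories(event: Dict[str, Any]) -> Iterable[str]:
    """Yield the ECR repository names an Inspector finding event refers to."""
    for res in event.get("detail", {}).get("resources", []):
        if res.get("type") != "AWS_ECR_CONTAINER_IMAGE":
            continue
        image = res.get("details", {}).get("awsEcrContainerImage", {})
        if image.get("repositoryName"):
            yield image["repositoryName"]


def should_rebuild(event: Dict[str, Any], repository: str, min_severity: str = "HIGH") -> bool:
    """Rebuild only for ACTIVE findings at or above min_severity on our repository.

    Inspector emits one event per CVE per image, so the severity floor keeps every
    LOW/MEDIUM finding from starting a pipeline run; SUPPRESSED/CLOSED findings are ignored.
    """
    detail = event.get("detail", {})
    if detail.get("status") != "ACTIVE":
        return False
    if SEVERITY_RANK.get(detail.get("severity", ""), -1) < SEVERITY_RANK[min_severity]:
        return False
    return repository in set(ecr_repositories(event))


def handler(event: Dict[str, Any], context: Any = None, *, imagebuilder: Any = None,
            pipeline_arn: Optional[str] = None, repository: Optional[str] = None,
            min_severity: Optional[str] = None) -> Dict[str, Any]:
    """Lambda entry point; configuration comes from the environment unless passed in.

    The pipeline's distribution configuration (not shown) is what pushes the rebuilt
    image back to the same ECR repository, where enhanced scanning picks it up again.
    """
    pipeline_arn = pipeline_arn or os.environ["IMAGE_PIPELINE_ARN"]
    repository = repository or os.environ["ECR_REPOSITORY"]
    min_severity = min_severity or os.environ.get("MIN_SEVERITY", "HIGH")
    if not should_rebuild(event, repository, min_severity):
        return {"started": False}
    if imagebuilder is None:
        import boto3  # only needed inside Lambda; the stub below covers offline runs
        imagebuilder = boto3.client("imagebuilder")
    resp = imagebuilder.start_image_pipeline_execution(imagePipelineArn=pipeline_arn)
    return {"started": True, "imageBuildVersionArn": resp.get("imageBuildVersionArn")}


class RecordingImageBuilder:
    """Offline stand-in for the boto3 imagebuilder client; records the calls it receives."""

    def __init__(self) -> None:
        self.calls: list = []

    def start_image_pipeline_execution(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        # Shape of the real response, with a made-up build version ARN.
        return {"imageBuildVersionArn": "arn:aws:imagebuilder:us-east-1:111122223333:image/app/1.0.0/1"}


# Constructed "Inspector2 Finding" event for a CRITICAL finding on repository "app".
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "status": "ACTIVE",
        "type": "PACKAGE_VULNERABILITY",
        "severity": "CRITICAL",
        "resources": [{
            "type": "AWS_ECR_CONTAINER_IMAGE",
            "id": "arn:aws:ecr:us-east-1:111122223333:repository/app/sha256:0123",
            "details": {"awsEcrContainerImage": {"repositoryName": "app", "imageTags": ["latest"]}},
        }],
    },
}

if __name__ == "__main__":
    stub = RecordingImageBuilder()
    print(handler(SAMPLE_EVENT, imagebuilder=stub, pipeline_arn=PIPELINE_ARN, repository="app"))
```

Because Inspector raises one finding per CVE per image, a batch of newly published CVEs produces a burst of events; in production the function would also check for an in-progress build (for example by listing the pipeline's recent images or holding a short-lived lock) before starting another execution.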