Which solution will meet these requirements with the MOST operational efficiency?
A. Build the container image and run the docker scan command locally. Mitigate any findings before pushing changes to the source code repository. Write a pre-commit hook that enforces the use of this workflow before commit.
B. Create a new CodePipeline stage that occurs after the container image is built. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.
C. Create a new CodePipeline stage that occurs after source code has been retrieved from its repository. Run a security scanner on the latest revision of the source code. Fail the pipeline if there are findings.
D. Add an action to the deployment stage of the pipeline so that the action occurs before the deployment to the EKS cluster. Configure ECR basic image scanning to scan on image push. Use an AWS Lambda function as the action provider. Configure the Lambda function to check the scan results and to fail the pipeline if there are findings.
Explanations:
A. Running a local scan and enforcing it with a pre-commit hook can surface issues early, but it depends on manual action by each developer and does not integrate into the CI/CD pipeline, leading to potential delays and inconsistent security practice.
B. This option integrates seamlessly into the existing CI/CD pipeline. Adding a stage that scans the container image right after it is built, using ECR's scan-on-push with a Lambda function that fails the pipeline on findings, surfaces vulnerabilities early with no additional manual steps, which preserves operational efficiency.
C. This option scans the source code rather than the container image, so it may not directly address vulnerabilities that arise in the built container image. It also adds complexity by requiring source code analysis instead of focusing on the image that will be deployed.
D. This option delays scanning until just before deployment. It does use ECR scanning, but it is less operationally efficient than option B because the image is not checked immediately after it is built, so findings may be addressed too late in the pipeline.
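The Lambda action described in option B, as an added example that is not part of the original question or any AWS sample: it waits for the ECR scan-on-push result, counts findings at or above a severity threshold, and reports success or failure back to CodePipeline. The repository name, image tag and threshold are assumed to arrive in the action's UserParameters as JSON; those parameter names and the sample scan result are hypothetical, constructed for this example.

```python
"""CodePipeline Lambda action: fail the stage when ECR basic scan findings
meet a severity threshold. Added example; not code from the original page.
Assumes UserParameters JSON like
{"repository": "my-app", "tag": "abc123", "threshold": "HIGH"} (hypothetical)."""
import json

# Severity names reported by ECR basic scanning, lowest to highest.
SEVERITY_ORDER = ["UNDEFINED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample of the imageScanFindings structure, for local runs.
SAMPLE_SCAN = {"findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2, "LOW": 7}}


def _rank(severity):
    """Map a severity name to its position; unknown names rank as UNDEFINED."""
    sev = str(severity).upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def findings_at_or_above(severity_counts, threshold):
    """Count findings whose severity is >= threshold.
    severity_counts is the findingSeverityCounts map from describe_image_scan_findings."""
    min_rank = _rank(threshold)
    return sum(n for sev, n in severity_counts.items() if _rank(sev) >= min_rank)


def evaluate_scan(scan_findings, threshold="HIGH"):
    """Decide pass/fail from an imageScanFindings dict. Returns (passed, message)."""
    counts = scan_findings.get("findingSeverityCounts", {})
    blocking = findings_at_or_above(counts, threshold)
    if blocking:
        return False, f"{blocking} finding(s) at {threshold} or above: {counts}"
    return True, f"no findings at {threshold} or above: {counts}"


def lambda_handler(event, context):
    """Entry point for the CodePipeline Lambda action provider."""
    import boto3  # imported here so the decision logic above runs without AWS

    job = event["CodePipeline.job"]
    job_id = job["id"]
    params = json.loads(
        job["data"]["actionConfiguration"]["configuration"]["UserParameters"]
    )
    image_id = {"imageTag": params["tag"]}
    ecr = boto3.client("ecr")
    codepipeline = boto3.client("codepipeline")
    try:
        # Scan-on-push runs asynchronously; block until the result exists.
        ecr.get_waiter("image_scan_complete").wait(
            repositoryName=params["repository"], imageId=image_id
        )
        resp = ecr.describe_image_scan_findings(
            repositoryName=params["repository"], imageId=image_id
        )
        passed, message = evaluate_scan(
            resp["imageScanFindings"], params.get("threshold", "HIGH")
        )
    except Exception as exc:  # any API or timeout error also fails the stage
        passed, message = False, f"scan check error: {exc}"

    if passed:
        codepipeline.put_job_success_result(jobId=job_id)
    else:
        codepipeline.put_job_failure_result(
            jobId=job_id,
            failureDetails={"type": "JobFailed", "message": message[:5000]},
        )
    return {"passed": passed, "message": message}


if __name__ == "__main__":
    # Offline demonstration against the constructed sample result.
    print(evaluate_scan(SAMPLE_SCAN, "HIGH"))
    print(evaluate_scan(SAMPLE_SCAN, "CRITICAL"))
```

Failing the stage on API errors as well as on findings is deliberate: a scan that could not be read should never let an unverified image through to the EKS deployment. The threshold lets teams block on HIGH and CRITICAL while still recording lower-severity findings in the failure message.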