Which solution meets these requirements?
Configure scan on push on the repository. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Step Functions state machine when a scan is complete for images that have Critical or High severity findings. Use the Step Functions state machine to delete the image tag for those images and to notify the development team through Amazon Simple Notification Service (Amazon SNS).
Configure scan on push on the repository. Configure scan results to be pushed to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Lambda function when a new message is added to the SQS queue. Use the Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).
Schedule an AWS Lambda function to start a manual image scan every hour. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke another Lambda function when a scan is complete. Use the second Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Notification Service (Amazon SNS).
Configure periodic image scan on the repository. Configure scan results to be added to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Step Functions state machine when a new message is added to the SQS queue. Use the Step Functions state machine to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).
Explanations:
This solution uses “scan on push” for immediate scanning upon image upload, EventBridge to trigger a Step Functions state machine when a scan reveals Critical or High severity findings, and then uses the Step Functions state machine to delete the image tag and notify the development team via SNS. This approach satisfies all requirements for automated inspection, deletion, and notification.
Although this option leverages “scan on push” and uses SQS to queue scan results, it relies on SES for notification, which isn’t specified as a requirement. Additionally, using Lambda directly instead of a more robust workflow like Step Functions for tag deletion makes handling failure scenarios less straightforward.
This solution does not meet the real-time requirement because it schedules scans every hour, which could delay identifying and deleting vulnerable images. Using a second Lambda function to delete tags instead of a more comprehensive state machine limits control over the process and failure handling.
This option uses a periodic scan rather than “scan on push,” which may delay identifying vulnerabilities in new image versions. Also, it uses SES for notifications and relies on a Step Functions state machine invoked through SQS, which is more complex and indirect compared to using EventBridge directly.
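As an added example (not part of the original question or its explanations), the triage logic a Step Functions task would run for the first option: it consumes the "ECR Image Scan" event that EventBridge delivers after a scan-on-push completes, keeps only images with Critical or High findings, and produces the ECR BatchDeleteImage input and SNS payload. The event layout follows the documented ECR basic-scanning event; the repository name, account, digest and finding counts are constructed, and the rule pattern is an assumption about how the EventBridge filter would be written.

```python
BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")

# EventBridge rule pattern: fire only for a completed scan with at least one
# Critical or High finding ("$or" stops the two checks being AND-ed together).
EVENT_PATTERN = {
    "source": ["aws.ecr"],
    "detail-type": ["ECR Image Scan"],
    "detail": {
        "scan-status": ["COMPLETE"],
        "$or": [
            {"finding-severity-counts": {"CRITICAL": [{"numeric": [">", 0]}]}},
            {"finding-severity-counts": {"HIGH": [{"numeric": [">", 0]}]}},
        ],
    },
}

def triage_scan_event(event):
    """Build the ECR BatchDeleteImage input and the SNS payload for one scan
    event; return None when there is nothing to remediate."""
    detail = event["detail"]
    if detail.get("scan-status") != "COMPLETE":
        return None  # FAILED / IN_PROGRESS events carry no usable counts
    counts = detail.get("finding-severity-counts", {})
    blocking = {s: counts[s] for s in BLOCKING_SEVERITIES if counts.get(s, 0) > 0}
    if not blocking:
        return None
    tags = detail.get("image-tags", [])
    # Deleting by tag removes only the tag, so pulls by that tag stop; an
    # untagged image has nothing to untag, so it is referenced by digest.
    image_ids = [{"imageTag": t} for t in tags] or [{"imageDigest": detail["image-digest"]}]
    return {
        "delete_request": {"repositoryName": detail["repository-name"], "imageIds": image_ids},
        "sns_payload": {
            "repository": detail["repository-name"],
            "imageDigest": detail["image-digest"],
            "tagsRemoved": tags,
            "blockingFindings": blocking,
        },
    }

SAMPLE_EVENT = {  # constructed sample; account, digest and counts are made up
    "source": "aws.ecr", "detail-type": "ECR Image Scan", "account": "123456789012",
    "detail": {
        "scan-status": "COMPLETE", "repository-name": "payments-api",
        "image-digest": "sha256:" + "ab" * 32, "image-tags": ["v2.3.1", "latest"],
        "finding-severity-counts": {"CRITICAL": 1, "HIGH": 3, "LOW": 12},
    },
}
```

The returned `delete_request` is the keyword input for `ecr.batch_delete_image`, and `sns_payload` is what the state machine's SNS publish step would serialize for the development team.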