Which solution meets these requirements?
Configure scan on push on the repository. Use Amazon EventBridge to invoke an AWS Step Functions state machine when a scan is complete for images that have Critical or High severity findings. Use the Step Functions state machine to delete the image tag for those images and to notify the development team through Amazon Simple Notification Service (Amazon SNS).
Configure scan on push on the repository. Configure scan results to be pushed to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Lambda function when a new message is added to the SQS queue. Use the Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).
Schedule an AWS Lambda function to start a manual image scan every hour. Configure Amazon EventBridge to invoke another Lambda function when a scan is complete. Use the second Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Notification Service (Amazon SNS).
Configure periodic image scan on the repository. Configure scan results to be added to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Step Functions state machine when a new message is added to the SQS queue. Use the Step Functions state machine to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).
Explanations:
This option correctly uses Amazon EventBridge to invoke an AWS Step Functions state machine after a scan is complete. The state machine can delete image tags with Critical or High severity findings and notify the development team via Amazon SNS. It aligns with the requirements for automatic deletion and notification.
This option involves using an SQS queue to push scan results and invoking a Lambda function to delete image tags. While it deletes tags and can notify the team via SES, it does not leverage the direct scanning results to trigger actions efficiently, making it less optimal compared to options using EventBridge or Step Functions.
This option schedules a manual scan every hour, which is not as efficient as the scan-on-push configuration. It relies on EventBridge to invoke another Lambda function after the scan, which is an indirect approach and may not provide timely deletion and notification compared to real-time event-driven approaches.
This option uses an SQS queue with periodic image scans, which is less efficient compared to a scan-on-push approach. Additionally, using Step Functions adds unnecessary complexity when a simpler event-driven architecture could suffice. The delayed processing may result in a lag in handling critical vulnerabilities.
I arrange that the answer is:
Configure scan on push on the repository. Use Amazon EventBridge to invoke an AWS Step Functions state machine when a scan is complete for images that have Critical or High severity findings. Use the Step Functions state machine to delete the image tag for those images and to notify the development team through Amazon Simple Notification Service (Amazon SNS).