Which solution will meet these requirements?
Enable KMS encryption on the existing ECR repositories. Install Amazon Inspector Agent from the ECS container instances’ user data. Run an assessment with the CVE rules.
Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Analyze the scan report after the next push of images.
Recreate the ECR repositories with KMS encryption and ECR scanning enabled. Install AWS Systems Manager Agent on the ECS container instances. Run an inventory report.
Enable KMS encryption on the existing ECR repositories. Use AWS Trusted Advisor to check the ECS container instances and to verify the findings against a list of current CVEs.
Explanations:
Enabling KMS encryption on existing ECR repositories is correct, but installing the Amazon Inspector Agent from ECS container instances’ user data and running a CVE assessment is not a valid method. Amazon Inspector cannot be installed on ECS instances this way to scan container images.
Recreating the ECR repositories with KMS encryption and ECR scanning enabled is the correct approach. ECR scanning automatically checks for CVEs in the container images after they are pushed, and the scanning results can be analyzed.
Recreating the ECR repositories with KMS encryption and enabling scanning is correct, but installing AWS Systems Manager Agent is unnecessary for CVE analysis in ECR. ECR scanning alone suffices for analyzing container images for CVEs.
Enabling KMS encryption on existing ECR repositories is correct, but AWS Trusted Advisor does not specifically handle CVE detection for ECS container images. It checks best practices and not CVE vulnerabilities.