Which solution will meet these requirements with the FEWEST changes to the workloads?
Use Amazon Elastic Container Registry (Amazon ECR) as a private image repository to store the container images. Specify scan on push filters for the ECR basic scan.
Store the container images in an Amazon S3 bucket. Use Amazon Macie to scan the images. Use an S3 Event Notification to initiate a Macie scan for every event with an s3:ObjectCreated:Put event type.
Deploy the workloads to Amazon Elastic Kubernetes Service (Amazon EKS). Use Amazon Elastic Container Registry (Amazon ECR) as a private image repository. Specify scan on push filters for the ECR enhanced scan.
Store the container images in an Amazon S3 bucket that has versioning enabled. Configure an S3 Event Notification for s3:ObjectCreated:* events to invoke an AWS Lambda function. Configure the Lambda function to initiate an Amazon Inspector scan.
Explanations:
Using Amazon ECR as a private image repository integrates vulnerability scanning directly into the image push, which meets the requirement of scanning new container images with minimal changes to existing workflows. The scan on push feature can be enabled on the repository without changing the ECS workload configurations.
Storing container images in an Amazon S3 bucket and using Amazon Macie to scan them is not suitable for vulnerability scanning of container images. Macie focuses on data security and sensitive data discovery, not CVE scanning. This option would require significant changes to the current workflow and is not designed for container image scanning.
While Amazon EKS can use Amazon ECR and perform vulnerability scanning, this option introduces a major change by requiring a shift from Amazon ECS to EKS. The question specifies that the solution should have the fewest changes to the workloads, making this option less favorable despite its potential for scanning.
Using an S3 bucket and an AWS Lambda function to invoke Amazon Inspector introduces unnecessary complexity and delay into the scanning process. This approach does not integrate directly with the container image workflow in ECS, so it would significantly change how container images are managed and scanned, which conflicts with the requirement for minimal changes.