Which solution will meet these requirements with the LEAST operational overhead?
Create a private repository in Amazon ECR. Create a permissions policy for the repository that allows only required ECR operations. Include a condition to allow the ECR operations if the value of the aws:PrincipalOrgID condition key is equal to the ID of the company’s organization. Add a lifecycle rule to the ECR repository that deletes all untagged images over the count of five.
Create a public repository in Amazon ECR. Create an IAM role in the ECR account. Set permissions so that any account can assume the role if the value of the aws:PrincipalOrgID condition key is equal to the ID of the company’s organization. Add a lifecycle rule to the ECR repository that deletes all untagged images over the count of five.
Create a private repository in Amazon ECR. Create a permissions policy for the repository that includes only required ECR operations. Include a condition to allow the ECR operations for all account IDs in the organization. Schedule a daily Amazon EventBridge rule to invoke an AWS Lambda function that deletes all untagged images over the count of five.
Create a public repository in Amazon ECR. Configure Amazon ECR to use an interface VPC endpoint with an endpoint policy that includes the required permissions for images that the company needs to pull. Include a condition to allow the ECR operations for all account IDs in the company’s organization. Schedule a daily Amazon EventBridge rule to invoke an AWS Lambda function that deletes all untagged images over the count of five.
Explanations:
This option uses a private ECR repository, ensuring that only accounts within the company’s organization in AWS Organizations can access the images. The permissions policy with the condition on aws:PrincipalOrgID effectively restricts access to the intended accounts. The lifecycle rule correctly retains all tagged images while deleting untagged images beyond the count of five, meeting the requirements with minimal operational overhead.
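To make the two pieces of the correct option concrete, the following Python is an added example (not part of the original question or of any AWS documentation). It builds an ECR repository policy that allows only pull operations when aws:PrincipalOrgID matches the organization, builds the lifecycle policy that expires untagged images beyond the five most recent, and then checks both against constructed inputs: a simplified evaluator for the org condition and a simulation of the lifecycle rule over a constructed image list. The organization ID, account ID, region and repository name are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Placeholder identifiers (constructed for this example, not from the page).
ORG_ID = "o-exampleorgid"
REPOSITORY_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/app-images"

# Repository policy: only the three API actions a `docker pull` needs, and only
# when the calling principal belongs to the organization.
REPOSITORY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPullFromOrgAccounts",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability",
            ],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
        }
    ],
}

# Lifecycle policy: keep the five newest untagged images, expire the rest.
# Tagged images are never selected by this rule.
LIFECYCLE_POLICY = {
    "rules": [
        {
            "rulePriority": 1,
            "description": "Expire untagged images beyond the five most recent",
            "selection": {
                "tagStatus": "untagged",
                "countType": "imageCountMoreThan",
                "countNumber": 5,
            },
            "action": {"type": "expire"},
        }
    ]
}


def is_action_allowed(policy: dict, action: str, principal_org_id: str) -> bool:
    """Simplified check: does some Allow statement list `action` and have its
    aws:PrincipalOrgID StringEquals condition satisfied? Real IAM evaluation
    also considers the caller's identity policy, explicit Deny statements and
    wildcards; this mirrors only the organization condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        required_org = cond.get("aws:PrincipalOrgID")
        if required_org is None or required_org == principal_org_id:
            return True
    return False


def images_to_expire(images: list, rule: dict) -> list:
    """Simulate one ECR lifecycle rule with tagStatus=untagged and
    countType=imageCountMoreThan: order untagged images newest first and
    return the digests of everything past countNumber."""
    sel = rule["selection"]
    if sel["tagStatus"] != "untagged" or sel["countType"] != "imageCountMoreThan":
        raise ValueError("this simulator only handles untagged/imageCountMoreThan rules")
    untagged = [img for img in images if not img["tags"]]
    untagged.sort(key=lambda img: img["pushed_at"], reverse=True)
    return [img["digest"] for img in untagged[sel["countNumber"]:]]


# Constructed repository contents: eight untagged images pushed one day apart
# (untagged00 is the newest) plus two tagged images.
_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_IMAGES = [
    {"digest": f"sha256:untagged{i:02d}", "tags": [], "pushed_at": _NOW - timedelta(days=i)}
    for i in range(8)
] + [
    {"digest": "sha256:tagged-v1", "tags": ["v1"], "pushed_at": _NOW - timedelta(days=30)},
    {"digest": "sha256:tagged-latest", "tags": ["latest"], "pushed_at": _NOW},
]

if __name__ == "__main__":
    print(json.dumps(REPOSITORY_POLICY, indent=2))
    print(json.dumps(LIFECYCLE_POLICY, indent=2))
    print("pull from org account:", is_action_allowed(REPOSITORY_POLICY, "ecr:BatchGetImage", ORG_ID))
    print("pull from other org:  ", is_action_allowed(REPOSITORY_POLICY, "ecr:BatchGetImage", "o-otherorg"))
    print("push from org account:", is_action_allowed(REPOSITORY_POLICY, "ecr:PutImage", ORG_ID))
    print("expired digests:", images_to_expire(SAMPLE_IMAGES, LIFECYCLE_POLICY["rules"][0]))
```

The two JSON documents are what you would pass to `aws ecr set-repository-policy` and `aws ecr put-lifecycle-policy`; the simulator shows why the rule meets the requirement without a scheduled Lambda: the three oldest untagged images are expired, the five newest untagged ones and both tagged ones survive, and a caller from outside the organization (or asking for a push action) is not covered by the Allow statement.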
A public repository is not appropriate for this scenario as it allows access from outside the organization, violating the requirement that only accounts within the company’s organization should have access. While the permissions condition could limit access, using a public repository introduces unnecessary risks and complexity. The lifecycle rule is correct, but the repository type is fundamentally flawed.
While this option uses a private repository and includes a permissions policy, it requires a scheduled Lambda function to manage untagged images, which adds operational overhead. A lifecycle rule alone would have managed the untagged images without a Lambda function, so this option adds complexity unnecessarily.
Similar to option B, using a public repository exposes the images to outside access, which is against the requirement for organization-only access. Additionally, scheduling a Lambda function to manage untagged images adds operational overhead. The use of VPC endpoints does not address the access control issue effectively as the repository type is inappropriate.