ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company runs a sensitive payroll application on an Amazon EKS cluster. The security policy states that only container images that have been vulnerability-scanned and cryptographically signed in Amazon ECR may be deployed. Operations wants an automated, cluster-wide control that refuses pod creation if the image signature is missing or invalid. Which approach best satisfies these requirements while aligning with AWS security best practices?
Encrypt all worker-node EBS volumes with AWS KMS customer-managed keys so that unsigned images cannot be stored on the nodes.
Apply Kubernetes NetworkPolicies that deny egress traffic from pods to public container registries, forcing developers to reference internal ECR images only.
Enable EKS image-signature validation by deploying an admission controller (for example, an OPA Gatekeeper or AWS Signer-based webhook) that rejects any pod whose container image is not signed in the company's Amazon ECR repository.
Attach an IAM policy to each developer's user account that blocks the ecr:PutImage action unless the image tag follows the company's naming convention for approved releases.
Using an admission-control mechanism that checks image signatures at deployment time is the most reliable way to ensure every pod executes only pre-approved, signed images. EKS supports integrating AWS Signer with Amazon ECR and deploying an admission controller (for example, an OPA Gatekeeper or AWS Signer-based webhook) that verifies the digital signature on the image manifest before the Kubernetes API server admits the pod. NetworkPolicies only control runtime traffic and do not validate image provenance. Restricting developers from pushing unsigned images reduces risk but cannot stop a manifest from referencing an unsigned image in another account or registry, and it does not provide enforcement at run time. Encrypting worker-node volumes protects data at rest but does nothing to ensure that only signed images are deployed. Therefore, the admission-controller-based signature validation is the most effective and comprehensive control.
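The admission decision described above, written out as an added Python example (not code from the original question, AWS, or the OPA project): it parses a Kubernetes AdmissionReview for a Pod, requires every container image to be digest-pinned in the company's ECR registry, and checks the digest against a set of signed digests that stands in for the AWS Signer/Notation verification call a real webhook would make. The registry hostname, account ID, digests and the sample request are constructed values.

```python
import re

# Constructed stand-ins for this example: the company's ECR registry and the
# set of image digests a signer has approved. A real webhook would call the
# signature verifier (e.g. Notation with the AWS Signer plugin) instead of a dict.
COMPANY_REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
SIGNED_DIGESTS = {"sha256:" + "a" * 64}  # payroll-api image, assumed signed

# registry/repo[:tag]@sha256:<64 hex>; tags alone are rejected because a tag can
# be re-pointed to an unsigned image after the signature was produced.
IMAGE_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)(?::[^@]+)?@(?P<digest>sha256:[0-9a-f]{64})$"
)

def check_image(image):
    """Return None if the image reference is acceptable, otherwise a denial reason."""
    m = IMAGE_RE.match(image)
    if not m:
        return f"{image}: must be pinned by digest, not tag"
    if m["registry"] != COMPANY_REGISTRY:
        return f"{image}: registry {m['registry']} is not the company ECR registry"
    if m["digest"] not in SIGNED_DIGESTS:
        return f"{image}: no valid signature found for digest"
    return None

def review(admission_review):
    """Validate a Pod AdmissionReview request and build the AdmissionReview response."""
    req = admission_review["request"]
    spec = req["object"]["spec"]
    # Init and ephemeral containers run code too, so they are checked as well.
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    reasons = [r for c in containers if (r := check_image(c["image"]))]
    response = {"uid": req["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

# Constructed request: one signed company image plus an unsigned public image.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "example-uid-1", "object": {"kind": "Pod", "spec": {"containers": [
        {"name": "payroll-api", "image": f"{COMPANY_REGISTRY}/payroll-api@sha256:{'a' * 64}"},
        {"name": "sidecar", "image": "docker.io/library/nginx:1.25"},
    ]}}},
}

if __name__ == "__main__":
    print(review(SAMPLE_REQUEST)["response"])  # allowed: False, sidecar is rejected
```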
Systems and Application Security