AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer describes a solution that uses a validating admission webhook in Amazon EKS to provide robust, non-bypassable enforcement. When ECR completes a vulnerability scan, an EventBridge rule triggers a Lambda function. This function processes the scan results and records the compliance status (e.g., 'BLOCKED') of the image digest in a DynamoDB table. The validating admission webhook, deployed in the EKS cluster, intercepts all pod creation requests. Before allowing a pod to be created, it queries the DynamoDB table to check the status of the requested container image. If the image is marked as 'BLOCKED', the webhook rejects the request, preventing the deployment. This approach is superior because enforcement happens at the cluster's control plane, making it impossible to bypass, unlike a CI/CD-based check.

The option suggesting the use of an ECR repository policy with an ecr:ImageTag condition is incorrect because AWS IAM policies and ECR repository policies do not support condition keys based on an image's Docker tag. Enforcement cannot be applied at the ECR pull layer using this method.

The option relying solely on the CI/CD pipeline for enforcement is less secure. While it would stop automated deployments, a user with sufficient permissions could still deploy a vulnerable image manually using kubectl or the AWS console, bypassing the pipeline check entirely.

The option to delete the vulnerable image is a reactive and destructive measure. It can create a race condition where a fast deployment process might pull the image before it is deleted. It also complicates debugging and auditing, as the problematic artifact is removed completely rather than being flagged and blocked.