SAP-C02 Question #574: Real Exam Question with Answer & Explanation

The correct answer is A: Create a private repository in Amazon ECR. Create a permissions policy for the repository that. The company needs to store Docker images in Amazon ECR, restrict access to accounts within its AWS Organization, and implement specific retention policies for tagged (all) and untagged (5 most recent) images with minimal operational overhead.

Submitted by diego_uy · Mar 6, 2026 · Design for New Solutions

Question

A company uses AWS Organizations to manage a multi-account structure. The company has hundreds of AWS accounts and expects the number of accounts to increase. The company is building a new application that uses Docker images. The company will push the Docker images to Amazon Elastic Container Registry (Amazon ECR). Only accounts that are within the company's organization should have access to the images. The company has a CI/CD process that runs frequently. The company wants to retain all the tagged images. However, the company wants to retain only the five most recent untagged images. Which solution will meet these requirements with the LEAST operational overhead?

Options

  • A. Create a private repository in Amazon ECR. Create a permissions policy for the repository that
  • B. Create a public repository in Amazon ECR. Create an IAM role in the ECR account. Set
  • C. Create a private repository in Amazon ECR. Create a permissions policy for the repository that
  • D. Create a public repository in Amazon ECR. Configure Amazon ECR to use an interface VPC

Explanation

The company needs to store Docker images in Amazon ECR, restrict access to accounts within its AWS Organization, and implement specific retention policies for tagged (all) and untagged (5 most recent) images with minimal operational overhead.

Common mistakes.

  • B. A public ECR repository would allow broad access, failing to restrict access to only accounts within the organization, and creating an IAM role doesn't address the repository's public nature or retention rules.
  • C. While creating a private repository and a permissions policy is correct for access control, this option does not include configuring a lifecycle policy to manage the specified image retention rules, which is a key requirement.
  • D. A public ECR repository does not meet the requirement of restricting access to only organizational accounts, and configuring an interface VPC endpoint is for private connectivity, not for defining access policies or retention rules.

Concept tested. ECR Repository Access Control and Lifecycle Policies

Reference. https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html
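Worked example. The following is an added illustration, not part of the original question or its options (whose text is truncated on this page). It builds a repository policy and a lifecycle policy matching the stated requirements, then checks both locally. The organization ID, the choice of pull-only actions, the use of the `aws:PrincipalOrgID` condition key, the helper names and the sample image list are assumptions made for the example.

```python
from datetime import datetime, timedelta

ORG_ID = "o-exampleorgid"  # placeholder organization ID (assumption)

# Repository policy: pull is open to any principal, but only inside the organization.
REPOSITORY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPullFromOrganization",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                   "ecr:BatchCheckLayerAvailability"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}

# Lifecycle policy: expire untagged images beyond the five most recent.
# No rule selects tagged images, so tagged images are never expired.
LIFECYCLE_POLICY = {"rules": [{
    "rulePriority": 1,
    "description": "Keep only the 5 most recent untagged images",
    "selection": {"tagStatus": "untagged", "countType": "imageCountMoreThan",
                  "countNumber": 5},
    "action": {"type": "expire"},
}]}

def unguarded_statements(policy, org_id):
    """Sids of Allow statements open to '*' that lack the organization condition."""
    bad = []
    for st in policy["Statement"]:
        open_to_all = st.get("Principal") in ("*", {"AWS": "*"})
        cond = st.get("Condition", {}).get("StringEquals", {})
        if st["Effect"] == "Allow" and open_to_all and cond.get("aws:PrincipalOrgID") != org_id:
            bad.append(st.get("Sid", "<no Sid>"))
    return bad

def expired_digests(images, policy):
    """Simplified local model of untagged imageCountMoreThan rules.
    images: (digest, pushed_at, tags) tuples; returns digests that would expire."""
    expired = []
    for rule in policy["rules"]:
        sel = rule["selection"]
        if sel["tagStatus"] != "untagged" or sel["countType"] != "imageCountMoreThan":
            continue  # other rule types are outside this sketch
        untagged = sorted((i for i in images if not i[2]), key=lambda i: i[1], reverse=True)
        expired += [digest for digest, _, _ in untagged[sel["countNumber"]:]]
    return expired

# Constructed sample: 8 untagged CI builds and 2 tagged releases (digests are fake).
T0 = datetime(2026, 1, 1)
SAMPLE = [(f"sha256:u{n}", T0 + timedelta(hours=n), []) for n in range(8)]
SAMPLE += [("sha256:t0", T0 - timedelta(days=90), ["v1.0"]), ("sha256:t1", T0, ["v1.1"])]
```

Serialized with `json.dumps`, the two documents are what `aws ecr set-repository-policy --policy-text` and `aws ecr put-lifecycle-policy --lifecycle-policy-text` accept. Because the condition is evaluated per request, accounts added to the organization later gain access without any policy change.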
