SCS-C03 · Question #66
SCS-C03 Question #66: Real Exam Question with Answer & Explanation
Correct answer: C. Integrate Amazon Inspector into the CI/CD pipeline using SBOM generation and fail the pipeline before the image is pushed to Amazon ECR.
Question
A company experienced a security incident caused by a vulnerable container image that was pushed from an external CI/CD pipeline into Amazon ECR. Which solution will prevent vulnerable images from being pushed?
Options
- A. Enable ECR enhanced scanning with Lambda blocking.
- B. Use Amazon Inspector with EventBridge and Lambda.
- C. Integrate Amazon Inspector into the CI/CD pipeline using SBOM generation and fail the pipeline.
- D. Enable basic continuous ECR scanning.
Explanation
Amazon Inspector offers CI/CD integration that lets the security check run before a container image is pushed to Amazon ECR. Inspector itself never blocks a push: ECR scanning, whether basic or enhanced, reports findings on an image that is already in the registry. Prevention therefore has to happen inside the pipeline. The pipeline generates a Software Bill of Materials (SBOM) for the freshly built image with the Amazon Inspector SBOM generator, submits the SBOM to Inspector for scanning, and evaluates the returned findings against a policy threshold (for example, zero critical vulnerabilities). If the threshold is exceeded, the pipeline stage fails and the image is never pushed. Options A, B and D all depend on post-push scanning: by the time a finding exists, the vulnerable image has already entered the registry, and an EventBridge or Lambda reaction (deleting, tagging or quarantining the image) only shortens the exposure window rather than preventing it. AWS best practice is to "shift left" and stop vulnerable artifacts before they reach the registry or production.
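As an added example, not part of the original question, of AWS's tooling or of any exam material: the gate step from option C written as a Python script. It expects the CycloneDX 1.5 vulnerability report that `aws inspector-scan scan-sbom --output-format CYCLONE_DX_1_5` can return for an SBOM produced by `inspector-sbomgen`, counts findings by their worst severity rating, and exits non-zero when the policy is exceeded so the pipeline's push step never runs. The embedded sample report is constructed for illustration, and the thresholds and the handling of missing rating fields are assumptions, not Inspector behaviour.

```python
"""Pipeline gate for an Amazon Inspector SBOM scan report (CycloneDX 1.5 JSON).

Intended pipeline order (shell shown in the usage note, not here):
  1. inspector-sbomgen produces an SBOM for the image that was just built;
  2. aws inspector-scan scan-sbom returns findings as CycloneDX 1.5;
  3. this script reads that JSON and its exit code gates `docker push`.
SAMPLE_REPORT below is constructed for illustration; it is not real output.
"""
import json
import sys
from collections import Counter

# Severity ladder from the CycloneDX 1.5 vulnerability schema, most severe first.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]

# Policy: maximum findings allowed per severity before the gate fails.
# Illustrative values; a real policy would come from pipeline configuration.
DEFAULT_POLICY = {"critical": 0, "high": 0}


def _rank(severity):
    """Position on the ladder; unrecognised strings sort after 'unknown'."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def worst_severity(vuln):
    """Most severe rating attached to one CycloneDX vulnerability entry.

    A vulnerability may carry several ratings (different sources or CVSS
    versions); the gate is conservative and uses the worst one. Entries
    without any rating are treated as 'unknown' (assumption, not a spec rule).
    """
    severities = [(r.get("severity") or "unknown").lower() for r in vuln.get("ratings", [])]
    if not severities:
        return "unknown"
    return min(severities, key=_rank)


def count_by_severity(report):
    """Count the report's vulnerabilities by their worst severity."""
    counts = Counter()
    for vuln in report.get("vulnerabilities", []):
        counts[worst_severity(vuln)] += 1
    return counts


def evaluate(report, policy=None):
    """Apply the policy. Returns (passed, counts, violations)."""
    policy = DEFAULT_POLICY if policy is None else policy
    counts = count_by_severity(report)
    violations = {sev: counts[sev] for sev, limit in policy.items() if counts[sev] > limit}
    return (not violations), counts, violations


# Constructed sample in the CycloneDX 1.5 shape; identifiers are placeholders.
SAMPLE_REPORT = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "ratings": [{"severity": "critical", "score": 9.8, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:deb/debian/example-lib@1.0.0"}]},
        {"id": "EXAMPLE-0002",                       # two ratings, worst is 'high'
         "ratings": [{"severity": "medium"}, {"severity": "high"}]},
        {"id": "EXAMPLE-0003", "ratings": []},       # no rating -> 'unknown'
    ],
}


def main(argv):
    """Read a report file (or fall back to the sample) and return the exit code."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    passed, counts, violations = evaluate(report)
    print("findings by severity:", dict(counts))
    if not passed:
        print("gate FAILED, image must not be pushed:", violations)
        return 1
    print("gate passed, image may be pushed")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline the push is chained on the exit code, e.g. `python3 sbom_gate.py report.json && docker push "$IMAGE"`, so a failing gate leaves the image on the build agent and nothing reaches ECR. The conservative choices (worst rating wins, unrated entries are not silently ignored) are what make this a preventive control rather than a report.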
Community Discussion
No community discussion yet for this question.