Amazon Web Services DOP-C02 Exam With Confidence Using Practice Dumps

Amazon ECR enhanced scanning uses Amazon Inspector for vulnerability detection.

EventBridge can capture Inspector scan findings.

Lambda can process scan findings and reject manual approval if critical vulnerabilities exist.

Options A and C use incorrect or less integrated services (basic scanning or Detective).

Option B adds unnecessary complexity with SBOM and Athena.

Comprehensive and Detailed Explanation From Exact Extract of DevOps Engineer documents only:

During an Amazon ECS service deployment, if tasks fail the Elastic Load Balancing target group health checks, Amazon ECS considers those tasks unhealthy and stops and replaces them. This behavior can cause the deployment to remain incomplete because healthy replacement tasks never become available.

Also, if an essential container in the task exits, the entire task stops. Since the question states that the new tasks enter a stopped state soon after launch, an essential container failure is a direct and highly likely cause.

Why the other options are incorrect:

B. The IAM role used by the DevOps engineer to update the ECS service does not need RunTask permission for the tasks to remain running after launch. A permission issue here would more likely affect the update action itself rather than cause launched tasks to stop shortly afterward.

C. Although CloudWatch Logs configuration problems can affect logging, the missing log group is not the most likely direct reason for ECS tasks to repeatedly stop in this deployment scenario.

D. The task role provides permissions to the application code running inside the container. It is not the role primarily responsible for launching the task. Task startup is typically related to the task execution role, ECS service behavior, container health, and load balancer checks.

The solution that meets the requirements is to use EC2 Image Builder to create a container image pipeline, use Amazon ECR as the target repository, turn on enhanced scanning on the ECR repository, create an Amazon EventBridge rule to capture an Inspector2 finding event, and use the event to invoke the image pipeline. Re-upload the container to the repository.

This solution will continuously monitor the container repository for vulnerabilities using enhanced scanning, which is a feature of Amazon ECR that provides detailed information and guidance on how to fix security issues found in your container images. Enhanced scanning uses Inspector2, a security assessment service that integrates with Amazon ECR and generates findings for any vulnerabilities detected in your images. You can use Amazon EventBridge to create a rule that triggers an action when an Inspector2 finding event occurs. The action can be to invoke an EC2 Image Builder pipeline, which is a service that automates the creation of container images. The pipeline can use the latest patches and updates to build a new container image and upload it to the same ECR repository, replacing the vulnerable image.

The other options are not correct because they do not meet all the requirements or use services that are not relevant for the scenario.

Option B is not correct because it uses Amazon GuardDuty Malware Protection, which is a feature of GuardDuty that detects malicious activity and unauthorized behavior on your AWS accounts and resources. GuardDuty does not scan container images for vulnerabilities, nor does it integrate with Amazon ECR or EC2 Image Builder.

Option C is not correct because it uses basic scanning on the ECR repository, which only provides a summary of the vulnerabilities found in your container images. Basic scanning does not use Inspector2 or generate findings that can be captured by Amazon EventBridge. Moreover, basic scanning does not provide guidance on how to fix the vulnerabilities.

Option D is not correct because it uses AWS Systems Manager Compliance, which is a feature of Systems Manager that helps you monitor and manage the compliance status of your AWS resources based on AWS Config rules and AWS Security Hub standards. Systems Manager Compliance does not scan container images for vulnerabilities, nor does it integrate with Amazon ECR or EC2 Image Builder.