
AWS DVA-C02 Drill: Container Image Security - Early Image Scanning in CI/CD

Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note
#

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.

For AWS DVA-C02 candidates, the confusion often lies in where in the pipeline to embed container image scanning to catch vulnerabilities early without blocking delivery unnecessarily. In production, this is about knowing exactly how to integrate image scanning with CodePipeline and ECR scan results in a way that leverages automation and avoids developer friction. Let’s drill down.

The Certification Drill (Simulated Question)
#

Scenario
#

NimbusSoft, a software development company, builds containerized microservices for their cloud applications. They use Amazon Elastic Container Registry (ECR) to store Docker images, and Amazon Elastic Kubernetes Service (EKS) to run the workloads. Their CI/CD pipelines are orchestrated by AWS CodePipeline. Currently, after a new container image is deployed to the development environment namespace in the EKS cluster, a dynamic application security testing (DAST) tool runs to identify vulnerabilities.

The security team wants to shift the container image security analysis earlier in the pipeline—before any deployment—so that vulnerabilities are found sooner and fixes get integrated faster. The lead developer is asked to design a solution that automatically scans the container image right after it is built, and that can fail the pipeline if vulnerabilities are detected, all while minimizing operational overhead.

The Requirement
#

Implement an image scanning stage in the CodePipeline that runs immediately after the container image build step, using ECR image scanning features, and that automatically fails the pipeline if vulnerabilities are found, achieving the highest operational efficiency and automation.

The Options
#

  • A) Build the container image locally and run docker scan. Require developers to fix any security issues before committing code by enforcing a local pre-commit hook.

  • B) Add a new stage in CodePipeline after the image build. Enable ECR basic image scanning configured to scan upon image push. Use an AWS Lambda function as the CodePipeline action provider to analyze the scan results and fail the pipeline if vulnerabilities exist.

  • C) Add a new stage in CodePipeline right after source code checkout. Run a source code security scanner on the latest code revision and fail the pipeline on findings.

  • D) Add an action in the deployment stage of CodePipeline that runs just before deploying to the EKS cluster. Enable ECR basic image scanning on image push. Use an AWS Lambda function as the action provider to check scan results and fail deployment if problems are found.



Correct Answer
#

B

Quick Insight: The Developer Imperative
#

The key is to integrate ECR image scanning right after image build and before deployment, automated via Lambda in CodePipeline. This avoids relying on manual scans or only scanning post-deployment, enabling faster feedback loops and operational efficiency.

Content Locked: The Expert Analysis
#

You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?


The Expert’s Analysis
#

Correct Answer
#

Option B

The Winning Logic
#

Option B adds a new stage directly after the image build step in CodePipeline, configures ECR’s built-in basic image scanning to trigger on image push, and uses an AWS Lambda function as that stage’s action provider. The Lambda reads the scan results for the freshly pushed image from ECR and fails the pipeline when findings at or above the team’s severity threshold (typically HIGH and CRITICAL) are present.

  • The scan runs as soon as the image lands in ECR, so vulnerability feedback arrives before any deployment.
  • It relies on AWS-managed ECR scanning rather than on developers remembering to run a local scan, so every image that reaches the registry is scanned the same way.
  • A Lambda action turns its decision into a pipeline outcome by calling PutJobSuccessResult or PutJobFailureResult; a function that never calls one of them leaves the action hanging until CodePipeline times it out.
  • Scan-on-push is asynchronous, so the Lambda must wait for the scan status to reach COMPLETE (ECR exposes a waiter for this) before reading findingSeverityCounts, and should treat FAILED or UNSUPPORTED_IMAGE as a gate failure, not a pass.
  • Identify the image by digest (the build step has it) rather than by a mutable tag such as latest, so the gate checks the exact artifact that will be deployed.
  • It fits the existing pipeline structure, minimizing operational complexity, and findings stay centralized in ECR where the security team already looks.

The Trap (Distractor Analysis)
#

  • Why not A?
    Relying on developers to run docker scan locally and on a pre-commit hook is brittle: hooks are opt-in on each workstation, the results are never recorded centrally, and nothing stops an unscanned image from being pushed to the registry. (The docker scan plugin has also since been deprecated.) It is neither automated nor enforceable at the pipeline level.

  • Why not C?
    Source code scanning (SAST) and container image scanning answer different questions. SAST looks at the application code; image scanning looks at the OS packages and other binaries layered into the built image, which is where most CVE findings come from. C would not catch a vulnerable base image or a package installed by the Dockerfile, and it does not satisfy the requirement to use ECR image scanning.

  • Why not D?
    The scan itself still runs on push; D only moves the gate to the deployment stage. An image that ECR already knows is vulnerable then travels through every intermediate stage (tests, approvals) before the pipeline finally fails, and the developer learns about it late. The requirement asks for the check immediately after the build, which is where the artifact first exists and is cheapest to reject.


The Technical Blueprint
#

# Example: Enabling ECR basic image scanning on image push (a one-time repository setting)
aws ecr put-image-scanning-configuration --repository-name my-service-repo --image-scanning-configuration scanOnPush=true

# Scan-on-push is asynchronous: wait for the scan to finish before reading findings.
# Address the image by its digest (taken from the build output) rather than a mutable tag such as latest.
aws ecr wait image-scan-complete --repository-name my-service-repo --image-id imageDigest=<digest>
aws ecr describe-image-scan-findings --repository-name my-service-repo --image-id imageDigest=<digest>

# In the Lambda action: parse imageScanFindings.findingSeverityCounts, then report back to CodePipeline
aws codepipeline put-job-failure-result --job-id <jobId> --failure-details type=JobFailed,message="Vulnerabilities found"
# ...or, when the image is clean:
aws codepipeline put-job-success-result --job-id <jobId>
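The Lambda gate that the Winning Logic and the blueprint above describe, written out as an added example (this is not code from the original page). It assumes the pipeline's Lambda action passes UserParameters as JSON with a repositoryName and either an imageDigest or an imageTag (for instance a tag exported by the build action through a CodePipeline variable), that the Lambda role may call ecr:DescribeImageScanFindings and the two CodePipeline PutJob*Result actions, and that HIGH and CRITICAL are the blocking severities. The sample scan responses at the bottom are constructed; their finding names are placeholders, not real CVE identifiers.

```python
"""CodePipeline Lambda action that gates on ECR basic scan results.

Added example, not the page's own code. Assumptions (not stated on the page):
  * UserParameters is JSON such as
    {"repositoryName": "my-service-repo", "imageTag": "#{BuildVariables.IMAGE_TAG}"}
    where IMAGE_TAG is a hypothetical variable exported by the build action.
  * The Lambda role can call ecr:DescribeImageScanFindings and
    codepipeline:PutJobSuccessResult / PutJobFailureResult.
"""
import json

# Severities that block the pipeline; MEDIUM and below are reported but allowed.
BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")


def evaluate_scan(scan_response, blocking=BLOCKING_SEVERITIES):
    """Decide pass/fail from a DescribeImageScanFindings response.

    Returns (passed, message). Anything other than a COMPLETE scan fails closed:
    basic scanning reports FAILED or UNSUPPORTED_IMAGE for images it cannot scan,
    and silently passing those would defeat the gate.
    """
    status = scan_response.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, f"image scan not usable (status={status})"
    findings = scan_response.get("imageScanFindings", {})
    counts = findings.get("findingSeverityCounts", {})
    blocked = {sev: counts[sev] for sev in blocking if counts.get(sev, 0) > 0}
    if blocked:
        names = [f["name"] for f in findings.get("findings", []) if f.get("severity") in blocking]
        return False, f"blocking findings {blocked}: {', '.join(names[:10])}"
    return True, f"no {'/'.join(blocking)} findings (severity counts: {counts})"


def image_id_from_params(params):
    """Prefer an immutable digest; fall back to the tag the build action exported."""
    if params.get("imageDigest"):
        return {"imageDigest": params["imageDigest"]}
    return {"imageTag": params["imageTag"]}


def lambda_handler(event, context):
    """Entry point invoked by CodePipeline; always reports a result back to the job."""
    import boto3  # imported here so evaluate_scan() stays testable without the SDK

    job = event["CodePipeline.job"]
    job_id = job["id"]
    codepipeline = boto3.client("codepipeline")
    try:
        params = json.loads(job["data"]["actionConfiguration"]["configuration"]["UserParameters"])
        repo, image_id = params["repositoryName"], image_id_from_params(params)
        ecr = boto3.client("ecr")
        # Scan-on-push is asynchronous: block until ECR reports a terminal scan status.
        ecr.get_waiter("image_scan_complete").wait(
            repositoryName=repo, imageId=image_id,
            WaiterConfig={"Delay": 5, "MaxAttempts": 60},
        )
        response = ecr.describe_image_scan_findings(repositoryName=repo, imageId=image_id)
        passed, message = evaluate_scan(response)
    except Exception as exc:  # missing image, failed scan, bad parameters: fail closed
        passed, message = False, f"scan gate error: {exc}"

    if passed:
        codepipeline.put_job_success_result(jobId=job_id)
    else:
        codepipeline.put_job_failure_result(
            jobId=job_id,
            failureDetails={"type": "JobFailed", "message": message[:5000]},
        )
    return {"passed": passed, "message": message}


# Constructed sample responses (not real ECR output; finding names are placeholders,
# real responses carry CVE identifiers) for exercising the gate logic offline.
SAMPLE_FAILING_SCAN = {
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 1},
        "findings": [
            {"name": "PLACEHOLDER-CRITICAL-1", "severity": "CRITICAL"},
            {"name": "PLACEHOLDER-HIGH-1", "severity": "HIGH"},
            {"name": "PLACEHOLDER-HIGH-2", "severity": "HIGH"},
            {"name": "PLACEHOLDER-MEDIUM-1", "severity": "MEDIUM"},
        ],
    },
}
SAMPLE_CLEAN_SCAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {"findingSeverityCounts": {"MEDIUM": 4, "LOW": 9}, "findings": []},
}
SAMPLE_UNSUPPORTED_SCAN = {"imageScanStatus": {"status": "UNSUPPORTED_IMAGE"}}

if __name__ == "__main__":
    for label, sample in [("failing", SAMPLE_FAILING_SCAN), ("clean", SAMPLE_CLEAN_SCAN),
                          ("unsupported", SAMPLE_UNSUPPORTED_SCAN)]:
        print(label, evaluate_scan(sample))
```

Two operational notes: the waiter polls for up to five minutes, so the function's timeout must be raised well above the Lambda default of a few seconds or CodePipeline will see a failure before the scan finishes; and the failure message is truncated to 5000 characters because that is the limit PutJobFailureResult accepts.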

The Comparative Analysis
#

Option | API Complexity | Performance | Use Case
A | Low (local docker CLI) | Slow, manual, unreliable | Developer-side enforcement only; not scalable
B | Medium (CodePipeline + Lambda + ECR APIs) | Fast, automated | Early scan gate right after build; best developer automation
C | Low (source code scanner) | Fast, but incomplete | Source-level vulnerabilities only; does not cover the built image
D | Medium (CodePipeline + Lambda + ECR APIs) | Late feedback, inefficient | Gate just before deploy; the stages between build and deploy run for nothing

Real-World Application (Practitioner Insight)
#

Exam Rule
#

For the exam, when you see container image security integrated into a CI/CD workflow, pick ECR scan on image push combined with an automated gate (a Lambda action in CodePipeline) placed immediately after the build stage, not in the deployment stage and not on developer workstations.

Real World
#

In production, teams strengthen this in two ways. ECR basic scanning is point-in-time (the image is scanned when pushed), so many switch to ECR enhanced scanning, which is backed by Amazon Inspector and rescans stored images as new CVEs are published, or add third-party scanners such as Aqua or Prisma Cloud (formerly Twistlock). They also extend the gate across multi-stage pipelines and wire findings to automatic remediation bots. Learning the basics with ECR and Lambda is the first step.



Disclaimer

This is a study note based on simulated scenarios for the AWS DVA-C02 exam.
