Question 6
Domain 1: SDLC Automation
A company uses an HPC platform to run analysis jobs for data. The company uses AWS CodeBuild to create container images and store the images on Amazon Elastic Container Registry (Amazon ECR). The images are then deployed on Amazon Elastic Kubernetes Service (Amazon EKS). To maintain compliance, the company needs to ensure that the images are signed before the images are deployed on Amazon EKS. The signing keys must be rotated periodically and must be managed automatically. The company needs to track who generates the signatures. Which solution will meet these requirements with the LEAST operational effort?
Correct answer: D
Explanation
AWS Signer provides managed code signing, so the signing keys are “managed automatically” and can be rotated without extra key administration. CloudTrail records API activity, letting the company “track who generates the signatures” by auditing the signing requests before the image is pushed to Amazon ECR and deployed on Amazon EKS.
Why each option is right or wrong
A. Use CodeBuild to retrieve the image that was previously pushed to Amazon ECR. Use AWS Signer to sign the image. Use AWS CloudTrail to track who generates the signatures.
Pulling the already-pushed image back into CodeBuild to sign it adds a retrieval step and leaves a window in which an unsigned image sits in ECR; signing in the same build job that produced the image is simpler.
B. Use AWS Lambda to retrieve the image that was previously pushed to Amazon ECR. Use a Lambda function to sign the image. Use Amazon CloudWatch to track who generates the signatures.
A custom Lambda signing function means the company generates, stores, and rotates its own keys, which defeats the requirement for automatic key management and adds operational work. CloudWatch collects metrics and logs, but it is not the API audit trail that records which identity made a call.
C. Use AWS Lambda to retrieve the image that was previously pushed to Amazon ECR. Use AWS Signer to sign the image. Use Amazon CloudWatch to track who generates the signatures.
AWS Signer covers the signing, but retrieving the image with Lambda is extra plumbing, and CloudWatch does not record the caller identity of each signing request the way CloudTrail does.
D. Use CodeBuild to build the image. Sign the image by using AWS Signer before pushing the image to Amazon ECR. Use AWS CloudTrail to track who generates the signatures.
AWS Signer is a fully managed signing service: the key pair behind a signing profile is generated, stored, and rotated by AWS, so the company never handles key material and needs no custom KMS rotation workflow. That satisfies the requirement for automatic key management. Every signing request is an AWS Signer API call, and CloudTrail records it together with the identity that invoked it, so the company can audit who generated each signature. Because signing happens inside the CodeBuild job, every image is signed before it reaches Amazon ECR and, later, Amazon EKS.
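The following buildspec is an added illustration of option D as it is actually wired up with the Notation CLI and the AWS Signer plugin; it is not part of the original question or of any AWS sample. The account ID, region, repository name and signing profile ARN are placeholders, and it assumes the build image already contains Docker, the AWS CLI, `notation` and the `com.amazonaws.signer.notation.plugin` plugin. One detail the exam wording glosses over: the Signer plugin binds the signature to the image manifest digest and stores it in ECR next to the image, so in the job the sign step runs once the digest exists, still inside CodeBuild and well before anything deploys to EKS.

```yaml
version: 0.2

# Placeholder values (not from the question): account, region, repository
# and signing profile are assumptions for this example.
env:
  variables:
    AWS_REGION: us-east-1
    ECR_REGISTRY: 123456789012.dkr.ecr.us-east-1.amazonaws.com
    ECR_REPOSITORY: hpc-analysis
    SIGNING_PROFILE_ARN: arn:aws:signer:us-east-1:123456789012:/signing-profiles/hpc_images

phases:
  pre_build:
    commands:
      # Docker login to ECR; notation reuses the Docker credential store, so
      # this also lets the Signer plugin write the signature artifact to ECR.
      - aws ecr get-login-password --region "$AWS_REGION" | docker login --username AWS --password-stdin "$ECR_REGISTRY"
      # Tag by the resolved commit so every image is traceable to its source.
      - COMMIT_HASH=$(echo "$CODEBUILD_RESOLVED_SOURCE_VERSION" | cut -c 1-7)
      - IMAGE_TAG=${COMMIT_HASH:=latest}
      - IMAGE_URI="$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
  build:
    commands:
      - docker build -t "$IMAGE_URI" .
      - docker push "$IMAGE_URI"
  post_build:
    commands:
      # Sign by manifest digest, never by a mutable tag: the signature then
      # covers exactly the bytes EKS will pull.
      - IMAGE_DIGEST=$(aws ecr describe-images --region "$AWS_REGION" --repository-name "$ECR_REPOSITORY" --image-ids imageTag="$IMAGE_TAG" --query 'imageDetails[0].imageDigest' --output text)
      # The plugin calls signer:SignPayload using the AWS-managed key of the
      # signing profile; that API call is what CloudTrail records.
      - notation sign "$ECR_REGISTRY/$ECR_REPOSITORY@$IMAGE_DIGEST" --plugin com.amazonaws.signer.notation.plugin --id "$SIGNING_PROFILE_ARN"
      # CloudTrail will show the CodeBuild service role as the SignPayload
      # caller, so log the human or pipeline that started this build alongside it.
      - echo "Build $CODEBUILD_BUILD_ID initiated by $CODEBUILD_INITIATOR signed $IMAGE_DIGEST"
      # Confirm the signature is attached to the image in ECR.
      - notation inspect "$ECR_REGISTRY/$ECR_REPOSITORY@$IMAGE_DIGEST"
```

The signing profile is created once, outside the pipeline, with `aws signer put-signing-profile --profile-name hpc_images --platform-id Notation-OCI-SHA384-ECDSA`; from then on AWS owns the key lifecycle. The CodeBuild service role needs `signer:SignPayload` and `signer:GetSigningProfile` on that profile in addition to its ECR push permissions. To answer "who signed this", query CloudTrail for the signing events, for example `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=SignPayload`, and read the caller from each event's user identity; because that caller is the build role, correlate it with the build's `CODEBUILD_INITIATOR` (or the `StartBuild` CloudTrail event) to reach the person. Note that a signature only protects the deployment if something on the EKS side verifies it before admitting the pod; the question asks about producing and auditing signatures, not about that enforcement step.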