SAP-C02 Question 307
Question
A company uses AWS Organizations to manage a multi-account structure. The company has hundreds of AWS accounts and expects the number of accounts to increase. The company is building a new application that uses Docker images. The company will push the Docker images to Amazon Elastic Container Registry (Amazon ECR). Only accounts that are within the company’s organization should have access to the images. The company has a CI/CD process that runs frequently. The company wants to retain all the tagged images. However, the company wants to retain only the five most recent untagged images. Which solution will meet these requirements with the LEAST operational overhead?
Options
A. Create a private repository in Amazon ECR. Create a permissions policy for the repository that allows only required ECR operations. Include a condition to allow the ECR operations if the value of the aws:PrincipalOrgID condition key is equal to the ID of the company’s organization. Add a lifecycle rule to the ECR repository that deletes all untagged images over the count of five.
B. Create a public repository in Amazon ECR. Create an IAM role in the ECR account. Set permissions so that any account can assume the role if the value of the aws:PrincipalOrgID condition key is equal to the ID of the company’s organization. Add a lifecycle rule to the ECR repository that deletes all untagged images over the count of five.
C. Create a private repository in Amazon ECR. Create a permissions policy for the repository that includes only required ECR operations. Include a condition to allow the ECR operations for all account IDs in the organization. Schedule a daily Amazon EventBridge rule to invoke an AWS Lambda function that deletes all untagged images over the count of five.
D. Create a public repository in Amazon ECR. Configure Amazon ECR to use an interface VPC endpoint with an endpoint policy that includes the required permissions for images that the company needs to pull. Include a condition to allow the ECR operations for all account IDs in the company’s organization. Schedule a daily Amazon EventBridge rule to invoke an AWS Lambda function that deletes all untagged images over the count of five.
Answer
A
Explanation
Correct answer: A.
Explanation: choose A for this question.
Correct option: A. Create a private repository in Amazon ECR. Create a permissions policy for the repository that allows only the required ECR operations. Include a condition that allows the ECR operations if the value of the aws:PrincipalOrgID condition key equals the ID of the company’s organization. Add a lifecycle rule to the ECR repository that deletes all untagged images over the count of five.
Reason: this option most directly satisfies the key constraints in the question. When working through SAP-C02 questions, check every option against the qualifiers in the question stem, such as "the most...
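As an added illustration (not part of the original question or its source), the two policy documents that option A relies on, together with a small offline simulation of how each behaves: the organization ID, image digests and push times are constructed placeholders, and the evaluation functions mimic IAM and ECR lifecycle behaviour rather than calling AWS.

```python
from datetime import datetime, timedelta

ORG_ID = "o-exampleorgid"  # placeholder, not a real AWS Organizations ID

# Repository policy: grants pull operations only when the calling principal's
# account is in the organization. aws:PrincipalOrgID is evaluated per request,
# so new member accounts are covered without ever editing the policy.
REPOSITORY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPullFromOrganization",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                   "ecr:BatchCheckLayerAvailability"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}

# Lifecycle policy: expire untagged images beyond the five most recently pushed.
# Tagged images are never matched by this selection, so all of them are kept.
LIFECYCLE_POLICY = {
    "rules": [{
        "rulePriority": 1,
        "description": "Keep only the five most recent untagged images",
        "selection": {"tagStatus": "untagged",
                      "countType": "imageCountMoreThan", "countNumber": 5},
        "action": {"type": "expire"},
    }],
}

def org_condition_allows(request_org_id):
    """Evaluate the StringEquals condition as IAM would: request_org_id is the
    organization of the calling principal (None for an account in no organization)."""
    cond = REPOSITORY_POLICY["Statement"][0]["Condition"]["StringEquals"]
    return request_org_id is not None and request_org_id == cond["aws:PrincipalOrgID"]

def images_to_expire(images):
    """Simulate the lifecycle rule over a list of {'digest', 'tags', 'pushed'}
    dicts: return the digests of untagged images outside the five most recent."""
    keep = LIFECYCLE_POLICY["rules"][0]["selection"]["countNumber"]
    untagged = sorted((i for i in images if not i["tags"]),
                      key=lambda i: i["pushed"], reverse=True)
    return [i["digest"] for i in untagged[keep:]]

# Constructed sample registry state: three tagged releases, eight untagged CI builds.
BASE = datetime(2024, 1, 1)
SAMPLE_IMAGES = [{"digest": f"sha256:tagged{n}", "tags": [f"v1.{n}"],
                  "pushed": BASE + timedelta(hours=n)} for n in range(3)]
SAMPLE_IMAGES += [{"digest": f"sha256:untagged{n}", "tags": [],
                   "pushed": BASE + timedelta(minutes=n)} for n in range(8)]
```

Cross-account pulls additionally need ecr:GetAuthorizationToken on the caller's own identity, since that action is registry-scoped and cannot be granted from a repository policy.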