
Forum: AWS Certified Security – Specialty

Please, review this question, it seems to have the wrong answer

  • Michael Oliveira

    Member
    October 13, 2024 at 6:25 am


    30. Question (
    Review Mode Set 3 – AWS Certified Security Specialty)

    A startup is running its container-based application on AWS using AWS Fargate. The deployed application is in multiple application accounts (dev, qa, uat, and prod). The Security team must make sure that the container images are free from severe vulnerabilities. Additionally, the team must implement secure access controls to only allow the application accounts and specific roles access to the container images.

    Which solution will satisfy the requirements with the LEAST operational overhead?

    It shows the following answer as correct:

    ANSWER MARKED AS CORRECT > Retrieve container images from a public container registry. Upload the acquired images to Amazon Elastic Container Registry (Amazon ECR) repositories, configuring “scan on push” in a centralized AWS account. Implement repository policies and attribute-based access control (ABAC) to govern access, restricting entry to designated IAM principals and AWS accounts authorized to access the images.

    However, the following one mentions the ABAC alternative, which requires less maintenance overhead than IAM policies, as shown in most study guides for this exam:

    CORRECT ANSWER > Retrieve container images from a public container registry. Upload the acquired images to Amazon Elastic Container Registry (Amazon ECR) repositories, configuring “scan on push” in a centralized AWS account. Implement repository policies and attribute-based access control (ABAC) to govern access, restricting entry to designated IAM principals and AWS accounts authorized to access the images.

    The explanation for the second option being wrong mentions SSO, which is not mentioned in the answer itself.

  • Neil-TutorialsDojo

    Member
    October 14, 2024 at 10:44 am

    Hello Michael Oliveira,
    Good day!

    Thank you for posting here.

    I understand the confusion. However, the correct answer specifically mentions using “repository policies and identity-based policies” to govern access to the container images in Amazon ECR. It does not mention ABAC at all.

    The recommended approach, as outlined in the correct answer, is to “implement repository policies and identity-based policies to govern access, restricting access to specific IAM principals and AWS accounts authorized to use the images.” This method relies on Amazon ECR’s built-in access control mechanisms, such as repository policies and IAM identity-based policies.

    As for the option mentioning ABAC, it is incorrect in this context because one way to implement ABAC in AWS is by using IAM Identity Center (formerly AWS Single Sign-On), which supports ABAC policies to manage access based on attributes such as department, role, or team. Additionally, while ABAC can be a powerful access control mechanism, it introduces additional complexity and operational overhead compared to using identity-based policies. Lastly, ABAC requires defining and managing custom attributes and policies, which can be more challenging to implement and maintain.

    I hope this clears things up!

    Best regards,
    Neil @ Tutorials Dojo
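To make the distinction in the reply concrete, here is an added example (not from the forum thread or from Tutorials Dojo) of the two policies that the "repository policies and identity-based policies" answer relies on, plus two small checks a security team would actually run: a lint that flags repository policies granting pull access to principals outside the approved application accounts, and a gate on the severity counts that a scan-on-push result reports. The account IDs, the role name `ecsTaskExecutionRole`, the repository name and the region are constructed placeholders.

```python
import json

# Constructed placeholder account IDs for the four application accounts
# (assumption: one AWS account per environment, as in the question).
APP_ACCOUNTS = {
    "dev": "111111111111",
    "qa": "222222222222",
    "uat": "333333333333",
    "prod": "444444444444",
}
# Assumed name of the role in each application account that pulls images
# (for Fargate this is typically the task execution role).
PULL_ROLE_NAME = "ecsTaskExecutionRole"

# Read-only actions a puller needs at repository level. ecr:GetAuthorizationToken
# is a registry-level action and must be granted in the caller's identity policy.
PULL_ACTIONS = [
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
]


def build_repository_policy(accounts, role_name):
    """Repository (resource-based) policy in the central account allowing only
    the named role in each application account to pull. This is the document
    you would pass to `aws ecr set-repository-policy --policy-text`."""
    principals = [f"arn:aws:iam::{acct}:role/{role_name}" for acct in accounts.values()]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowPullFromApplicationAccountRoles",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": PULL_ACTIONS,
            }
        ],
    }


def build_pull_identity_policy(central_account, repository_name, region="us-east-1"):
    """Identity-based policy attached to the pulling role in an application
    account. Cross-account ECR access needs both this and the repository policy."""
    repo_arn = f"arn:aws:ecr:{region}:{central_account}:repository/{repository_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": PULL_ACTIONS, "Resource": repo_arn},
        ],
    }


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> account-id is field 4
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def find_overbroad_principals(policy, allowed_accounts):
    """Lint an ECR repository policy: report Allow statements that open the
    repository to every principal ('*') or to accounts outside the approved set."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: grants access to every AWS principal")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in [aws] if isinstance(aws, str) else aws:
            if arn == "*":
                findings.append(f"{sid}: wildcard principal")
            elif _account_of(arn) not in allowed_accounts:
                findings.append(f"{sid}: principal outside application accounts: {arn}")
    return findings


def blocks_deployment(finding_severity_counts, blocking=("CRITICAL", "HIGH")):
    """Gate on the findingSeverityCounts map that
    `aws ecr describe-image-scan-findings` returns after a scan-on-push run."""
    return any(finding_severity_counts.get(sev, 0) > 0 for sev in blocking)


if __name__ == "__main__":
    policy = build_repository_policy(APP_ACCOUNTS, PULL_ROLE_NAME)
    print(json.dumps(policy, indent=2))
    print("lint:", find_overbroad_principals(policy, set(APP_ACCOUNTS.values())))
    # Constructed scan result: one HIGH finding should block the rollout.
    print("blocks:", blocks_deployment({"HIGH": 1, "LOW": 3}))
```

Scan on push itself is a per-repository setting (`aws ecr put-image-scanning-configuration --repository-name <name> --image-scanning-configuration scanOnPush=true`); the gate above consumes what that scan reports. Note that an explicit principal list in the repository policy is what keeps the access model simple: the lint only has to compare account IDs against the four application accounts, with no attribute or tag scheme to maintain.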
